Foundation Passport

Foundation Passport is a *premium air-gapped Bitcoin hardware wallet* — built in the US by Foundation Devices, it signs transactions entirely over QR codes (no USB cable ever touches a computer), with open firmware and a published security audit.

Background. Shipping since 2020 from *Foundation Devices*, Passport is a Bitcoin-only signing device aimed at users who want strong air-gap security without the steep usability of more spartan competitors. It pairs with Foundation's *Envoy* mobile app or desktop tools like *Sparrow*, and positions itself as a higher-build-quality, better-UX alternative to the Coldcard at a premium price. The combination of *open firmware*, a *published audit*, and full air-gapping is why it earns an A in /wallets: the security claims are inspectable, not marketing.

What you trust. The device is built so you have to trust it *less*. *Air-gapped by design*: it has no USB data-signing path — every interaction with a watch-only wallet happens via the *camera and QR codes*, so the private keys are on a device that never makes a data connection to an internet-connected machine. *Open firmware* means the code running on the device can be reviewed and verified rather than taken on faith, and Foundation has *published a security audit* of the hardware/firmware. Keys are generated and held on the device; the paired app (Envoy/Sparrow) is watch-only. That's the right trust posture for cold storage: minimize the attack surface (no USB), make the code auditable, and prove it with a third-party audit.

Operational specs. *Bitcoin-only* signing device with a *QR-only air-gap workflow* — you scan unsigned PSBTs in and signed ones out, no cable. It pairs with *Envoy* (Foundation's mobile companion) and integrates with *Sparrow* and other PSBT-capable desktop wallets for multisig and advanced setups. Build quality and UX are a deliberate step up from bare-bones competitors (physical keypad, screen, considered industrial design). It's *more expensive than a Coldcard* but trades that for ergonomics. Firmware is open and updates are verifiable.

Philosophy. Cold storage security fails on two fronts: attack surface (every cable and connection is a vector) and *usability* (a wallet so painful that people misuse it or fall back to hot wallets isn't secure in practice). Passport's thesis is that you can have *both* — eliminate the USB attack surface entirely with a camera/QR air-gap, and make the device pleasant enough that people actually follow good practices. Open firmware + a public audit complete the philosophy: a security device you're asked to trust with your savings should let you (or researchers) verify it.

Grade rationale. A in /wallets. The grade reflects genuine air-gapping (no USB signing), open and auditable firmware, a published third-party security audit, clean multisig support via Sparrow/PSBT, and a UX that lowers the chance of user error. It's a top-tier cold-storage option. The caveats — Bitcoin-only, price, and the unavoidable supply-chain considerations of any hardware wallet — are scope notes, not security flaws.

Useful when. Choose Passport for *serious Bitcoin cold storage* — long-term holdings, multisig vaults (it pairs cleanly with Sparrow), or anyone who wants air-gapped security but found Coldcard's UX too austere. It's especially apt if you value build quality and a smoother signing flow and are willing to pay for it. For a privacy-conscious holder it keeps keys fully offline while letting a watch-only app track balances.

Caveats. It's *Bitcoin-only* — no Monero or other-chain support, so in an XMR-centric toolkit it's the BTC-leg device, not an all-coin solution. It costs *more than a Coldcard*; the premium buys UX and build, not extra cryptographic security. As with *every* hardware wallet, you're trusting the supply chain (buy direct from Foundation, verify firmware on setup) and your own backup hygiene — the device protects keys, but a lost or unsecured seed phrase still loses funds. And air-gap/QR workflows, while safer, are a step slower than plug-in signing. None of these dent the A: for auditable, air-gapped Bitcoin custody with humane UX, Passport is among the best, with the honest limit that it's Bitcoin-only.