Security

  • Where is my crypto held?

    The cryptocurrency is technically located on the blockchain, while the Tangem card stores the private keys used to access blockchain addresses.

  • Where are the keys stored?

    Wallet keys, which are needed to manage your funds, are created when you activate your card. The keys never leave the chip after the wallet activation and are not transferred anywhere. The primary purpose of the chip is to keep the keys safe and secure.

  • How are the private keys generated, and where are they stored?

    The key generation process in Tangem Wallet differs depending on whether you create a wallet with or without a seed phrase.

    Creating a wallet without a seed phrase:
    When you create a wallet without a seed phrase, the private key is generated using a hardware random number generator on the card chip. The entropy for the random number is taken from the chip's physical sensors. This means that each key is unique and truly random.

    The main advantage of this method is that the key never leaves the chip in the clear. The chip's main purpose is to ensure the private key's integrity and security.

    The hardware random number generator is a component of the Samsung chip. Find the security assessment document here.

    Creating a seed-phrase wallet:
    When creating a seed-phrase wallet, the Tangem application selects 12 (or 24) random words from a list of 2048 based on the BIP39 seed-phrase standard.

    The selected combination of words is converted into a binary seed, which is used to generate a set of private keys and public addresses. The resulting private keys are loaded onto the Tangem cards and stored there.

    Key Security and Storage:
    All methods of creating a wallet work the same way for storing keys. No one can access the keys, whether they stole the card, work for Tangem, or even own it. The private key cannot be removed from the card under any circumstances.
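
    The BIP39 steps described above, as an added example (not Tangem's code; function names are hypothetical). It goes slightly beyond the text by also showing the checksum built into the last word and the optional passphrase, which is why a mistyped phrase is usually rejected and why a phrase restored without its passphrase opens a different, empty wallet. The all-zero entropy and the passphrase "TREZOR" are the public BIP39 test inputs, and only the two wordlist entries the demo needs are embedded.

```python
import hashlib
import secrets
import unicodedata

# Only the two BIP39 English words this demo needs (indices from the standard list).
WORDS = {0: "abandon", 3: "about"}


def entropy_to_indices(entropy: bytes) -> list:
    """Append ENT/32 checksum bits of SHA-256(entropy), then cut into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("BIP39 entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    count = (ent_bits + cs_bits) // 11            # 12 words for 128 bits, 24 for 256
    return [(value >> 11 * (count - 1 - i)) & 0x7FF for i in range(count)]


def checksum_ok(indices) -> bool:
    """Re-derive the checksum from the entropy part of a phrase and compare."""
    indices = list(indices)
    if len(indices) not in (12, 15, 18, 21, 24) or any(not 0 <= i < 2048 for i in indices):
        return False
    total = len(indices) * 11
    cs_bits = total // 33
    value = 0
    for i in indices:
        value = (value << 11) | i
    entropy = (value >> cs_bits).to_bytes((total - cs_bits) // 8, "big")
    return entropy_to_indices(entropy) == indices


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    def nfkd(text):
        return unicodedata.normalize("NFKD", text).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic), b"mnemonic" + nfkd(passphrase), 2048)


def valid_last_words(first_words) -> int:
    """How many of the 2048 candidates for the final word pass the checksum."""
    return sum(checksum_ok(list(first_words) + [w]) for w in range(2048))


def demo() -> dict:
    # Constructed input: all-zero entropy, which yields the public BIP39 test phrase.
    # A real wallet draws the entropy from a CSPRNG, as `fresh` does below.
    indices = entropy_to_indices(bytes(16))
    phrase = " ".join(WORDS[i] for i in indices)
    fresh = entropy_to_indices(secrets.token_bytes(32))      # random 24-word phrase
    return {
        "indices": indices,
        "phrase": phrase,
        "fresh_len": len(fresh),
        "fresh_ok": checksum_ok(fresh),
        "wrong_last_word_ok": checksum_ok(indices[:-1] + [4]),
        "valid_last_words": valid_last_words(indices[:-1]),
        "seed_plain": mnemonic_to_seed(phrase).hex(),
        "seed_with_passphrase": mnemonic_to_seed(phrase, "TREZOR").hex(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Only 128 of the 2048 possible final words pass the checksum for a 12-word phrase, so the checksum catches most typing mistakes but not all of them.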

  • How is the private key cloned on the backup cards?

    When a backup is created, a secure communication channel is established between the cards using the Diffie-Hellman key exchange protocol, after which the keys are transferred from one card to the other.

    This mechanism is fully protected against man-in-the-middle attacks since the first step involves the cards authenticating each other with a two-way attestation, and the encryption is done with a 256-bit key. This is a top-level encryption protocol, and the application will not be able to decrypt the keys under any circumstances.

  • Is there a seed phrase in the wallet?

    The use of seed phrases is optional. There are three private key generation methods available in the new Tangem wallet:

    1. Using a True Random Number Generator (TRNG), which generates keys inside the card chip and stores them there. Neither Tangem nor anyone else can access them (the recommended method).

    2. Generating a seed phrase in the Tangem app and then importing it into the card/ring.

    3. Importing your seed phrase from another wallet. Unlike private keys generated in the wallet, a seed phrase can be copied and stolen.

    For more information on seed-phrase technology and our approach, see our blog post: Everything About Seed Phrases in Tangem Wallet.


    However, all wallet setup methods function the same for key storage. No one can access the keys, even if they steal the card, work for Tangem, or own it. The key cannot be removed from the card under any circumstances, and the primary task of the chip is to keep the key secure.

  • How do I find out my private key?

    The card is based on a chip that generates a private key during the wallet creation process, using a hardware random number generator. The entropy for the random number is taken from the chip’s physical sensors. The key never leaves the chip in an unencrypted state or after the wallet is activated. The chip's primary purpose is to keep the key safe and secure.
    This means that no one can ever find out your private key. The secret is safe, even from you.

  • Where is the guarantee that the manufacturer doesn’t know the key?

    Initially, the card comes without a private key. The key is generated when the wallet is created and the card is scanned with the device.

    Moreover, if you reset the card to factory settings and create a new wallet, new public and private keys will be generated.

    The Tangem firmware has undergone two independent audits: the first in 2018 by Swiss company Kudelski Security and the second in 2023 by international security lab Riscure.
    Both audits confirmed the system's integrity, finding that the private key is generated using a hardware random number generator and that no backdoors or bugs can lead to loss of funds.

    You can read the detailed reports of both audits. Kudelski Security's audit results are available here, and information about the second audit conducted by Riscure can be found here.

  • Why does a wallet need 2 or 3 cards?

    Additional cards are needed to create a backup. The number of cards in your set (2 or 3) is the number of copies of your private key that exist in the world. If one of the cards is lost or stolen, the backup cards will help you restore access to your wallet.

  • How many cards can be in a backup of one wallet?

    The maximum number of cards that can be used as a backup is 3.

  • Is there a difference between "primary" and "backup" cards?

    All of the cards from the backup are equal to each other and have access to the same wallet.

  • Why is it possible to link backup cards only once?

    For security reasons, backup creation and private key cloning can only be done once. You should therefore be sure of the number of copies of your private key you want to create.
    As the cards operate without using the company's servers, the cards know nothing about each other. It is only when creating a backup that the private key is copied to the number of cards you have chosen (2 or 3).
    If backup cards could be linked on multiple occasions, an attacker could make copies of your card without your knowledge.

  • I set up a wallet without a seed phrase. How do I add one?

    You cannot add a seed phrase when a wallet has already been created. However, you can reset the wallet to factory settings and create a new one with a seed phrase. Before resetting the card to factory settings, move all the cryptocurrency stored in your Tangem wallet to another location for a while (e.g., another wallet or exchange). This is important because resetting a card will completely erase all funds stored in the wallet!


    You must reset each card. Detailed instructions are in our blog: How to reset Tangem Wallet to factory settings.


    To create a seed-phrase Tangem Wallet, follow these instructions:
    1. Open the Tangem app.
    2. Tap Scan and scan the card.
    3. Select Other options.
    4. Tap Generate seed phrase.

    A 12-word and a 24-word seed phrase will be displayed. Select the number of words, write down the seed phrase in the order specified, and store it in a safe and secret place.

    5. Click Continue.

    Check whether you have written down your seed phrase by entering the words in the correct order.

    6. Tap Create wallet and scan the card.


    To fully understand the process of setting up a Tangem seed-phrase wallet, watch a video demonstration and refer to our step-by-step guide in our blog article.


    Important: This applies to the second-generation Tangem Wallets or later.

  • Why does the wallet show zero/incomplete balance after importing a seed phrase?

    If you imported your seed phrase but see a zero/incomplete balance, it may be due to several reasons. Let's look at each of them in more detail and suggest possible solutions.


    1. You didn't add the right tokens to the main screen of your wallet.
    When importing a seed phrase into a new wallet, the tokens that you used in the original wallet may not be displayed automatically. You need to manually add them to the home screen. To do this, go to the "Manage tokens" section and add the required tokens to the home screen. Detailed instructions are available in our blog: How to add cryptocurrencies to the Tangem app.


    2. Incorrectly imported seed phrase.
    Make sure you have entered the correct seed phrase. Even one wrong letter or word can invalidate the entire phrase.


    3. Incorrect word order in the seed phrase.
    It is important that the words of the seed phrase are entered in the correct order. Check and, if necessary, correct the word order.


    4. Missing passphrase.
    If you used a passphrase in your previous wallet but forgot to enter it during import, it may be the reason for the lack of balance. In this case, you must reset each card to factory settings and import the wallet again with the passphrase.
    Detailed instructions can be found in our blog: How to reset Tangem Wallet to factory settings.


    5. The seed phrase was initially recorded incorrectly.
    If the seed phrase was recorded incorrectly initially, you cannot regain access to your funds. Check your record and make sure it is correct.


    6. Seed phrase is not a standard BIP39 seed phrase.
    Some wallets use non-standard seed phrases. Check if your seed phrase is a standard BIP39.


    7. Multiple addresses for the same coin.
    If you have multiple accounts for the same coin in the source wallet, only the first consecutive addresses on the derivation path in each blockchain are displayed when importing into Tangem, so either a zero or an incomplete balance may be displayed.


    You can try the following workaround:
    - Check the coin's derivation path in the source wallet. These data can usually be found in the source wallet. We recommend contacting the source wallet's support if you cannot find them.
    - Add a custom token in the required network using the derivation path from the source wallet.
    You can read more about derivation paths here.


    To add a custom token:
    - Open the app and log in to your wallet.
    - Tap the three dots in the top right corner.
    - Select the desired wallet.
    - Go to the Manage tokens section.
    - Click on the "+" icon in the top right corner of the token list.
    - Fill in the fields according to your token/coin.
    - Instead of the "Default" derivation path, select "Custom" and enter the derivation path from the source wallet.
    Detailed instructions on how to add a token are available in our blog: How to add your own token to the Tangem app.


    8. Different address types.
    If the funds in the source wallet are on an address whose type is not supported by Tangem Wallet, they will not show up in the import result.
    For example, there are several types of addresses in the Bitcoin network, which can be easily distinguished by the prefix (the characters at the beginning of the address):


    1. Legacy (P2PKH): starts with the number 1. Example: 1N4Qbzg6LSXUXUXyXu2MDuGfzxwMA7do8AyL.


    2. Script (P2SH): begins with the number 3. Example: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy.


    3. SegWit (P2WPKH): starts with the combination "bc1q". Example: bc1qfg9t7fwn0atn4yf9spca5502vk8dyhq8a9aqd8.


    4. Taproot (P2TR): starts with the combination "bc1p". Example: bc1peu5hzzyj8cnqm05le6ag7uwry0ysmtf3v4uuxv3v8hqhvsatca8ss2vuwx.


    Tangem Wallet supports Legacy (P2PKH) and SegWit (P2WPKH) addresses.


    You cannot regain access to the funds if you import a wallet with the funds on Script (P2SH) or Taproot (P2TR) addresses.


    9. Different cryptographic standards.
    Different wallets may use different cryptographic techniques and blockchain derivation methods. Having a seed phrase does not guarantee that users can access their funds in another wallet.


    Tangem Wallet is compatible with many other wallets, such as Trust Wallet. This problem is not unique to our wallet; it reflects a broader industry problem, as there is no universal standard for all wallets.


    Important: This applies to the second-generation Tangem Wallets or later.
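
    A way to check which of the address types from item 8 an address belongs to before importing, as an added example (not Tangem's code; function names are hypothetical). It validates the Base58Check or bech32/bech32m checksum instead of trusting the prefix alone, handles mainnet ("bc") addresses only, and reports any other witness program as "other or invalid". The SUPPORTED set repeats what this page states.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32, BECH32M = 1, 0x2BC830A3      # checksum constants from BIP173 / BIP350
SUPPORTED = {"Legacy (P2PKH)", "SegWit (P2WPKH)"}   # as stated on this page


def base58check_decode(addr):
    """Return (version, hash) or None when the alphabet, length or checksum is wrong."""
    if any(c not in B58 for c in addr):
        return None
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    zeros = len(addr) - len(addr.lstrip("1"))        # each leading '1' is a 0x00 byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    body, check = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(body).digest()).digest()
    return (body[0], body[1:]) if len(body) == 21 and digest[:4] == check else None


def _polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk

def _expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def _convertbits(data, frm, to, pad):
    acc, bits, out, mask = 0, 0, [], (1 << to) - 1
    for v in data:
        acc, bits = (acc << frm) | v, bits + frm
        while bits >= to:
            bits -= to
            out.append((acc >> bits) & mask)
    rest = (acc << (to - bits)) & mask
    if pad:
        return out + [rest] if bits else out
    return None if bits >= frm or rest else out      # reject bad padding


def segwit_encode(witver, program, hrp="bc"):
    """Encode a witness program; used below only to construct sample inputs."""
    data = [witver] + _convertbits(program, 8, 5, True)
    pm = _polymod(_expand(hrp) + data + [0] * 6) ^ (BECH32 if witver == 0 else BECH32M)
    return hrp + "1" + "".join(B32[d] for d in data + [(pm >> 5 * (5 - i)) & 31 for i in range(6)])


def segwit_decode(addr):
    """Return (witness version, program) or None when malformed."""
    if addr not in (addr.lower(), addr.upper()):     # mixed case is invalid
        return None
    hrp, _, data = addr.lower().rpartition("1")
    if hrp != "bc" or len(data) < 7 or any(c not in B32 for c in data):
        return None
    vals = [B32.index(c) for c in data]
    prog = _convertbits(vals[1:-6], 5, 8, False)
    want = BECH32 if vals[0] == 0 else BECH32M       # v0 uses bech32, v1+ bech32m
    if prog is None or vals[0] > 16 or _polymod(_expand(hrp) + vals) != want:
        return None
    return vals[0], bytes(prog)


def classify(addr):
    """Return (address type, whether this page lists that type as supported)."""
    kind = "other or invalid"
    if addr[:1] in ("1", "3"):
        dec = base58check_decode(addr)
        if dec:
            kind = {0x00: "Legacy (P2PKH)", 0x05: "Script (P2SH)"}.get(dec[0], kind)
    else:
        dec = segwit_decode(addr)
        if dec and dec[0] == 0 and len(dec[1]) == 20:
            kind = "SegWit (P2WPKH)"
        elif dec and dec[0] == 1 and len(dec[1]) == 32:
            kind = "Taproot (P2TR)"
    return kind, kind in SUPPORTED


# Sample inputs: Bitcoin's genesis-block address, the page's own P2SH example,
# and two addresses constructed here from dummy witness programs.
SAMPLES = ["1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy",
           segwit_encode(0, bytes(range(20))), segwit_encode(1, bytes(range(32)))]

if __name__ == "__main__":
    for a in SAMPLES:
        print(a, *classify(a))
```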

  • What is the difference between a seed phrase and an access code?

    The seed phrase and access code are two different methods of securing access to your Tangem Wallet.


    1. Seed phrase: These 12 or 24 words help you recover your wallet in case of lost or damaged cards. It is the basis for recovering your wallet, as you can recover all the private keys needed to access your funds.

    2. Access code: This is the code you set when you initially set up your Tangem Wallet cards. This code protects your card from unauthorized use. It can contain any word, phrase, or number you want.
    The minimum number of characters is 4, and the maximum is unlimited.
    The access code is required when you scan your card, e.g., enter your wallet, sign a transaction, or reset your card to factory settings if you do not use biometric authentication.


    The critical difference between the two lies in their function and applications; the seed phrase provides access to your funds, while the access code secures your physical card and prevents unauthorized access.


    Important: This applies to the second-generation Tangem Wallets or later.

  • What should I do if I lose a seed phrase?

    You can still manage your funds if you've lost your seed phrase but still have access to your wallet using at least one card.

    We recommend transferring your funds to a different location, such as another wallet or exchange, as soon as possible. This is important because the lost seed phrase may be compromised.

    After transferring your funds, reset all the cards to factory settings and create a new wallet with a new seed phrase.


    However, if you've lost or damaged all your cards and the seed phrase, you won't be able to access your wallet.

    Important: This feature applies to the second-generation Tangem Wallets or later.

  • I didn’t write down my seed phrase, how can I look it up again?

    You can only see the seed phrase during the wallet setup process. It is not saved on the wallet or phone and cannot be restored later.


    In this case, you must reset the wallet to factory settings and create a new wallet with a new seed phrase.


    Before resetting your cards, move all the cryptocurrency stored in it to another location for a while (such as another wallet or exchange). This is important because resetting the card will result in a complete erasure of all funds stored in the wallet.


    To reset the entire wallet, repeat the reset steps for each card in the backup. Our blog post on resetting the Tangem Wallet to factory settings provides detailed instructions.

    To create a Tangem wallet with a seed phrase, follow these instructions:
    1. Open the Tangem app.
    2. Tap Scan and scan the card.
    3. Select Other Options.
    4. Select Generate Seed Phrase. A 12-word and a 24-word seed phrase will be displayed on the screen. Choose the number of words, write down the seed phrase in the specified order, and store it in a safe place.
    5. Tap Continue. To check whether you have written down the seed phrase correctly, enter the words indicated on the screen.
    6. Tap Create wallet and scan your card.


    Here is a video explaining setting up a Tangem wallet with a seed phrase.
    A step-by-step guide is also available on our blog: How to Set Up the Tangem Wallet With a Seed Phrase.


    Important: This feature applies to the second-generation Tangem Wallets or later.

  • What should I do if I suspect someone has accessed my seed phrase?

    If you suspect that someone has accessed the seed phrase of your Tangem Wallet, it is important to take action to protect your funds as soon as possible. Here's what you can do:


    1. Transfer funds: Immediately transfer all your funds to another place for a period of time (such as another wallet or exchange). This will allow you to keep your cryptocurrencies safe until you take further action.


    2. Reset the cards to factory settings: Resetting them to factory settings erases everything. Before resetting, withdraw all cryptocurrency from the wallet.
    Detailed instructions are in our blog: How to reset Tangem Wallet to factory settings.


    3. Create a new wallet with a new seed phrase: After all cards are factory reset, you can create a new wallet with a new seed phrase.


    4. Improve security: Unlike card-generated keys, the seed phrase is not secure and can be copied or stolen. If someone gains access to your seed phrase, they can access your funds.


    It is important to keep your seed phrase in a safe place and follow the basic rules of crypto hygiene:
    - Never store your seed phrase online.
    - Do not enter it into any app without ensuring it is safe.
    - Never give it to anyone, and never lose it.


    Don't forget that the safety of your wallet and funds depends on you. Be vigilant and take steps to protect your funds.


    Important: This feature applies to the second-generation Tangem Wallets or later.

  • Can I change the seed phrase?

    No, the seed phrase is only randomly generated when you create a wallet.

    To change the seed phrase, reset your current cards to factory settings and create a new wallet.


    Before resetting a card to factory settings, move all the cryptocurrency stored in your Tangem wallet to another location for a while (e.g., another wallet or exchange). This is important because resetting a card will result in a complete erasure of all funds stored in the wallet.

    You must reset each card in the wallet.

    Detailed instructions on this can be found in our blog: How to reset Tangem Wallet to factory settings.


    Important: This applies to the second-generation Tangem Wallets or later.

  • What should I do if I lose the Ring?

    Losing the Tangem Ring is the same as losing one of the cards. If you lose the ring, you can still access your wallet through the backup cards. From a security standpoint, if an attacker finds your lost ring, they cannot access the wallet because it is protected by an access code. Moreover, the ring is also protected against brute-force attacks. After the sixth incorrect attempt to enter the code, the delay time for the next attempt is increased by 1 second. The maximum delay time is 45 seconds. The delay is only reset after the access code has been successfully entered.

  • Can I purchase just the Ring without the backup cards?

    No, the Tangem Ring is sold as a set with two cards. Additional cards are needed to create a backup. The number of items in your set (2 or 3) is the number of copies of your private key that exist in the world. If one of the items is lost or stolen, the backup copies will help you restore access to your wallet.

  • Can someone access my funds by tapping my Tangem Ring while I'm wearing it?

    No, the ring must be removed from your finger and tapped on your smartphone. You also have to enter the access code or use biometric authentication to use the Tangem app.

  • What happens if I lose my Tangem Wallet?

    Tangem Wallet includes a set of 2 or 3 cards, so that you can back up the key to other cards during the activation process. The backup cards will help you manage your money even if you lose one of the cards.

  • How do I restore access if I lose all my backup cards?

    Losing all your cards will result in losing your funds. Only your cards can give you access to the wallet. The number of cards you have in your backup determines how many copies of your private key exist.

    Therefore, we recommend storing your cards in different places. If one card is lost or stolen, you can buy a new set of cards and transfer funds to it.

    However, if you set up your wallet with a seed phrase and lose all the cards in the set, you can restore your wallet to another wallet using the exact seed phrase.

  • If the Tangem Wallet card is stolen, can a third party gain access to the wallet?

    No, the cards are protected by an access code from unauthorized access by third parties and against brute-force attacks.

    After the sixth incorrect attempt to enter the code, the delay time for the subsequent attempt increases by 1 second. The maximum delay time is 45 seconds.

    The delay only resets after the correct access code has been entered.

  • If my phone is lost/broken, will I lose access to my funds?

    In such cases, you don't lose access to your assets. You can use your card to access your wallet via any other mobile device. The phone itself doesn't store any assets you hold; it simply acts as a display by visualizing specific data for a particular user on screen. The storage of private keys and signing of transactions is done by your card. All you have to do is download the Tangem app on your new phone and scan the card.

  • If I lose one card from the backup, can I buy another set and link it to my existing wallet?

    Since you can only create a backup and clone the private key once, you won’t be able to link new cards to an existing backup. After purchasing a new set, you should transfer your funds to the new wallet.

  • What happens if I lose my Tangem Note?

    Since Tangem Note cards don't have a backup option and are used in a similar fashion to fiat money, you can manage the cryptocurrency as long as you own the card. If the card is lost, however, it will be impossible to manage the funds.

  • If Tangem Note is stolen, can a third party gain access to the wallet?

    Tangem Note cards have no backup option or access code protection. For this reason, the cards can be compared to traditional banknotes: whoever owns the card can access the wallet. Like traditional banknotes, therefore, these cards must be physically secure at all times.

  • Is it possible to block a lost card?

    This isn’t supported. Once a backup has been created, all cards in the set have a single private key and become equal, so there is no technical way to identify which card has been lost.

    When you activate a card and create a backup, you protect each card with its user password. Moreover, the card is protected against brute-force attacks. After the sixth incorrect attempt to enter the code, the delay time for the next attempt is increased by 1 second. The maximum delay time is 45 seconds. The delay is only reset after the access code has been successfully entered.

  • What personal data does the company collect?

    Tangem does not monitor incoming or outgoing transactions. We never gather wallet addresses, users’ personal data, or any other information that could identify users or their phones.

  • Does the Tangem app store user data?

    The app doesn’t store personal data or any other information that could identify a user or their phone.

  • How exactly is Tangem Wallet a cold wallet? What is the working principle of the wallet?

    A cold wallet is a vault for storing cryptocurrency that is not connected to the internet. On Tangem cards, the private key is generated by a hardware random number generator when the wallet is created and the card is attached to the device. It is then stored on the card, which is fully disconnected from the internet. The private key never leaves the card. The primary purpose of the wallet is to store the private keys securely. The app is simply a user interface allowing the cards to communicate directly with the blockchain.

  • Can Tangem block access to the wallet?

    Tangem doesn’t have its own servers that connect to blockchains. It is the app on your phone that communicates directly with the blockchain. This means that we cannot interfere with operations in any way. Tangem's philosophy is to provide users with a technological solution for interacting with crypto assets and nothing more. The wallet protocol looks like this: card <-> application <-> blockchain.

    Besides, we don't conduct registration or verification of users, so we don't know their geolocation, citizenship, etc. This means we can't identify a particular user to block their wallet access (even if that were possible). All we can hypothetically find out is your IP address, which can still be changed with a VPN if necessary.

    Plus, our app is open source and published on GitHub. With some skills, anyone can study it, make sure it's secure and compile the app.

  • How reliable and safe is it? What if a Tangem card stops working?

    Tangem Wallet is a highly secure and reliable hardware wallet. The chip in your card is a microcomputer that generates a private key that never leaves the card. We have gone the extra mile to prove it externally:

    • The highest certification level among direct competitors that ensures no backdoors: EAL6+ by Common Criteria. This is the same level of chip protection used in passports.
    • The firmware has passed two audits from the independent Swiss company Kudelski Security and the international security laboratory Riscure.
    • The only hardware wallet with the highest possible IP68 protection rate against environmental conditions. It is entirely safe from dust, water, and hacking attempts.
    • The card is durable enough to perform from -25 ℃ (-13 ℉) to +50 ℃ (122 ℉). You can even put it in the snow without repercussions.
    • The chip is designed to sign an infinite number of transactions with a life expectancy of 25+ years.
    • The chip is further protected against EMPs (electromagnetic pulses), ESD (electrostatic discharge) and X-rays in compliance with the ISO 7816-1 standard.

  • What is the lifespan of the card?

    The cards have a minimum lifespan of 25 years, which is guaranteed by Samsung, the chip manufacturer. Technical information about the chip is available on the Samsung website via the link.

  • What will happen to the card when it is exposed to a powerful magnetic field, for example, in an MRI machine? What is the probability that the wallet will demagnetize and stop working?

    The chip doesn't contain any magnetic elements that could demagnetize. Moreover, the Tangem card chip is protected against EMPs (electromagnetic pulses), ESD (electrostatic discharge) and X-rays in compliance with the ISO 7816-1 standard.

  • Will the card work if Tangem doesn’t exist as a company? Does Tangem use its own servers?

    Even though we have no intention of going out of business any time soon (we’ve been running smoothly since 2017), in case something terrible happens, Tangem cards and the app will continue to function. The Tangem app uses the company's servers to verify the card's authenticity, synchronize the list of tokens added between backup cards, and calculate the value of the cryptocurrency in your wallet. Without these services, you will still be able to use your Tangem cards, though it will be a little less convenient. You can read more on our blog via the link.

  • What happens if the app is no longer available for download from App Store/Google Play?

    The app already installed on your device will remain available if the ability to download it from App Store/Google Play suddenly disappears.
    The app works independently of Tangem's servers and will continue to work even if the company shuts everything down. You can also always download the Tangem app from GitHub. Moreover, the Tangem app is fully open source and available on GitHub, so a replacement app can be created by anyone and used to power the card.
    For more details, you can read our blog.

  • Can different access codes be set for each card in the backup?

    By default, the same access code is created for all cards during backup. After that, you can set a different access code on each card by going to "Details", "Card settings" and then "Change access code".

  • Can I set an access code on Tangem Note?

    In contrast to Tangem Wallet, Tangem Note is a single card, so it has no backup function or access code protection.
    Tangem Note is a good choice for cryptocurrency beginners, and works well as a gift or method for handing over crypto in person.

  • Can I set an access code without creating a backup?

    The access code can only be set if a backup is created. For cards without a backup, you cannot set an access code because if you lose the access code, you will lose access to the wallet. If you have forgotten the access code on a card with a backup, you can reset the code on that card with the help of a second card from the backup.

  • Is there any protection against brute-force attacks?

    The card has protection against brute-force attacks. After the sixth incorrect attempt to enter the access code, the delay time for the next attempt is increased by 1 second. The maximum delay time is 45 seconds. The delay is only reset after the access code has been successfully entered.

  • How can I make sure that I’ve bought an original card?

    Tangem cards cannot be physically modified, as there is a monolithic chip inside the card. Tangem cards cannot be modified in terms of software.

    The official app can accurately check the following:
    — that the card was produced by Tangem;
    — that the card is flashed with Tangem software.

    Tangem’s end-to-end certification means it’s entirely safe to buy, even in a city underpass. The most important things to note are that:
    1. You have installed the official Tangem app.
    2. The cards prompt you to create a wallet. If not, reset the cards to factory settings.

    For further information, please refer to the blog post: Tangem Wallet Authentication.

  • How can I check that I’ve received an unused card?

    When you activate the card, you should be prompted to create a wallet. If not, reset the cards to factory settings and create a wallet; this will generate new keys.

  • How can the authenticity of the Tangem firmware be verified?

    Tangem uses a “security through obscurity” approach. Disclosing the source code will make its hardware wallets vulnerable. To prove that the Tangem firmware does not have backdoors or bugs that could lead to loss of funds, we went through two independent audits of the Tangem firmware.

    The first audit was conducted in 2018 by the Swiss company Kudelski Security and the second in 2023 by the international security laboratory Riscure. 

    Both audits confirmed the integrity of our system, establishing that the private key was generated using a hardware random number generator and that there were no backdoors or bugs that could lead to the loss of funds.

    You can read the detailed reports of both audits. Kudelski Security's audit results are available here, and information about the second audit conducted by Riscure can be found here.

  • Is it possible to update the card firmware?

    For user safety, the Tangem firmware is downloaded into the chip once and cannot be updated again. This eliminates the risk of installing malware and possible theft of funds.

    Updating a hardware wallet’s firmware means that you will have to trust the wallet manufacturer and hope that, at some point, you won't receive an update that compromises your keys.

    Tangem’s firmware has undergone two independent audits from Kudelski Security and Riscure. Both audits confirmed the integrity of our system, establishing that the private key was generated using a hardware random number generator and that there are no backdoors or bugs that could lead to the loss of funds.

    You can read the detailed reports of both audits. Kudelski Security's audit results are available here, and information about the second audit conducted by Riscure is here.