cryptnox-logo
Cryptnox crypto hardware wallet dual card set for secure cryptocurrency cold storage
Cryptnox crypto hardware wallet smart card with FIDO2 authentication
Cryptnox secure crypto hardware wallet card
Cryptnox hardware wallet NFC smart card dual set
Cryptnox crypto hardware wallet NFC smart card pair with backup card
Cryptnox crypto hardware wallet NFC smart card contact chip detail
Cryptnox crypto hardware wallet smart card, alternate product view

Cryptnox SA

Cryptnox Crypto Hardware Wallet — Smart Card Cold Storage with Dual-Card Backup

The Cryptnox crypto hardware wallet is a Swiss-engineered smart card that secures Bitcoin, Ethereum, 1,000+ EVM tokens, Tron (TRX, TRC-20), XRP, and other supported chains entirely on-card via an EAL6+ certified secure element. The Dual Card Set ships uninitialized — you set up both cards yourself via a brief paired ceremony in the Cryptnox app, with the seed computed inside both secure elements via a three-step ECDH exchange using randomness from the on-chip TRNGs, and committed to both cards immediately one after the other (no 24-word phrase to write down). Two more options: inject an existing 12/24-word BIP39 seed for migration or off-card backup, or initialize a single card from its on-chip TRNG for short-term use. When the card generates the seed itself (paired dual-card ceremony or single-card random init), randomness comes from the chip’s EAL6+-certified on-chip TRNG — every TRNG-generated seed is equally likely, and impossible to predict in advance. See the full default list of supported coins and blockchains — additional EVM-compatible networks and tokens can be added manually, plus supported custom tokens on Tron and XRP.

Cards also ship with FIDO2 Functionalities now!

For more informationLearn about Cryptnox FIDO2 security key.

ORDERS TO THE EU SHIP DIRECTLY FROM THE EU – NO IMPORT DUTIES

 39.90

Tax included. Shipping calculated at checkout.

Pay with Debit or Credit Card

Description

Customer rating: ★★★★½ 4.4 / 5 — based on 45 Amazon customer reviews (as of May 2026). Read on Amazon.

What makes the Cryptnox Dual Card Set unique: the primary card and the backup card can be initialized together in a paired ceremony (one of three available initialization methods) that completes within 23 seconds, and the seed is never displayed in the clear, never written down, and never seen — not by you, not by Cryptnox, not by anyone. The seed is computed inside both Secure Elements simultaneously via a three-step encrypted (ECDH) exchange (dual-generation mode) and committed to both cards immediately one after the other. There is no 12/24-word seed phrase to read off a screen, photograph, or hide. After the ceremony, the primary card stays available for daily use and the backup card sits beside the pre-printed Access Card in the included NFC-shielded casing — that is your full backup model.

The Cryptnox crypto hardware wallet is a Swiss-engineered smart card that secures your Bitcoin, Ethereum, 1,000+ EVM-compatible tokens, Tron (TRX and TRC-20), XRP, and other supported chains entirely on-card. Private keys are generated inside an EAL6+ certified secure element and never leave the chip. The Dual Card Set ships uninitialized — for a critical security reason: nobody between the chip foundry and your hands can have access to your seed. You initialize the cards yourself in the Cryptnox app, using one of three methods (see below).

Cold storage in a smart card form factor

Most hardware wallets are USB devices that plug into a networked laptop. The Cryptnox crypto hardware wallet is a smart card — between transaction signings the card is fully offline, with no charging, no batteries, and no cables. To sign a transaction, you bring the card near your phone in the Cryptnox app (the NFC antenna location varies by phone model). The brief signing session uses an authenticated, encrypted secure-messaging channel between the card and the app — the link itself cannot be eavesdropped or replayed, even though it travels over NFC. Outside that signing handshake, the card stays fully offline — colder than any USB hardware wallet that remains plugged into a networked machine.

Three ways to initialize — choose what fits your security target

Methods 1 and 3 generate the seed inside the card itself, using its on-chip TRNG (true random number generator) — part of the chip’s Common Criteria EAL6+ certification. Every TRNG-generated seed is completely random, and impossible to predict in advance, not even by Cryptnox. Method 2 instead imports a seed of your choosing from outside the card, so its randomness is whatever the original source wallet used.

  • Method 1 — Paired dual-card ceremony (recommended for the Dual Card Set): with both cards present, the Cryptnox app guides you through a brief interactive mini-ceremony (dual-generation mode). The seed is computed inside both secure elements via a three-step ECDH exchange using randomness from the on-chip TRNGs, and committed to both cards immediately one after the other. The seed never exists in plaintext outside the secure elements. Result: identical seed on both cards — the first card is for daily use, the second is your built-in backup, stored somewhere safe. If the main card is ever lost or damaged, the backup restores full access instantly, with no 24-word seed phrase to write down. Step by step tutorial available on: Dual Card setup tutorial.
  • Method 2 — External seed injection (migration or off-card backup copy): the cards can accept an externally generated 12/24-word BIP39 seed via the Cryptnox app. Use this if you’re migrating from another wallet (Ledger, Trezor, MetaMask, etc.) and want to keep the same seed, or if you want to keep a copy of the seed off-card under your own protection. Both cards in the Dual Card Set can be loaded with the same injected seed. Check out our 12/24-word mnemonic setup tutorial.
  • Method 3 — Single-card random init (short-term / specific use): this method is for advanced users. A single card initializes itself with a random seed pulled from its on-chip certified TRNG. There is no backup — if the card is lost, the funds are unrecoverable. Only suitable for small short-term holdings or specific experimental use cases. Most users should pick Method 1 or 2. Step-by-step tutorial available on: Single Card setup tutorial.

MetaMask, Uniswap, and DeFi compatibility

The Cryptnox crypto hardware wallet works with two standard integrations:

  • MetaMask browser extension — pair Cryptnox via the QR-based wallet-signing standard. MetaMask handles dApp connection and transaction building in the browser; the Cryptnox card signs each transaction on-device after a phone confirmation. Step-by-step tutorial: MetaMask + Cryptnox setup guide.
  • DeFi platforms (Uniswap, Aave, bridge aggregators, NFT marketplaces, etc.) — connect via WalletConnect. The dApp displays a QR code, you scan it with the Cryptnox app, and sign with the card. See how to use WalletConnect with Cryptnox.

In both paths, your private keys never leave the card’s secure element. Check the full list of supported coins and blockchains for the complete catalog of default chains, altcoins, and tokens. Custom EVM-compatible networks and tokens can be added manually, as well as custom tokens on XRP and Tron.

How to use the card on your phone or desktop

For mobile signing, just hold the card near any NFC-capable phone while using the Cryptnox app — no contact reader required. Beyond signing, the Cryptnox app also lets you buy crypto in-app and swap one supported asset for another through built-in third-party providers, so for everyday use you rarely need to leave the app. On Android, you can use one of the USB-C Cryptnox readers (the Cryptnox dual-slot smartcard reader or the NFC contactless reader) with the Cryptnox Wallet app via the USB-C connector, as an alternative to the phone’s built-in NFC — turn it on under the app’s expert settings (“enable USB mode”). This is especially useful in kiosk-mode (Point of Sale terminal) deployments where the card is presented to a fixed reader rather than waved against a phone. For desktop browsers, scan a WalletConnect QR code with the Cryptnox app and sign on your phone. If you prefer to sign from a desktop, any of the three Cryptnox card readers is compatible — the Cryptnox dual-slot smartcard reader (contact + NFC), the NFC contactless reader, or the USB-A mini contact reader. Desktop signing also requires the free Cryptnox desktop app, available on Windows (Microsoft Store), macOS (Homebrew tap), and Linux (Snapcraft), with a cross-platform Cryptnox CLI for power users. Each desktop signing operation asks for the card’s PIN — there is no default biometric/secure-element pairing on desktop, so the PIN you set at initialization is what authorizes the signature. The CLI supports two authentication modes against the card: the standard PIN (same as the desktop app), or a hardware-backed user public key — RSA 2048 or P-256 (NIST) — that you load onto the card. With key-based auth, the CLI proves possession of the matching private key via challenge-response, with the private side held in either a Windows TPM accessed through Windows Hello, or a YubiKey PIV slot (cross-platform: macOS, Windows, and Linux). Configured this way, transaction signing requires two physical factors — the Cryptnox card plus the TPM or YubiKey — and no PIN is typed on the desktop. The Homebrew tap and the CLI are open source on GitHub, so you can audit the code, build from source, or integrate script signing into your own workflows — see cryptnox.com/get-software.

For setup walkthroughs, integration guides, and troubleshooting, browse our hardware wallet tutorials hub.

Features

Cold storage in a wallet-friendly card

  • True cold storage: the card is offline 100% of the time except during the brief signing session. No always-on USB connection to a networked laptop.
  • EAL6+ secure element: the same chip class used in banking and government-grade smart cards. Private keys are generated and stored inside the chip; they never leave it.
  • Certified on-chip TRNG: when the card generates the seed itself (paired dual-card ceremony or single-card random init), it uses an on-chip true random number generator that is part of the chip’s Common Criteria EAL6+ certification — every TRNG-generated seed is equally likely, and impossible to predict in advance, even by Cryptnox. External seed injection (Method 2) imports a seed of your choosing instead.
  • Encrypted signing channel: every signing session between the card and the Cryptnox app uses an authenticated, encrypted secure-messaging channel — the data exchanged with the card cannot be intercepted or replayed, even on the NFC link.
  • Wallet-friendly form factor: credit-card sized, fits in any wallet cardholder. No keychain dongle, no charging cable, no battery.
  • Ships uninitialized: the cards arrive blank — you set them up yourself in the Cryptnox app, so nobody upstream ever sees your seed.
  • Bonus FIDO2 2.1 (accessory): both wallet cards are dual-tech — each implements the same FIDO2 2.1 stack as the standalone Cryptnox FIDO2 (non-MIFARE) cards, so either can double as a 2FA / MFA security key on services that support FIDO2 / WebAuthn (and as a passwordless authenticator on services that support FIDO2 passwordless, e.g. Microsoft Entra, Google, login.gov, AGOV). Primary use case remains crypto cold storage. FIDO2 on Cryptnox cards

Access Card, PINs, PUKs — how the card protects you in daily use

  • Three cards in the Dual Card Set: two hardware wallet cards (primary + backup) and a printed Cryptnox Access Card carrying a random PIN, PUK, and matching QR codes generated at the Cryptnox factory (unique per set). All three cards ship together in an NFC-shielded casing, so you can initialize the set in under 23 seconds: scan the QR codes, run the paired-card ceremony, then keep the primary card on you for daily use and store the backup + Access Card together in that same casing somewhere safe. Want zero factory trust? Override the factory credentials with values you generate yourself or with the offline Cryptnox PIN/PUK generator.
  • PIN and PUK at setup / import: both are required when you initialize a fresh card or import it into a new phone (e.g., after migrating to the backup card). Importing links the card to your phone’s secure element — from that point on, mobile signing no longer asks for the PIN.
  • Daily mobile use — biometric + phone secure element: Face ID / fingerprint triggers the phone’s secure element to sign the request, the card validates that signature and signs the blockchain transaction. The (weaker) PIN is not used on mobile after pairing.
  • Daily desktop use — PIN: the desktop app and the open-source CLI have no biometric/secure-element pairing, so signing on desktop still requires the PIN you set at initialization.
  • PUK — master administrator key: required only for resets, PIN replacement, and other privileged operations. Lives only on your printed Access Card and never travels over the network during normal use. The default PUK is generated at the Cryptnox factory and unique per Dual Card Set; you can replace it with a self-generated value if you want a zero-trust posture.
  • No lockout, hardware-enforced rate limit: Cryptnox cards do not brick after a wrong-PUK count. The secure element instead enforces a minimum ~60 ms processing time per attempt, and a randomly generated 12-character PUK has ~6.83 × 1021 combinations — exhaustive brute-force would take roughly 13 trillion years. PUK security model
  • Dual-generation mode (paired ceremony): the two factory-linked wallet cards perform a three-step ECDH exchange in the Cryptnox app. The seed is computed inside both Secure Elements simultaneously and never exists in plaintext outside the chip; only that specific pair of cards can complete the protocol. Dual-generation mode details

Supported coins and blockchains

The Cryptnox crypto hardware wallet supports Bitcoin, Ethereum, 1,000+ EVM-compatible tokens and altcoins, Tron (TRX and TRC-20 tokens), and XRP (XRP Ledger) — all pre-programmed in the free Cryptnox app for iOS and Android. The complete default list of coins and blockchains is published at cryptnox.com/coin-blockchain-support; advanced users can also add additional chains and tokens manually. WalletConnect provides access to DeFi platforms across EVM-compatible networks configured in the Cryptnox app.

How signing works

  • Mobile: install the free Cryptnox app on iOS or Android, build the transaction in the app, hold the card near the phone (NFC antenna location varies by phone) to sign. The Cryptnox app also includes in-app crypto purchases and a swap mechanism via integrated third-party providers, so most day-to-day operations happen inside the app itself. Signing channel is encrypted end-to-end. Android USB-C reader option: on Android you can also use a USB-C Cryptnox reader (Cryptnox dual-slot smartcard reader or NFC contactless) with the Cryptnox Wallet app via USB OTG, as an alternative to the phone’s built-in NFC — enable it under the app’s expert settings (“enable USB mode”). Particularly useful in kiosk-mode deployments. USB-mode is Android-only for the moment.
  • MetaMask + browser: pair the card via the QR-based wallet-signing standard. Setup walkthrough.
  • DeFi (Uniswap, Aave, NFT marketplaces, bridge aggregators): via WalletConnect. The dApp displays a QR code; scan it in the Cryptnox app and sign with the card.
  • Desktop direct (optional): any Cryptnox card reader — Cryptnox dual-slot smartcard reader, NFC contactless, or USB-A mini — paired with the free Cryptnox desktop app (Windows / macOS / Linux; downloads). Each desktop signing operation asks for the card’s PIN; there is no biometric/secure-element pairing on desktop. The macOS Homebrew tap and the cross-platform CLI are open source on GitHub.

What’s in the Dual Card Set

  • 2 × Cryptnox crypto hardware wallet cards (primary + backup), shipped uninitialized for security — both from the same production batch with uniform firmware
  • 1 × Cryptnox Access Card carrying a factory-generated random PIN, PUK, and matching QR codes pre-printed on it (unique per Dual Card Set). Scan to enroll in seconds; override with your own PIN/PUK if you prefer.
  • Stylish NFC-shielded card casing — the cards ship together in this casing, which doubles as a safe-storage holder for the backup + Access Card after setup (blocks accidental NFC reads).
  • Initialize together via the paired-card ceremony (default), or use external seed injection / single-card init if your scenario demands
  • Free Cryptnox app for iOS and Android

Browse the full hardware wallet tutorials catalog for setup walkthroughs, integration guides, and troubleshooting.

Specifications

Technical specifications

  • Form factor: ISO/IEC 7810 ID-1 (CR80, credit-card size — 85.6 × 54 mm)
  • Interface: NFC (ISO/IEC 14443 Type A) + contact (ISO 7816)
  • Secure element: EAL6+ certified chip
  • Random number generator: EAL6+-certified on-chip TRNG (true random number generator), used when the card generates the seed itself (paired dual-card ceremony, single-card random init) — every TRNG-generated seed is equally likely, impossible to predict in advance, even by Cryptnox
  • Key storage: private keys generated and stored inside the secure element; never leave the chip
  • BIP32 derivation and custom derivation paths
  • FIDO2 / WebAuthn (accessory functionality): FIDO2 2.1 (CTAP2) + U2F/CTAP1 stack on every wallet card, identical to the non-MIFARE Cryptnox FIDO2 cards — either card can be registered as a 2FA / MFA security key alongside its hardware-wallet role
  • Communication security: authenticated, encrypted secure-messaging channel between the card and the Cryptnox app — protects every signing session against eavesdropping or replay
  • Initialization: cards ship uninitialized; the user initializes them in the Cryptnox app via one of three methods — (1) paired dual-card ceremony with simultaneous on-chip seed generation in both cards, (2) external 12/24-word BIP39 seed injection (for migration from another wallet or off-card backup), or (3) single-card random init from the on-chip TRNG (no backup; short-term / specific use only)
  • Power: passive — no battery, energy harvested from the NFC reader’s RF field
  • Durability: ISO 7816 / 14443 smart-card lifecycle — typically rated for 500,000+ contactless transactions
  • Mobile app: free Cryptnox app for iOS and Android
  • Desktop integrations: MetaMask via QR-based wallet-signing standard; WalletConnect for DeFi platforms; optional direct desktop signing via any Cryptnox card reader (Cryptnox dual-slot smartcard reader, NFC contactless, or USB-A mini) paired with the free Cryptnox desktop app on Windows (Microsoft Store), macOS (Homebrew tap), or Linux (Snapcraft) — or the cross-platform Cryptnox CLI (downloads; Homebrew tap and CLI are open source on GitHub). Desktop signing is authorized by the card’s PIN.

Pack contents

  • 2 × Cryptnox crypto hardware wallet cards (primary + backup), shipped uninitialized
  • 1 × Cryptnox Access Card with a factory-generated random PIN, PUK, and matching QR codes pre-printed on it (unique per Dual Card Set; can be overridden with your own values or with the offline Cryptnox PIN/PUK generator)
  • Stylish NFC-shielded card casing — holds the 3 cards together for shipping and for safe storage after setup; blocks accidental NFC reads while stored
  • Welcome card with QR code linking to the quick start guide
  • You initialize both wallet cards together in the Cryptnox app via the paired-card ceremony (dual-generation mode), or independently via external seed injection or single-card init

Compliance

  • EAL6+ secure-element certification
  • ISO/IEC 7810 (card form factor)
  • ISO/IEC 7816 (contact interface)
  • ISO/IEC 14443 (NFC interface)

Certifications

Chip platform certifications (NXP JCOP 4 on P71D321):

  • Common Criteria EAL 6+ augmented — NSCIB-CC-180212_3
  • FIPS 140-2 Overall Level 3 with Physical Security at Level 4 — NIST CMVP certificate #3746
  • AIS-31 compliant True Random Number Generator (chip-level)

Applet certifications:

  • Hardware Wallet applet — no formal Common Criteria / FIPS certification at the applet level, but the card firmware was independently audited by Cure53 (Berlin, November 2019). Cure53 returned no critical or high findings on the JavaCard applet code and concluded the firmware “mitigates attack classes common to card-based HSMs successfully — side-channels, signature malleability, and nonce reuse.”
  • Cryptnox FIDO2 / U2F applet, shipped with the Hardware Wallet as accessory: FIDO Alliance Certified — FIDO2 v2.1 + CTAP Level 1

Supported elliptic curves (applet-level):

  • Hardware Wallet applet: Secp256k1 (Bitcoin / Koblitz) + NIST P-256 (P-256 r1)
  • Cryptnox FIDO2 / U2F applet: NIST P-256 (P-256 r1) only

Frequently Asked Questions

Which cryptocurrencies does the Cryptnox hardware wallet support?

The Cryptnox hardware wallet card supports a wide range of cryptocurrencies through the free Cryptnox app — Bitcoin, Ethereum and the 1,000+ EVM-compatible tokens and altcoins, Tron (TRX and TRC-20 tokens), and XRP (XRP Ledger). The full list of coins and blockchains pre-programmed in the app is published at cryptnox.com/coin-blockchain-support — additional EVM-compatible networks and tokens can be added manually for advanced users, along with supported custom tokens on Tron and XRP. Through WalletConnect, you can also use the card with DeFi aggregators, DEXs, NFT marketplaces, and bridge aggregators on Ethereum and other EVM-compatible networks supported by the Cryptnox app.

Is this a cold storage wallet?

Yes — it’s a true cold-storage device. Private keys are generated inside the card’s EAL6+ secure element and never leave it. The card only signs transactions when tapped against your phone via NFC; between taps, nothing is online. That’s colder than any USB hardware wallet that plugs into a networked laptop.

Do the cards ship pre-initialized? How do I set them up?

No — the cards always ship blank, for a critical security reason: nobody between the chip foundry and your hands ever sees your seed. You initialize the cards yourself in the Cryptnox app, using one of three methods:

  • Paired dual-card ceremony (recommended for the Dual Card Set): with both cards present, the Cryptnox app guides you through a brief interactive mini-ceremony. The seed is computed inside both secure elements via a three-step ECDH exchange using randomness from the two cards’ on-chip TRNGs, and committed to both cards immediately one after the other — it never exists outside the two secure elements. You get a primary card plus a built-in backup, with no 24-word seed phrase to write down.
  • External seed injection: inject an existing 12/24-word BIP39 seed via the Cryptnox app — useful if you’re migrating from another wallet (Ledger, Trezor, MetaMask, etc.) and want to keep the same seed, or if you want to keep a copy of the seed off-card under your own protection. Both Dual Card Set cards can be loaded with the same injected seed.
  • Single-card random init: a single card initializes itself with a random seed pulled from its on-chip certified TRNG. There is no backup — only suitable for short-term holdings or specific experimental use cases.

For the paired dual-card ceremony and single-card random init, the seed is produced by an on-chip TRNG (true random number generator) that is part of the chip’s Common Criteria EAL6+ certification — every TRNG-generated seed is equally likely, and impossible to predict in advance, even by Cryptnox. External seed injection (Method 2) bypasses the on-chip TRNG and uses a 12/24-word BIP39 seed you supply.

How is the Cryptnox “dual card” different from a single hardware wallet?

The Dual Card Set arrives uninitialized — both cards are blank when you receive them. Once you have the cards in hand, the Cryptnox app guides you through a brief paired-card ceremony where both cards compute the same seed inside their secure elements via a three-step ECDH exchange using randomness from the on-chip TRNGs. The seed is committed to both cards immediately one after the other and never exists outside the two secure elements. The first card is your daily-use card; the second is your built-in backup, stored somewhere safe. If the main card is ever lost or damaged, the backup restores full access instantly — no 24-word seed phrase to write down or protect. Alternatively, both cards can be loaded with a 12/24-word BIP39 seed injected via the Cryptnox app, if you’re migrating from another wallet or want to keep a copy of the seed off-card.

Does the Cryptnox wallet work with MetaMask, Uniswap, and other dApps?

Yes — through two standard integrations depending on the platform:

  • MetaMask browser extension: pair Cryptnox via the QR-based wallet-signing standard. MetaMask handles dApp connection and transaction building in the browser; the Cryptnox card signs each transaction on-device after a phone tap. You keep MetaMask’s familiar dApp UX with hardware-wallet-level security underneath.
  • DeFi platforms (Uniswap, Aave, bridge aggregators, NFT marketplaces, etc.): connect via WalletConnect. The dApp displays a QR code, you scan it in the Cryptnox app, and sign the transaction by tapping your card against your phone.

In both paths, your private keys never leave the card’s secure element.

How do I actually sign a transaction — app, cable, or what?

You install the free Cryptnox app on iOS or Android, connect your hardware wallet card by tapping it against your phone (NFC), and confirm transactions in the app. For desktop browsers, scan a WalletConnect QR code with the app and sign on your phone. For normal mobile use: no USB cables, no batteries, no charging. Optional Cryptnox readers are available for desktop workflows.

What makes Cryptnox unique vs. a Ledger or Trezor seed-phrase wallet?

Three things, all from the paired dual-card ceremony that ships with every Cryptnox Dual Card Set:

  1. The seed is never displayed in the clear — ever. Traditional hardware wallets generate a 12/24-word seed phrase that you must read off the device's screen and write down on paper. That moment, and that piece of paper, is the single biggest attack surface in self-custody (theft, photography, weak storage, social engineering). Cryptnox doesn't have that moment. The seed is computed inside both Secure Elements simultaneously via a three-step ECDH exchange (dual-generation mode) and committed to both cards immediately one after the other. It never appears on any screen, never gets written down, and cannot be seen — not by you, not by Cryptnox, not by anyone, not even briefly. There is nothing to photograph, nothing to memorize, nothing to lose.
  2. Built-in backup, generated atomically with the primary. Instead of "write down a seed phrase and hide it somewhere," you get a second physical card that already holds the same seed. The backup is identical to the primary but you never use it for daily signing — it sits in the NFC-shielded casing alongside the pre-printed Access Card (PIN/PUK) somewhere safe. If you ever lose or damage the primary, the backup restores full access instantly with a single tap.
  3. Fast: under 23 seconds end to end. Tap card 1, tap card 2, ceremony completes — both cards are initialized with matching seeds and ready to use. The Access Card is already factory-printed with your PIN and PUK, so there is no key-ceremony setup overhead. Store the Access Card together with the backup card in the casing, and you're done.

Underneath, the chip is the same Common Criteria EAL6+ class used in electronic passports and national ID cards — a high-assurance secure element with Common Criteria EAL6+ certification. The difference is what Cryptnox does around that chip: it removes the seed-phrase ritual entirely and replaces it with a pair of physical cards that share a never-displayed seed.

For the step-by-step procedure, see the Dual Card setup tutorial.

Can I also use the wallet cards as FIDO2 security keys?

Yes — both wallet cards in the Dual Card Set are dual-tech. Each runs the same FIDO2 2.1 stack as the standalone Cryptnox FIDO2 (non-MIFARE) cards, so either can be registered with any service that supports FIDO2 / WebAuthn as a 2FA or MFA security key, and as a passwordless authenticator on the services that support FIDO2 passwordless (Microsoft Entra, Google, login.gov, AGOV, etc.). This is an accessory feature; the card's primary role is crypto cold storage. If your primary need is MFA / passwordless login rather than crypto custody, consider the standalone Cryptnox FIDO2 cards instead — they’re optimized for that role.

If the Cryptnox mobile app is ever unavailable, can I still access my coins?

Yes. Your funds do not depend on Cryptnox-the-company continuing to ship a mobile app. The card runs standard cryptographic primitives (SLIP-0010 / BIP32 hierarchical key derivation with secp256k1 and secp256R1 / NIST P-256 signing) on a Common Criteria EAL6+ secure element and speaks over standard ISO 7816 contact / ISO 14443 NFC interfaces. There are several escape paths:

  1. Use the free desktop app, or the open-source CLI available on GitHub. The desktop app ships on Windows (Microsoft Store), macOS (Homebrew tap), and Linux (Snapcraft); the cross-platform Cryptnox CLI is open source on GitHub. With your card and the PIN you set at initialization (or the factory PIN printed on your Access Card), you can authenticate to the card and sign transactions from any computer with a smart-card reader — see cryptnox.com/get-software.
  2. Use the open-source primitives directly. The card's protocol is documented in the open-source codebase, so any sufficiently technical user (or a third-party tool you trust) can reproduce the signing flow without depending on Cryptnox software at all.
  3. If you used Method 2 (external seed injection). You initialized the cards with a 12/24-word BIP39 seed of your own. That seed is yours; you can re-import it into any other BIP39-compatible wallet at any time.

How does the open-source CLI authenticate to the card?

The CLI accepts either the card PIN, or a hardware-backed user public key (RSA 2048 or P-256 / NIST) that you have loaded onto the card. With key-based auth, the CLI signs a challenge from the card using a private key held in a Windows TPM (via Windows Hello) or a YubiKey PIV slot (cross-platform: macOS, Windows, and Linux) — no PIN typed on the desktop, two physical factors required for signing.

Between the open-source codebase, the standard cryptography, and (optionally) your own seed phrase, your funds are not locked to a single vendor. The Access Card you receive in the box is the long-term escape hatch: keep it together with the backup card in the NFC-shielded casing and you have everything needed to recover, in any future scenario.

Is the Cryptnox Hardware Wallet FIDO2 certified?

The Hardware Wallet ships with two applets on the same secure-element chip:

  • Cryptnox Hardware Wallet applet (primary, for BIP32 / SLIP-10 key derivation and Bitcoin / Ethereum signing) — no applet-level certification; relies on the chip-platform certifications.
  • Cryptnox FIDO2 applet (shipped as accessory) — FIDO Alliance Certified, FIDO2 v2.1 + CTAP Level 1. The same FIDO2 cert as our standalone FIDO2 cards.

So yes, the Hardware Wallet doubles as a FIDO Certified FIDO2 / WebAuthn security key for logging into Google, Microsoft, GitHub, login.gov, AGOV, SwissID, and any service supporting external FIDO2 keys.

What certifications does the Cryptnox Hardware Wallet carry?

Three layers of certification:

  • Underlying chip platform (NXP JCOP 4 on P71D321): Common Criteria EAL 6+ augmented (NSCIB-CC-180212_3) and FIPS 140-2 Overall Level 3 with Physical Security at Level 4 — NIST CMVP certificate #3746.
  • Cryptnox FIDO2 applet (shipped alongside the wallet applet): FIDO Alliance Certified — FIDO2 v2.1 + CTAP Level 1.
  • Cryptnox Hardware Wallet applet: no applet-level certification — it relies on the chip-platform certifications above for the security guarantees on key material.

Which elliptic curves does the Cryptnox Hardware Wallet support?

The Hardware Wallet applet uses two curves:

  • Secp256k1 (also known as the Koblitz / Bitcoin curve) — the canonical curve for Bitcoin (BTC), Ethereum (ETH and ERC-20 tokens), BNB Chain (BEP-20), Tron (TRX and TRC-20), and most major blockchains.
  • NIST P-256 (P-256 r1) — used for FIDO2 / WebAuthn flows and some smart-card authentication.

Both curves are accelerated on the chip’s ECC coprocessor. The bundled Cryptnox FIDO2 applet additionally uses only NIST P-256 (per the FIDO2 spec).

Select your currency
EUR Euro
CHF Swiss franc
0
    0
    Shopping cart
    Your cart is emptyReturn to Shop
    Continue shopping