Assets still not secured while using trezor

so i use my trezor, it's connected to a metamask on my pc (via connect hardware wallet option)
while using pc its fine it asks a confirmation on the trezor for every transaction.
(they are currently having the same 12 word seed phrase, then i have another 24 seed phrase on the trezor setup)

but i tried setting up my metamask(hot wallet) on my phone (same metamask configured on my pc)
and i tried sending my assets out to another metamask and i can successfully send it without the confirmation on my trezor…

so what is the use of the trezor if i just need the seed phrase of my metamask(hot wallet) if I can successfully send assets to another wallet on my phone without the confirmation from trezor?

by the way the assets i am pertaining to is my coins for a p2e game.

1 Like

Hei @IvanPogiDinglas

As I don’t really understand how you were able to send without confirming on the device (@MichalZ is this possible?), my guess is - not correctly configured.

how did you set up your MM hot wallet?
Did you import your seed on your MMask wallet on your phone?

1 Like

@IvanPogiDinglas the only possibility is that you loaded MM seed onto Trezor.

Which means they became the same wallet… otherwise, not possible. You are saying those two accounts have the same seed, so that is most likely what happened.

2 Likes

okay so to clear everything and to ensure we are on the same page.

while using metamask on PC, every transaction i need to click the confirmation on trezor.

now i switched to mobile…
i input the 24 seed phrase of trezor…
for any transaction there is no need for a confirmation on my trezor…
why is that?

follow up question::::
i was thinking you can only be hacked if the other person knew your 24 seed(trezor) and input it on their trezor…
so yeah…

What you have to do is sync the wallet on your pc with your mobile metamask.

Every time you input your recovery seed on a wallet, you are creating a new wallet with that seed. If that wallet is not connected/paired with a Trezor, then you won’t be asked to confirm on device.

The way it works is if any person gets your recovery seed and there is no passphrase associated, that person can restore your funds on any wallet let it be cold or hot wallet.
If there is a passphrase created for that recovery seed, this passphrase behaves as a 25th word, so the hacker would need to input all 24 recovery seed words plus the phrase you created.

So security wise your recovery seed should be locked away in a secure place, out of anything that is connected to the internet.
Use your trezor to validate your transactions.
If your trezor is compromised you can always use the recovery seed to restore your funds on a new wallet.

1 Like

how do i configure the 25th word? cause i only have 24 words on my seed written on my notes.

Ok @IvanPogiDinglas

you don’t.

You add a passphrase and this acts as a 25th word.
For that you need to create a hidden wallet on your trezor suite.

check these links:

Use a passphrase

Security best practises

Hope this helps :crossed_fingers: :four_leaf_clover:

1 Like

okay thanks before i check the links you provided…
the metamask app on phone only allows 12,15,18,21 or 24 words.
not allowed for 25

so we can only add our trezor account to metamask app on phone by sync only.

okay last one and thanks for your help.

i have my 24 seed then i have a hidden wallet configured.

sample my hidden wallet passphrase is…
ivan jerome

so the 25th word will be the ivan right? or it can be any other word like jerome as long as its listed on the hidden wallet phrase

no, your 25th word will be ivan jerome. be very careful as there are no wrong passphrases. Any misspelling or mistyping is not considered wrong

if you input a wrong character, what will happen is you will be redirected to a different wallet, different path, and it won't show your funds

pay a lot of attention when entering your phrase, because if you define/write on paper ivan jerome as your phrase and input on trezor suite these examples: ivan / Ivan jerome / Ivan Jerome, this is different from what you wrote down and will be accepted.

Test all these settings with minimal funds on the wallet

:facepunch: :muscle:

1 Like

thank you @forgi and @rimaS looks like i need to transfer all my assets first to a cold wallet. then reconfigure everything on the trezor to make sure i have it all correctly.

its been a long discussion but it was very helpful.