In an article from the Trezor team you guys state, “if somebody compromised your physical copy of the recovery seed, they still would not be able to access your passphrase protected wallet unless they knew the passphrase.”
You guys also state “Passphrases serve as a function of second-factor protection of the recovery seed and are an ultimate protection against attacks involving physical access to the device or the recovery seed.”
However, I just did a test of my own on my end and I did not find this to be the case. The steps I took were the following:
- I opened up a new Trezor Wallet and wrote down my recovery seed phrase
- I created a new Trezor Wallet with no passphrase
- I created a new Trezor Wallet with a passphrase
I then did the following:
- Logged onto a new computer, opened up MetaMask and imported the recovery seed phrase that I mentioned earlier
- Without any further steps, I was then able to transfer ETH from both Trezor accounts that I mentioned earlier - both the account that had no passphrase and the account that did have a passphrase. I was not required to sign anything nor was I required to enter a passphrase.
You guys claim that if someone gets access to the recovery phrase, they would not be able to hack you unless they also got access to the passphrase. However, with the test example I did above, all that was needed was the seed phrase to gain full control of the account.
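For readers checking what the passphrase is supposed to do, here is an added example (not code from the post or from Trezor) of the BIP39 and BIP32 derivation steps a hardware wallet performs: the passphrase is mixed into the PBKDF2 salt, so the same mnemonic with and without a passphrase yields different seeds and therefore different master keys, and a tool that is handed only the mnemonic can only reach the no-passphrase wallet. The mnemonic is the standard all-"abandon" BIP39 test phrase and the passphrase is a constructed value.

```python
import hashlib
import hmac
import unicodedata
from typing import Tuple

# Constructed input: the standard all-"abandon" BIP39 English test phrase.
MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the mnemonic, salted with
    "mnemonic" + passphrase, 2048 rounds, 64-byte output.
    Both strings are NFKD-normalised first, as the spec requires.
    An empty passphrase is exactly the 'no passphrase' wallet."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with "Bitcoin seed".
    Left 32 bytes are the master private key, right 32 the chain code.
    Every derived account (e.g. the ETH path m/44'/60'/0'/0/i) descends from it,
    so a different seed here means a disjoint set of addresses."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def compare_wallets(mnemonic: str, passphrase: str) -> dict:
    """Derive the no-passphrase wallet and the passphrase wallet from one
    mnemonic and report whether they share a master private key."""
    seed_plain = bip39_seed(mnemonic)
    seed_pass = bip39_seed(mnemonic, passphrase)
    key_plain, _ = bip32_master_key(seed_plain)
    key_pass, _ = bip32_master_key(seed_pass)
    return {
        "seed_plain": seed_plain.hex(),
        "seed_pass": seed_pass.hex(),
        "same_master_key": key_plain == key_pass,
    }


if __name__ == "__main__":
    result = compare_wallets(MNEMONIC, "constructed-passphrase")
    print("no-passphrase seed:", result["seed_plain"][:32], "...")
    print("passphrase seed:   ", result["seed_pass"][:32], "...")
    print("same master key:   ", result["same_master_key"])
```

If an import of the bare mnemonic into a software wallet reaches the funds of a "passphrase" account, the relevant check is whether that account was actually created with a non-empty passphrase: with an empty passphrase the derivation above collapses to the no-passphrase wallet.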