How wallets are secured

Your Phantom wallet is secured by your recovery method: the credentials that prove ownership and let you restore access if you lose your device. Because Phantom is self-custodial, protecting those credentials is your responsibility.

Public and private keys

Every wallet uses a public and private key pair. Your public key is your wallet address. It's visible on the blockchain and safe to share. Your private key authorizes transactions and proves ownership of your funds. It should never be shared.

Deriving a private key from a public address is practically impossible, so your funds remain secure even though your address is public.

Wallets created with a Secret Recovery Phrase

A Secret Recovery Phrase is a unique sequence of 12 or 24 words that is the root from which all your private keys are derived. One phrase generates every private key across every account in your wallet. It cannot be changed. If you lose it, access to your wallet cannot be restored. Anyone who has it can regenerate every private key and has full control of your wallet. Never share it with anyone, including Phantom Support, and only enter it when restoring a wallet.

Wallets created with a Google or Apple account

You can create a wallet with a Google or Apple account, secured with a four-digit PIN. To restore access, you need both your account and your PIN. Neither one alone is enough.

This wallet also has a Secret Recovery Phrase you can export as an additional backup. Just like a recovery phrase wallet, your private keys are derived from this phrase, which means exporting and storing it offline gives you a portable backup that works in any compatible wallet app. Never share your PIN or recovery phrase with anyone, including Phantom Support.
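The idea that one phrase is the root of every account's private key, and that an exported phrase works in any compatible wallet app, can be seen in a short derivation sketch. This is an added example, not Phantom's code. It assumes the widely used BIP-39 and SLIP-0010 (ed25519) standards and the path m/44'/501'/account'/0', none of which this article states. It also skips BIP-39 word-list and checksum validation.

```python
import hashlib
import hmac
import struct
import unicodedata

HARDENED = 0x80000000  # SLIP-0010 ed25519 only allows hardened child indexes

# Public BIP-39 test phrase, used here as sample input. Never hold funds with it.
TEST_PHRASE = " ".join(["abandon"] * 11 + ["about"])


def phrase_to_seed(phrase: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the phrase into a 64-byte seed with PBKDF2-HMAC-SHA512."""
    words = unicodedata.normalize("NFKD", " ".join(phrase.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)


def derive_private_key(seed: bytes, path: tuple) -> bytes:
    """SLIP-0010 (ed25519): walk the path, one HMAC-SHA512 per level."""
    digest = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    for index in path:
        data = b"\x00" + key + struct.pack(">I", index | HARDENED)
        digest = hmac.new(chain_code, data, hashlib.sha512).digest()
        key, chain_code = digest[:32], digest[32:]
    return key


def account_key(phrase: str, account: int) -> bytes:
    """Private key for one account. The path layout is an assumption."""
    return derive_private_key(phrase_to_seed(phrase), (44, 501, account, 0))


def fingerprint(key: bytes) -> str:
    """Short hash for display, so raw key material is never printed."""
    return hashlib.sha256(key).hexdigest()[:16]


if __name__ == "__main__":
    # Same phrase, different account index: a different key each time,
    # and the same key again on any device that repeats the derivation.
    for account in range(3):
        print(account, fingerprint(account_key(TEST_PHRASE, account)))
```

Because every step is deterministic, there is no per-account secret to back up separately, and anyone who learns the phrase can repeat the same steps for every account.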

Device-level protections

On mobile, your wallet is protected by your device's authentication, such as Face ID or fingerprint. In the browser extension, it's protected by a password. These protect access on your current device but do not replace your recovery method.

Built-in protections

Phantom includes features designed to reduce common security risks:

  • Transaction previews show what you're about to sign and flag suspicious activity before you approve it.
  • Scam and spam protection lets you report, hide, or burn unwanted tokens and NFTs.
  • A blocklist warns you before interacting with known malicious sites and domains.

These features help reduce risk but don't replace careful review of every site, signature request, and transaction.
