Memory-hard KDF
GPU and ASIC-resistant key derivation — brute-forcing your seed phrase is computationally infeasible.
App on Android: Argon2id · 64 MB memory · 3 iterations · parallelism 1.
App on iOS and Recovery Kit (both platforms): PBKDF2-HMAC-SHA512 · 600,000 iterations. iOS has no native Argon2id support, and browsers (WebCrypto API) don't support it either.
The seed phrase's 128-bit entropy makes brute-force infeasible in both cases.
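An added example, not the app's own code: the PBKDF2-HMAC-SHA512 path at the stated 600,000 iterations, with the RFC 8018 chain written out to show that every guess costs 600,000 serial HMAC calls, plus the expected search time over a 128-bit phrase. The sample phrase, the salt, the 32-byte output length, the NFKD normalisation and the attacker guess rate are all assumptions made for illustration.

```python
import hashlib
import hmac
import unicodedata

ITERATIONS = 600_000                 # iteration count stated on the page
KEY_LEN = 32                         # assumption: 256-bit derived key
PHRASE = "constructed sample phrase for this demo only"   # constructed input
SALT = b"constructed-salt"                                # constructed input


def derive_key(seed_phrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA512 via the standard library."""
    # Assumption: NFKD-normalise so every platform hashes identical bytes.
    password = unicodedata.normalize("NFKD", seed_phrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=KEY_LEN)


def pbkdf2_first_block(password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 8018 function F for block 1, spelled out to expose the HMAC chain."""
    keyed = hmac.new(password, digestmod=hashlib.sha512)

    def prf(msg: bytes) -> bytes:
        h = keyed.copy()
        h.update(msg)
        return h.digest()

    u = prf(salt + (1).to_bytes(4, "big"))      # U_1 = PRF(P, S || INT(1))
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):             # U_i needs U_(i-1): serial per guess
        u = prf(u)
        t ^= int.from_bytes(u, "big")           # T_1 = U_1 xor U_2 xor ... xor U_c
    return t.to_bytes(64, "big")


def years_to_search(entropy_bits: int, guesses_per_second: float) -> float:
    """Expected time to find the phrase: half the keyspace, one KDF run per guess."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(derive_key(PHRASE, SALT).hex())
    # 1e12 guesses/s is a hypothetical attacker rate, chosen to be generous.
    print(f"{years_to_search(128, 1e12):.2e} years")
```

PBKDF2 raises only the time cost of each guess; the memory cost comes from the Argon2id path, which this example does not cover.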