When you order a 2-factor item from me, you’re protecting it with a passphrase. The 2-factor system ensures that nobody (not even me) can redeem the value from the item unless they have the passphrase. That begs the question: how can I (as Casascius) create a 2-factor item for you (as the buyer) if I don’t know the passphrase?
The short answer: there is a way to do it, and it involves converting your passphrase to an “intermediate code”. The long technical answer is explained in BIP38.
The Intermediate Code preserves enough information about the passphrase to be able to create a public key and 2-factor bitcoin address from it, but not the private key.
I know of three ways to create an intermediate code:
1. At the website http://bit2factor.org. This is a web-based intermediate code generator. It will work on any computer, and I recommend using the Chrome browser as it is CPU-intensive. (It probably will not work on a mobile device, sorry)
2. Using Casascius Bitcoin Address Utility. This program is for Windows, but will also run on Mac/Linux using Mono (since it’s not a true x86 program, but rather, an application written with C#/.NET). Source can be found at https://github.com/casascius/Bitcoin-Address-Utility and binaries can be downloaded at https://casascius.com/btcaddress.zip.
3. Using an iPhone app I wrote, whose source code I have released, but I have not put the app in the App Store. This app is called PaperTool and can be found at https://github.com/casascius/PaperTool – if you can compile it.
Here is an example of what an intermediate code looks like:
passphraseojqQBUQkNdma7JJbZ6ptAxdECZ4smJxjV3RV9NLAkQKmSpR6SwVJnqwFvmRZU2
Any time I send out a 2-factor product, I also include a confirmation code. This is a code that allows the Intermediate Code generator utility to mathematically confirm that the Bitcoin address I’ve asked you to fund is one that actually is protected by your passphrase. The confirmation code allows the utility to validate the correctness of both the passphrase and the Bitcoin address, but does not allow access to the private key or the spending of funds. You should always check the confirmation code – it also serves as verification that you have the correct passphrase to decrypt the item when the time comes.
In addition to the confirmation code, I typically send out one or more unused empty private keys that are encrypted with the same passphrase. You can use them to become better acquainted with the 2-factor system without ripping open your Casascius item. For example, you could send 0.01 BTC to one of the extra keys, and then test your ability to decrypt and redeem it.
Once you feel comfortable with the 2-factor system, check out my post on how to choose the best passphrase for a 2-factor Casascius item that you may later want to resell: https://casascius.wordpress.com/2013/05/16/suggestions-for-choosing-the-passphrase-for-your-two-factor-item/
casascius 
Doesn’t this mean that, having ordered one of these coins, if I was to give the coin to someone else, I also need to provide them with the password? Doesn’t that rather defeat the purpose of having a coin? Sorry if I haven’t followed how this works properly!
Ben
Yes, so choose a password they won’t think is weird, and that you don’t use anywhere else.
The whole point of the password is to protect the coin from me the maker – it doesn’t so much matter who else sees it.
Thanks, Mike. I’m not sure it’s a good solution, unless one intends to use the coin only as an offline wallet. A coin that was in actual circulation would I imagine be prone to people forgetting the password as it changed hands… and each would need to record the password as an association with the specific coin in question. Probably not very practical, and rather defeats the originally envisaged purpose. What if you used a simple 5-digit pin instead, and printed that on the coin itself, along with the coin identifier?
That’s the most typical usage anyway. I don’t 2-factor 1BTC coins, but I do for the larger value items, as well as the savings bar.
Sorry – it would need to be put on the coin by the buyer of course.