Trezor Safe device authentication check

The Trezor Safe 3 and Safe 5 each include a Secure Element chip that helps protect your wallet and verify your device's authenticity.

Trezor Safe 7 builds on this design with three hardware layers of security: TROPIC01 and OPTIGA Trust M (the two secure elements), and the STM32U5, a hardened security MCU, which coordinates verification between them. Learn more in our article How Trezor Safe 7's three hardware layers protect your wallet.

How does device authentication work?

During the manufacturing process of the Trezor Safe hardware wallets, a unique certificate is issued to each new device before it leaves the production line.

The device certificate is securely stored inside the Secure Element on Trezor Safe 3 and Trezor Safe 5. On Trezor Safe 7, both secure elements (TROPIC01 and OPTIGA Trust M) participate in the authentication process, with the main microcontroller coordinating verification and checking the signed responses against SatoshiLabs' public keys.

When setting up your device:

  1. Trezor Suite generates a random challenge, which is then sent to the Trezor.
  2. The Trezor Safe 3 and Trezor Safe 5 use the OPTIGA Secure Element to sign this random challenge and return both the signature and the device certificate. On Trezor Safe 7, the TROPIC01 Secure Element also participates in this verification process, adding an independently auditable step.
  3. Trezor Suite verifies the signatures of the challenge and the signature on the certificate to confirm the authenticity of the device.

This process helps to verify the authenticity of your brand-new Trezor Safe 3 or Safe 5 and makes it significantly harder to tamper with. We’ve introduced this feature to ensure you are using a genuine device, safeguarding your coins and tokens.
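The three setup steps above as a simplified model, added here as an example and not Trezor Suite or firmware code. It assumes a constructed manufacturer key that signs each device's public key in place of the real certificate format, and all function names are hypothetical. It also shows why the challenge is random: a recorded response fails against a new challenge.

```javascript
// Simplified model of the three setup steps; not Trezor Suite's code or wire format.
const crypto = require('node:crypto');

const newKeyPair = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Factory step (assumed form): the manufacturer CA signs the device's public key.
function provisionDevice(caPrivateKey) {
  const { publicKey, privateKey } = newKeyPair();
  const devicePublicKey = publicKey.export({ type: 'spki', format: 'der' });
  const caSignature = crypto.sign('sha256', devicePublicKey, caPrivateKey);
  return { privateKey, certificate: { devicePublicKey, caSignature } };
}

// Step 1 (host): a fresh random challenge for every check.
const newChallenge = () => crypto.randomBytes(32);

// Step 2 (device): sign the challenge, return the signature plus the certificate.
function deviceRespond(device, challenge) {
  return {
    signature: crypto.sign('sha256', challenge, device.privateKey),
    certificate: device.certificate,
  };
}

// Step 3 (host): check the certificate signature first, then the challenge signature.
function verifyDevice(caPublicKey, challenge, response) {
  const { devicePublicKey, caSignature } = response.certificate;
  if (!crypto.verify('sha256', devicePublicKey, caPublicKey, caSignature)) {
    return 'certificate not signed by manufacturer';
  }
  const deviceKey = crypto.createPublicKey({ key: devicePublicKey, format: 'der', type: 'spki' });
  if (!crypto.verify('sha256', challenge, deviceKey, response.signature)) {
    return 'challenge signature invalid';
  }
  return 'authentic';
}

// Constructed scenario: a genuine device, a device certified by another key, a replay.
function demo() {
  const manufacturer = newKeyPair();
  const genuine = provisionDevice(manufacturer.privateKey);
  const other = provisionDevice(newKeyPair().privateKey);
  const first = newChallenge();
  const second = newChallenge();
  const recorded = deviceRespond(genuine, first);
  return {
    genuine: verifyDevice(manufacturer.publicKey, first, recorded),
    unofficial: verifyDevice(manufacturer.publicKey, first, deviceRespond(other, first)),
    replay: verifyDevice(manufacturer.publicKey, second, recorded),
  };
}
```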

Trezor Safe 7 performs the same authenticity check across its three chips: TROPIC01 and OPTIGA Trust M (the secure elements), plus the main microcontroller, which verifies their signed responses against SatoshiLabs' public keys.

Learn more in Dual Secure Elements in Trezor Safe 7.

Is device authentication mandatory?

If you only use Trezor Suite with official Trezor devices, do not turn off this check. This feature is a security measure designed to protect you from using a fake or compromised device.

Users may opt out of the device authentication process, but we strongly advise against it.

The authenticity check should only be disabled if you need to connect unofficial devices to Trezor Suite, such as DIY builds.

If you’re absolutely sure you want to turn off the Device Check feature, you can do so in the Settings menu in Trezor Suite.

Are there any privacy concerns associated with device authentication?

No. The device certificate is neither tracked nor stored anywhere. It is checked only by Trezor Suite and then immediately discarded. It is not sent anywhere, meaning your privacy is always preserved.
