All articles

What is FIDO2?

FIDO2 is a collaborative project of FIDO alliance and World Wide Web Consortium’s (W3C).

Building upon the Universal Authentication Framework (UAF) and Universal Second Factor (U2F), FIDO2 aims to provide users with the ability to access online services without requiring user-generated passwords.
 

FIDO2 leverages two vital specifications: Web Authentication (WebAuthn) and Client-to-Authenticator Protocol (CTAP), both working in tandem to enable secure and efficient login authentication.
 

FIDO2 was first implemented in Trezor Model T firmware version 2.1.6.

 
FIDO2 passwordless authentication is only possible with the Trezor Model T

 

 

FIDO2 Credentials and the Trezor Model T 

When you set up your Trezor Model T for passwordless login, a device-resident credential is required to be stored on your device. This credential contains specific information about your account, allowing you to log in without having to manually enter your username.

Device-resident credential management

In the event your Trezor Model T is wiped or lost, your resident credentials would also be lost. This scenario would require you to access your account through conventional authentication methods. However, you can mitigate this risk by backing up your credentials. If your wallet is recovered from your recovery seed or recovery shares, your backed-up credentials can also be restored. It's critical to note that these credentials are tethered to the original seed that generated them, meaning they can't be transferred to a device initialized with a different seed.

 

Before testing this feature, update trezorctl to the latest version:

 

pip3 install --upgrade trezor


There are three commands in trezorctl:

 

trezorctl fido credentials list


This command lists all the credentials stored on the device. Each resident credential will look something like this:

FIDO credential at index 0:

Relying party ID:       example.com
User ID: 3082019330820138a0030201023082019330820138a003020102308201933082 User name: [email protected]
Creation time: 2
hmac-secret enabled: True
Use signature counter: False
Credential ID:f1d00200eb3b566f4ea0a219552b2efd2c76e1ffc2e641d3bf91ec92d47a4ed4d78cf42845248c4e982a503618bac0cecfb0fa91fa10821df1efe1d59ac8314eb57eb7f32a1a605f91e8692daf1a679b55ab1acadfded5e0c7fd1365e2801759bd3a4450dd5589586ab072da79

 

You can make a backup of the credential by copying its Credential ID. This ID is encrypted using your seed. It is therefore useless to any attackers and can be safely stored for example in a text file on your computer. In this list you will only see the credentials which can be used for passwordless login, aka device-resident credentials. Ordinary credentials are stored on the server, so you don't have to worry about backing up those.

 

trezorctl fido credentials add <HEXADECIMAL_CREDENTIAL_ID> 


This command adds the credential with the given ID as a resident credential to your device. This is the command you would use after device recovery to load your backed up credentials onto the recovered device.

For example:
 

trezorctl fido credentials add f1d00200eb3b566f4ea0a219552b2efd2c76e1ffc2e641d3bf91ec92d47a4ed4d78cf42845248c4e982a503618bac0cecfb0fa91fa10821df1efe1d59ac8314eb57eb7f32a1a605f91e8692daf1a679b55ab1acadfded5e0c7fd1365e2801759bd3a4450dd5589586ab072da79

Removing the credential index
trezorctl fido credentials remove -i <CREDENTIAL_INDEX>


This command removes the resident credential at the given index from the device.

For example: 
 

trezorctl fido credentials remove -i 0


See also: 

The FIDO feature page
The Trezor Blog article: Make Passwords a Thing of the Past

a part of SatoshiLabs Group
Products
AppCoins
Learn
Other
Copyright belongs to Trezor company s.r.o. All rights reserved.