FIDO2 is a joint initiative of the FIDO Alliance and the World Wide Web Consortium (W3C). Expanding on the Universal Authentication Framework (UAF) and Universal Second Factor (U2F), FIDO2 aims to enable access to online services entirely without user-generated passwords.
FIDO2 incorporates the Web Authentication (WebAuthn) and Client-to-Authenticator Protocol (CTAP) specifications to enable secure login authentication.
Within the Trezor ecosystem, FIDO2 was first implemented in Trezor Model T firmware version 2.1.6.
When you register your Model T for passwordless login, a device-resident credential (a discoverable credential, in WebAuthn terms) is stored on the device itself. The credential carries the account information the site needs (the relying party and user identifiers), so you can log in without typing a username.
If your Trezor is wiped or lost, these credentials are lost with it and you have to log in to the affected accounts with traditional authentication. You can, however, back the credentials up: once you have recovered your wallet from your recovery seed or recovery shares, you can reload them onto the device. Bear in mind that the credentials are bound to the seed with which they were created; they cannot be transferred to a device initialized with a different seed.
Before testing this feature, update trezorctl to the latest version:
There are three new commands in trezorctl:
This command lists all resident credentials stored on the device. Each one is printed as a block like this:
FIDO credential at index 0:
You can back up a credential by copying its Credential ID. The ID is encrypted with a key derived from your seed, so on its own it is useless to an attacker: without the seed it can be neither decrypted nor used to log in, and it can safely be stored, for example, in a text file on your computer. This list shows only the credentials usable for passwordless login, that is, device-resident credentials. Ordinary (non-resident) credentials do not need to be backed up: the server stores their credential ID and the device re-derives the key from that ID and the seed on every login, so they survive a recovery from seed by themselves.
<HEXADECIMAL_CREDENTIAL_ID>
For example:
Removing a credential by index
This command removes the resident credential at the given index from the device. Back up its Credential ID first if you might want it again: once removed, the only way to get the credential back is to reload it from that ID; otherwise you have to log in to that service with traditional authentication and register the Trezor anew.
For example:
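The backup and restore procedure described above, as an added helper script that is not part of the original page or of Trezor's own tooling. It wraps the trezorctl subcommands `trezorctl fido credentials list` and `trezorctl fido credentials add <HEXADECIMAL_CREDENTIAL_ID>` (the subcommand names are those of trezorctl's `fido credentials` group; confirm them with `trezorctl fido credentials --help` on your version), assumes the list output carries one `Credential ID:` line per resident credential, and includes a constructed sample of that output so the parsing and validation can be exercised without a device. The function names, the sample field values and the shortened hex IDs are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not Trezor's tooling): back up and restore resident FIDO2
# credentials through trezorctl. Assumptions, labelled where they apply:
#   - `trezorctl fido credentials list` prints a "Credential ID: <hex>" line
#     for every resident credential, and `trezorctl fido credentials add <hex>`
#     reloads one (confirm with `trezorctl fido credentials --help`).
#   - The device is connected and trezorctl is on PATH for backup/restore.

# Pull the hex Credential ID out of each "Credential ID:" line on stdin.
extract_credential_ids() {
    sed -n 's/^[[:space:]]*Credential ID:[[:space:]]*\([0-9A-Fa-f]*\)[[:space:]]*$/\1/p'
}

# Reject anything that is not a non-empty, even-length hex string, so a
# corrupted or hand-edited backup line is caught before it reaches the device.
validate_credential_ids() {
    while IFS= read -r id; do
        case "$id" in
            ""|*[!0-9A-Fa-f]*) printf 'invalid credential id: %s\n' "$id" >&2; return 1 ;;
        esac
        [ $(( ${#id} % 2 )) -eq 0 ] || { printf 'odd-length credential id: %s\n' "$id" >&2; return 1; }
    done
}

# backup FILE: write the IDs of all resident credentials to FILE, one per line.
backup_credentials() {
    trezorctl fido credentials list | extract_credential_ids > "$1" || return 1
    # POSIX sh has no pipefail, so an empty file is the sign that trezorctl
    # failed or that there was nothing resident to back up.
    [ -s "$1" ] || { printf 'no resident credentials found (or trezorctl failed)\n' >&2; return 1; }
    validate_credential_ids < "$1" || return 1
    printf 'backed up %s credential(s) to %s\n' "$(wc -l < "$1" | tr -d ' ')" "$1"
}

# restore FILE: after recovering the SAME seed on a device, load each ID back.
# IDs are bound to the seed, so this does nothing useful on a differently
# seeded device.
restore_credentials() {
    validate_credential_ids < "$1" || return 1
    while IFS= read -r id; do
        trezorctl fido credentials add "$id"
    done < "$1"
}

# Constructed sample of `trezorctl fido credentials list` output, following the
# "FIDO credential at index N:" template on this page; the field names, values
# and the (shortened) hex IDs are made up for the demonstration.
SAMPLE_LIST_OUTPUT='
FIDO credential at index 0:
  Relying party ID:       example.com
  User name:              alice
  Credential ID:          f1f2f3f4a5a6a7a8b9babbbccdcecfd0
FIDO credential at index 1:
  Relying party ID:       login.example.org
  User name:              alice
  Credential ID:          0123456789abcdef0123456789abcdef0123456789abcdef'

# Run the parser over the constructed sample (no device needed).
demo_extract() {
    printf '%s\n' "$SAMPLE_LIST_OUTPUT" | extract_credential_ids
}

case "${1:-}" in
    backup)  backup_credentials "${2:?usage: $0 backup FILE}" ;;
    restore) restore_credentials "${2:?usage: $0 restore FILE}" ;;
    demo)    demo_extract ;;
    "")      ;;
    *)       printf 'usage: %s backup FILE | restore FILE | demo\n' "$0" >&2 ;;
esac
```

Run `sh fido-backup.sh backup creds.txt` with the device connected before wiping it, and `sh fido-backup.sh restore creds.txt` after recovering the same seed; `sh fido-backup.sh demo` only exercises the parser on the constructed sample. The validation step exists because `trezorctl fido credentials add` is handed raw hex, and a truncated or whitespace-damaged line in the backup file is easier to diagnose here than as an error from the device.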
See also:
The FIDO feature page
The Trezor Blog article: Make Passwords a Thing of the Past