Building upon the Universal Authentication Framework (UAF) and Universal Second Factor (U2F), FIDO2 aims to provide users with the ability to access online services without requiring user-generated passwords.
FIDO2 leverages two vital specifications: Web Authentication (WebAuthn) and Client-to-Authenticator Protocol (CTAP), both working in tandem to enable secure and efficient login authentication.
When you set up your Trezor Model T or Trezor Safe 3 for passwordless login, a device-resident credential is stored on your Trezor. This credential contains specific information about your account, allowing you to log in without having to manually enter your username and password.
In the event your Trezor is wiped or lost, your resident credentials would also be lost. In such a case, you would have to access your account through conventional authentication methods. However, you can mitigate this risk by backing up your credentials. If your wallet is recovered from your recovery seed or recovery shares, your backed-up credentials can also be restored. It's critical to note that these credentials are tethered to the original seed that generated them, meaning they can't be transferred to a device set up with a different seed.
Before testing this feature, update trezorctl to the latest version:
There are three commands in trezorctl:
This command lists all the credentials stored on the device. Each resident credential will look something like this:
FIDO credential at index 0:
You can make a backup of the credential by copying its Credential ID. This ID is encrypted using your seed. It is therefore useless to any attackers and can be safely stored e.g. as a text file on your computer. In this list you will only see the credentials which can be used for passwordless login, i.e., device-resident credentials. Ordinary credentials are stored on the server, so you don't have to worry about backing them up.
The following command adds the credential with the given ID as a resident credential to your device:
To remove the credential index:
This command removes the resident credential at the given index from the device.