Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication (2FA) by using specialized USB or NFC devices based on security technology similar to that found in smart cards. While initially developed by Google and Yubico, with a contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance. The security properties of asymmetric cryptography fit Trezor's security philosophy. With U2F support in Trezor, it is possible to secure accounts and identities online.
While a backup is theoretically easier, it is not possible for all U2F keys. Because U2F uses no shared secret and the provider stores no confidential database, an attacker cannot simply steal an entire database to gain access. Instead, the attacker has to target individual users, which is much more costly and time-consuming. Moreover, it is possible to back up a secret (private key).
When logging into a website, the user generally authenticates by providing a username and a password. With Trezor and U2F, the user additionally has to confirm the login with a click of the button on the Trezor device.
Trezor always uses a unique signature for each and every user account registered.
To boost your online security, Trezor can serve as a hardware security token for U2F, but with backup/recovery functions and convenience. You can start using Trezor as your second-factor authentication token with services such as Google, GitHub or Dropbox. A further advantage of Trezor is that its users can truly verify what they are about to authorize on the device display.
In this short tutorial, we will show you how to enable Two-Factor Authentication on a Google account and register a Trezor device as a U2F authentication token.
1. Visit Google.com and sign in to your account
2. Access the "Security" settings and enable "2-Step Verification"
After accessing your Google account, navigate to the security settings on the left of the page. You will see an option to enable 2-Step Verification. When this feature is enabled, your Google account requires a second verification in addition to your standard password.
Restoring a seed on another Trezor (see the dedicated recovery pages for the Trezor Model One and Trezor Model T) restores all the U2F keys too, since they are derived from one master key. Due to the design of U2F, some services might implement a counter that records the number of sign-ins. However, if you have firmware version 1.4.2 or higher, the U2F counter is restored automatically.
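The following added example (not Trezor's or any service's own code) models why the counter matters after a restore: a service that tracks the sign-in counter rejects a restored token whose counter restarts from zero and accepts one whose counter was carried over. The HMAC-based `derive_account_secret`, the `Token` and `RelyingParty` classes, and the seed value are assumptions made for illustration; signature verification is left out.

```python
import hashlib
import hmac
import struct

def derive_account_secret(master_seed: bytes, app_id: str) -> bytes:
    """Illustrative per-service derivation (assumption, not Trezor's scheme)."""
    app_param = hashlib.sha256(app_id.encode()).digest()
    return hmac.new(master_seed, app_param, hashlib.sha256).digest()

class Token:
    """Simplified token: a seed plus a sign-in counter."""
    def __init__(self, master_seed: bytes, counter: int = 0):
        self.master_seed = master_seed
        self.counter = counter

    def sign_in(self) -> bytes:
        self.counter += 1
        # Start of a U2F authentication response: user-presence byte, then a
        # 32-bit big-endian counter. The ECDSA signature that follows is omitted.
        return struct.pack(">BI", 0x01, self.counter)

class RelyingParty:
    """Service side: remembers the highest counter seen per account."""
    def __init__(self):
        self.last_counter = {}

    def check(self, account: str, response: bytes) -> str:
        presence, counter = struct.unpack(">BI", response[:5])
        if not presence & 0x01:
            return "rejected: no user presence"
        if counter <= self.last_counter.get(account, 0):
            return "rejected: counter did not increase"
        self.last_counter[account] = counter
        return "accepted"

def demo() -> list:
    seed = b"constructed seed, for illustration only"
    rp = RelyingParty()
    original = Token(seed)
    results = [rp.check("alice", original.sign_in()) for _ in range(3)]
    # Seed restored on a second device, counter starting again from zero.
    results.append(rp.check("alice", Token(seed).sign_in()))
    # Seed restored with the counter carried over from the original device.
    results.append(rp.check("alice", Token(seed, original.counter).sign_in()))
    return results

if __name__ == "__main__":
    print(demo())
```

A service that sees a non-increasing counter cannot tell a restored backup from a cloned token, which is why a restored device needs a counter at least as high as the last value the service recorded.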
1. Open up the sudo configuration file:
2. Add this at the end of the file:
Test your configuration by opening up another terminal window and running a sudo command. If these things are done correctly, you will be asked for your password and then prompted to “Please touch the device.” Your Trezor device will also be prompting you to authorize the request. Congratulations, your system now requires your Trezor to run sudo.