Can using a Trezor-T containing crypto for FIDO2 auth reveal balances?

Is it safe to use my Trezor-T as a FIDO2 device if it also holds crypto in that same seed phrase? I already know that I could create a hidden wallet, which would be a separate public key, so that is not my question.

Lately, I have decided to use my Trezor-T for both FIDO2 authentication of sites, as well as holding my crypto balances. However, I was wondering if that is safe, since registration of the Trezor-T device for FIDO2 authentication requires that I provide the public key to each site.

It was my understanding that providing a public key would allow that site to see all my crypto balances and transactions. Is this true?


A Trezor does not have a single “public key” that shows you everything.

Furthermore, the FIDO2 standard itself is clever. You have a unique public key per website, so when using FIDO2, you can’t be tracked across sites. (This is true for Trezor and for every other FIDO2 compliant key too.)

The seed phrase (plus passphrase) is not a “private key” either, because you can’t sign or encrypt anything with it. It is just a “secret” – some material that is used to derive the actual private and public keys that you need.

Trezor can derive an almost unlimited supply of private/public key pairs that cannot be linked to each other. In fact, every Bitcoin address is its own public/private key pair.
What you need to see your balance for an account is an XPUB, or “extended” public key, which lets a wallet calculate all the subordinate public keys.

However, note that a Bitcoin XPUB is specific to one account, and it’s not possible to make an “xpub” that would show all your accounts at the same time. You would need to reveal the XPUB for every account.

(It’s somewhat different with Ethereum. Due to what are essentially historical reasons, you have a single XPUB that will reveal all your Ethereum addresses.)

…in any case, public keys and xpubs for your cryptocurrencies are completely distinct from your FIDO2 public keys, and it is impossible to link any of them to one another.
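As an added illustration (my own code, not the poster's and not Trezor's firmware), here is a minimal BIP32 implementation in Python that shows what the answer above describes: one seed, an almost unlimited tree of key pairs, an xpub that lets a watch-only wallet compute every non-hardened child public key below it, and hardened branches (the `'` in `m/44'/0'/0'`) that no xpub can reach, which is why an account xpub reveals only that account. The seed is the seed from BIP32 test vector 1 (a constructed input; a real device derives it from the recovery words), the account paths follow BIP44, and `reachable_from_xpub` is my own helper. It does not reproduce how Trezor derives its FIDO2 credential keys; the point is only that a public key on a separate hardened branch cannot be computed from any cryptocurrency xpub.

```python
import hashlib
import hmac

# secp256k1 domain parameters: field prime, group order, generator point
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # BIP32 hardened-index flag (the ' in m/44'/0'/0')


def ec_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point=G):
    """Double-and-add scalar multiplication (not constant-time: demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def compress(point):
    """33-byte SEC1 compressed encoding of a public key."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def master_from_seed(seed):
    """BIP32 master private key and chain code: HMAC-SHA512 keyed with 'Bitcoin seed'."""
    d = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(d[:32], "big"), d[32:]


def ckd_priv(k_par, c_par, i):
    """CKDpriv: child private key from a parent private key (any index)."""
    if i >= HARDENED:  # hardened: mixes in the parent *private* key
        data = b"\x00" + k_par.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:              # normal: mixes in only the parent public key
        data = compress(ec_mul(k_par)) + i.to_bytes(4, "big")
    d = hmac.new(c_par, data, hashlib.sha512).digest()
    return (int.from_bytes(d[:32], "big") + k_par) % N, d[32:]


def ckd_pub(K_par, c_par, i):
    """CKDpub: child public key from an xpub alone; impossible for hardened indexes."""
    if i >= HARDENED:
        raise ValueError("hardened child cannot be derived from an xpub")
    data = compress(K_par) + i.to_bytes(4, "big")
    d = hmac.new(c_par, data, hashlib.sha512).digest()
    return ec_add(ec_mul(int.from_bytes(d[:32], "big")), K_par), d[32:]


def derive_priv(seed, path):
    k, c = master_from_seed(seed)
    for i in path:
        k, c = ckd_priv(k, c, i)
    return k, c


def xpub_at(seed, path):
    """What the device exports as the extended public key for `path`."""
    k, c = derive_priv(seed, path)
    return ec_mul(k), c


def btc_account_path(account):
    """BIP44 Bitcoin account node m/44'/0'/account' (all hardened)."""
    return [44 | HARDENED, 0 | HARDENED, account | HARDENED]


def pubkeys_from_xpub(K, c, count, chain=0):
    """All an xpub holder can do: walk the non-hardened keys chain/0..count-1 below it."""
    K_chain, c_chain = ckd_pub(K, c, chain)
    return [compress(ckd_pub(K_chain, c_chain, i)[0]).hex() for i in range(count)]


def pubkeys_from_seed(seed, account, count, chain=0):
    """The same keys, as the seed holder derives them."""
    return [compress(ec_mul(derive_priv(seed, btc_account_path(account) + [chain, i])[0])).hex()
            for i in range(count)]


def reachable_from_xpub(K, c, rel_path):
    """True if `rel_path` below this xpub can be derived without the private key (my helper)."""
    try:
        for i in rel_path:
            K, c = ckd_pub(K, c, i)
        return True
    except ValueError:
        return False


# Constructed input: the seed from BIP32 test vector 1 (a real device derives it from the words).
SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
```

Running `pubkeys_from_xpub` on the account-0 xpub yields exactly the keys the seed holder gets from `pubkeys_from_seed(SEED, 0, ...)`, while `reachable_from_xpub` returns False for any hardened step such as a sibling account (`m/44'/0'/1'`) or a different purpose branch: the xpub holder can enumerate one account and nothing else. The same mechanism explains the Ethereum remark above, since wallets commonly export the xpub at the non-hardened level `m/44'/60'/0'/0` (60 being the SLIP-44 coin type for Ethereum), so one xpub covers every address derived below it.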