How viable is the Trezor Safe 7 as a FIDO passkey storage device assuming a passwordless future?

Hello guys,

I am considering buying a Trezor Safe 7 to use primarily as a FIDO2 passkey storage for my online and offline accounts. (Instead of a software solution like Bitwarden.)
The benefit I seek is that the keys are stored on an external device while still allowing backup, and the ability to enter pin on an external device. I also strongly prefer open source and updateable firmware.
But I have questions that I wasn’t able to find the answers to on the website.

FIDO2 questions:
Does Trezor inform the user whether the current login is a passkey or a U2F? This matters for backup.

How many passkeys can the Trezor 7 hold? I have read the Trezor 5 can hold a 100, but that’s not quite enough if passkeys are to replace passwords completely. (The iShield Key 2 can store 300 passkeys for example. I found this at random, if you know of a site that compares many different passkey storage options I’d like to know.)

How reliable is restoring the backup? I’ve read that sometimes websites reject the way Trezor restores the signature counter. And presumably it’s impossible to tell which will work until you need to restore the backup.
If this is indeed a problem it would be nice to be able to refuse creating a passkey for a website that requires the signature counter, to ensure my backup is sound.

And finally what FIDO standard does Trezor comply with exactly? Will I be able to use Trezor anywhere I can use a Yubikey for example?

I am aware that most of these problems are not the fault of Trezor but of FIDO2 being a fractured and confusing standard, but the website could really use more information on its use specific to Trezor devices.

Bluetooth security questions:
I don’t question the Trezor protocol’s ability to sign things securely over Bluetooth, but I don’t like the idea of having a device in my pocket that constantly identifies itself to its surroundings, increasing the danger of the “5 dollar wrench attack”. What steps does Trezor take to protect users from being tracked in the physical world through the collection of Bluetooth signals? (Assuming the user uses Bluetooth.) Does the Trezor always emit signals when Bluetooth is enabled in the settings? How hard is it to turn Bluetooth on and off again?

Does the Trezor Safe 7 support NFC?
NFC seems a superior option to Bluetooth, striking a balance between convenience and tracking resistance by being “near field communication”; especially on mobile devices I would much prefer it over Bluetooth. On desktop I’m content with just plugging it in.

Thanks for answers in advance.
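The signature-counter concern raised above (a restored backup being rejected by some sites), as an added example that is not part of the original post or of any Trezor code: a minimal model of the relying-party-side WebAuthn signCount check, with constructed sample values, showing why a credential restored with a stale or reset counter is flagged by a site that enforces the rule strictly.

```python
"""Relying-party signature-counter check (WebAuthn signCount) in miniature.

Added example; not code from the original post or from Trezor. It models the
server-side rule that makes a restored passkey backup risky: a credential
restored from backup typically reports a counter lower than the one the
relying party last stored, and a site that enforces the spec rule reads that
as a possibly cloned authenticator. All sample values are constructed.
"""
from dataclasses import dataclass


@dataclass
class StoredCredential:
    """What a relying party keeps per registered passkey (simplified)."""
    credential_id: str
    sign_count: int  # highest counter this RP has accepted so far


def check_sign_count(stored: StoredCredential, asserted: int) -> str:
    """Apply the WebAuthn signCount rule to one assertion.

    Returns 'skip'  : both counters are 0, the authenticator has no counter,
                      nothing to compare;
            'ok'    : counter advanced, stored value updated;
            'clone' : counter stalled or went backwards, the spec's
                      'possibly cloned authenticator' signal. Whether that
                      rejects the login is site policy, which is why a
                      restored backup works on some sites and not others.
    """
    if asserted == 0 and stored.sign_count == 0:
        return "skip"
    if asserted > stored.sign_count:
        stored.sign_count = asserted
        return "ok"
    return "clone"


def restore_scenario(logins_before_loss: int, restored_counter: int) -> list:
    """Constructed timeline: register, log in N times, lose the device,
    restore the credential from backup and log in again.

    The restored authenticator's counter starts from `restored_counter`
    (0 if the backup does not carry the counter, or a stale value if it does),
    so the final login's verdict shows how a strict site would react.
    """
    cred = StoredCredential("constructed-credential-id", sign_count=0)
    verdicts = []
    for n in range(1, logins_before_loss + 1):
        verdicts.append(check_sign_count(cred, asserted=n))
    # First login after restore: the restored counter, incremented once.
    verdicts.append(check_sign_count(cred, asserted=restored_counter + 1))
    return verdicts
```

`restore_scenario(5, 0)` ends in `"clone"` (counter reset by the restore), while `restore_scenario(5, 5)` ends in `"ok"` (backup carried the current counter).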


Hi @halvamatic
I wrote short experiences here - in recent post labeled: Trezor 7 marketing

Does Trezor inform the user whether the current login is a passkey or a U2F?

Well, you can find that out easily - when it asks for username & password + “FIDO2” key, then it is most likely legacy U2F. A rare example is AppleID, where it asks for user & password + Security Key, but it is actually FIDO2 / CTAP2 / Resident credential. I’m not sure, but it is probably intentional: if you lose the Security Key and you don’t have any Trusted Device (i.e. AppleID is lost forever, there are no exceptions possible, read Reddit - forget about Apple’s Recovery key, Recovery contacts… your access is lost forever), you can still use Find My.

Another way to tell if Resident credentials are being stored in your FIDO2 HW key is by CTAP 2.1, which is not supported by Trezor. But you have the trezorctl command to list and back up stored credentials. They are encrypted by your “SEED” and the Passphrase is ignored in this case. So personally, in the case of Model T without Secure Element, I prefer SD card encryption.

As you can back up those FIDO2 encrypted credentials (NOT wallet backup aka SEED!) safely to cloud and restore when needed, there is actually no storage limit. For comparison, older firmware of Yubikey supports 25 credentials, newer firmware v5.7.1 supports 100 credentials, GoTrust 30 credentials… Anyway, Passkeys are still pretty rare; only major/bigger companies offer them. Hopefully it will improve in upcoming years.

Will I be able to use Trezor anywhere I can use a Yubikey for example?

No. For example it works for MojeID, but it is useless for government services (not FIDO 2 L1/L2 certified EAL6+, no support for Attestation to my knowledge yet).

Does the Trezor Safe 7 support NFC?

I heard that TS7 should be NFC ready in the future, not now. But NFC is also a thing you want/need for Android & Apple devices. Again, plus points for GoTrust and YubiKey.

Anyway, I’m a big fan of Trezor’s FIDO2 application :innocent:

Thank you @Bitcoin_Lover for the reply. However, I’m not content with having to perpetually export and import logins to fit into a predefined storage limit. As far as I know the limit is 100 keys. I don’t know how you got the information that there is no storage limit, but that is physically impossible on the device itself.

The absence of NFC is unfortunate, but I might yet be convinced that Bluetooth is fine if the tracking concern is addressed.

Right now I’m leaning to the conclusion that passkeys are just not ready yet and that the Trezor is not quite what I’m looking for. It seems I’ll have to revisit passkeys in a couple of years when they’re ready. I thought I might try to split this big topic into multiple smaller ones in an effort to get some more answers before I throw in the towel.

For people looking for something similar in the future, I’ve also found one alternative that would solve some of my issues (passkey storage limit, potentially backup - even through syncing): an open source hardware password manager called Mooltipass. It is currently unfortunately sold out, but a new model should be in the works.

(Apparently I can’t post links, so no sources, sorry.)


Sorry for the misunderstanding about unlimited Passkeys. I truly meant that by exporting to external or cloud backups. You need to back them up anyway, compared to legacy U2F which are probably unlimited (at least Yubikey advertises it exactly this way: U2F unlimited vs. 100 Passkeys limit).

And also the intention is not to discourage anyone from FIDO2 Passkeys. We need to start somehow, and some services are already available and some will need more time. And people will use it through their Windows Hello / Androids / iPhones QR code scanning, auto sync solved by cloud… I’m positive here :innocent: Hmmm… I checked the Trezor forum right now and Passkey is supported here :heart: So I need to “fix” that soon :grinning:

BTW: if you are looking for an open source alternative, check OnlyKey. You can back up the private keys too (even though it goes against the HW keys idea, the same way as synced Passkeys on Android & iPhone = possible loss of control over private key usage). But I guess OnlyKey will fail if attestation is needed. So probably not too many benefits and I’d rather stay with Trezor for some services.

OK, I decided to do some stress testing of Model T and it worked flawlessly up to 25 Passkeys. That was also the point where I made the last successful backup by trezorctl command. The next randomly chosen checkpoint was at the 41st Passkey created, and it is also the point where trezorctl fails and hangs indefinitely, so the Passkeys are probably lost :sob: Not a big deal as this is just a lab :innocent: but the plan was to keep them for further testing.

Maybe it is just a limitation of trezorctl, as I can even log in with Passkeys higher than 25 and even with the latest 41st one.

Anyway, I also wanted to take a look at whether TS7 could solve something with a better & more capable MCU and a higher amount of RAM, so I was digging in GitHub and found a couple of other minor things:

  • The 6.3 device naming section on GitHub does not mention TS7
  • TS5 in electronic is missing bom.txt and other files like there used to be for previous open HW models (TS7 section is missing completely)

Wait, is NFC already present but inactive in the Trezor 7? Meaning it could be made available with a software update?


@SlowWiseTurtle That is correct, NFC is a feature included with Trezor Safe 7, although we don’t market it due to the lack of functionality at present. Nothing is definitive yet as to when we will begin using it, but stay tuned :wink:

@bitcoin_lover Our GitHub frequently (but not always) uses internal model names, which is T3W1 for Trezor Safe 7.

Is it possible to log in with FIDO2 or 2FA on a phone via Bluetooth? I can’t find this information anywhere. On my laptop, it’s via cable, but my phone doesn’t have a USB-C port and I can’t connect my Trezor with a cable. Can anyone help me?

Looks like I missed this. That’s awesome! I’m looking forward to these new updates!!

Hi @Christian

Currently, it’s not possible to use TS7 FIDO2/WebAuthN over BLE. You should expect FIDO2 to work over USB-C, not via BT.

I think 100 is more than enough, if you look at how many services support passkeys at the moment.