Question about device recovery and FIDO2 Counter

I am looking to buy a Trezor-T and use it as a FIDO2 security key, because from my understanding, I can restore the FIDO2 credentials onto another device if I lose my current one. (And I do understand the passwordless credentials must also be backed up separately.)

I have two questions:

  1. If I have an additional passphrase / hidden wallet phrase, are the FIDO2 credentials also generated using that, and not just the seed? I assume so, but wanted to double check.

  2. How does the Trezor recovery process handle the FIDO2 counter (meant to deal with duplicate keys)? Does it do something like set the counter based on the current time upon recovery? If so, is there a theoretical date after which recovery wouldn’t work because the counter would be larger than the maximum counter number used by FIDO2? (I’m not sure what it is but I know there is one)

FIDO credentials are always generated using only the seed without passphrase (resp. with an empty one).


Yes. I would need to double-check, but it seems like that is sometime around the year 2100.

1 Like

Awesome thanks, appreciate your insight :+1: