Safe 3 and FIDO2

Hello, I have a question about using Safe 3 for FIDO2. If I utilize my Trezor device as a passkey, will I always be able to regain access to the key pair, provided I have the recovery phrase generated by my device during the initial setup?

I plan to use my Trezor as a passkey for my Bitwarden account, as well as accessing my internet identity. Therefore, it is very important that I do not lose access.

I ran the command ‘trezorctl fido credentials list,’ and it said, ‘There are no resident credentials stored on the device.’ Now, I am confused about how Trezor handles all of this and whether it’s possible to lose access if all I have is my 12-word recovery phrase.


There are two distinct features under the FIDO2 label:

  1. non-discoverable credentials, which are pretty much a tweak of the older “FIDO1” U2F standard. These are mostly second-factor: you first need to log in with your username and password, and then you tap your Trezor to confirm the login.

    This kind of credential is part of the recovery seed, and this is (as far as I can tell) what Bitwarden uses for authentication. You only need the seed in order to regain access.

  2. discoverable credentials, or passkeys. These are a more advanced thing, enabling transparent logins. In this case, the key needs to be stored on Trezor. It is not part of the recovery seed. If you lose or destroy your Trezor, you also lose the key. You need to back it up manually via trezorctl fido credentials list, and restore it by trezorctl fido credentials add.

How to tell them apart? Not easy at the moment, unfortunately.

A big hint is that with a passkey, you don’t enter your password when logging in (sometimes not even the username). You just click the Trezor prompt and then you’re in.

But the only 100% way to know is to see whether there is an entry in fido credentials list for that login. If yes, you need to manually back up that entry.

Good news is that the credentials are encrypted by your seed, so it’s safe to back them up digitally, e.g., in your Google Drive or something.

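The manual backup and restore of resident (discoverable) credentials described in the reply above, as an added example that is not from the thread or from Trezor's own tooling. It assumes that `trezorctl fido credentials list` prints one `Credential ID:` line per resident credential holding the hex ID that `trezorctl fido credentials add` accepts; the sample listing embedded below is constructed, not captured from a device.

```python
# Added example: back up resident FIDO2 credential IDs from a Trezor and
# restore them later. Only the device seed can decrypt the IDs, so the
# backup file is useless without the seed but restores only onto a device
# carrying the same seed. Assumption: the listing format shown in SAMPLE_LISTING.
import re
import subprocess
import sys
from pathlib import Path

NO_CREDS = "There are no resident credentials stored on the device."
# Assumed label used by trezorctl for the hex credential ID of each entry.
CRED_ID_RE = re.compile(r"^\s*Credential ID:\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)

# Constructed sample of a listing with one resident credential (not real data).
SAMPLE_LISTING = """\
Please confirm action on your Trezor device.

WebAuthn credential at index 0:
  Relying party ID:       example.com
  User name:              alice
  Credential ID:          0123456789abcdef0123456789abcdef
"""


def parse_credential_ids(listing: str) -> list[str]:
    """Return the hex credential IDs in a listing; [] when the device has none."""
    if NO_CREDS in listing:
        return []
    return [cred_id.lower() for cred_id in CRED_ID_RE.findall(listing)]


def backup(path: Path) -> int:
    """Run the list command, save one credential ID per line, return the count."""
    listing = subprocess.run(["trezorctl", "fido", "credentials", "list"],
                             capture_output=True, text=True, check=True).stdout
    ids = parse_credential_ids(listing)
    path.write_text("".join(f"{cred_id}\n" for cred_id in ids))
    return len(ids)


def restore(path: Path) -> int:
    """Re-add every saved credential ID to the (same-seed) device; return the count."""
    ids = [line.strip() for line in path.read_text().splitlines() if line.strip()]
    for cred_id in ids:
        subprocess.run(["trezorctl", "fido", "credentials", "add", cred_id], check=True)
    return len(ids)


if __name__ == "__main__":
    # Usage: python fido_backup.py backup|restore <file>
    action, target = sys.argv[1], Path(sys.argv[2])
    count = backup(target) if action == "backup" else restore(target)
    print(f"{action}: {count} resident credential(s)")
```

Each trezorctl call will ask for confirmation on the device, as the listing in the thread shows.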

Thank you for taking the time to explain and help me understand better. I recently upgraded from Model One to the Safe 3, keeping my recovery seed. I successfully authenticated both my Bitwarden and Internet Identity. Does this mean that no further steps are necessary, aside from safeguarding my seed phrase?

trezorctl fido credentials list
Please confirm action on your Trezor device.
There are no resident credentials stored on the device.
