I recently bought a Safe 7 and am now playing around with the settings, trying to figure out how seed phrases work, how backups work with SLIP-39, connecting it to various existing wallets, generating wallets with different backup methods - basically, I’m exploring the new device’s capabilities and working through all the edge cases I might encounter during use.
And now I’ve gotten to FIDO2, meaning, using the Trezor Safe 7 as a security key. I started testing how it all works again and decided to create a separate Bitwarden account where I could connect the FIDO2 device as a means of two-factor authentication.
For the most part, there were no issues connecting the Trezor as a security key, Windows recognized it without a hitch. I connected the device, linked it to my Bitwarden account, and everything seemed fine. I log out of the account and test it using the “Log In with passkey” feature. It doesn’t work. The system doesn’t recognize the device. I check the official Trezor article on how to connect and verify that credentials are stored on the Trezor device itself using the command trezorctl fido credentials list. Here’s what it returned:
there are no resident credentials stored on the device.
I started Googling and found a thread on the Trezor forum about a similar issue, but with Safe 3. Developer @matejcik told the user that there are two situations:
non-discoverable credentials, which are pretty much a tweak of the older “FIDO1” U2F standard. These are mostly second-factor: you first need to log in with your username and password, and then you tap your Trezor to confirm the login. This kind of credential is part of the recovery seed, and this is (as far as I can tell) what Bitwarden uses for authentication. You only need the seed in order to regain access.
discoverable credentials, or passkeys. These are a more advanced thing, enabling transparent logins. In this case, the key needs to be stored on Trezor. It is not part of the recovery seed. If you lose or destroy your Trezor, you also lose the key. You need to back it up manually via trezorctl fido credentials list, and restore it by trezorctl fido credentials add
I fiddled around, re-linked my Trezor to Bitwarden, and realized I was selecting the wrong option. During the initial authorization step in Bitwarden, you can immediately choose “Log In with passkey,” or log in via email and a master password. That’s what I did, and then a window popped up asking me to verify via security key. And that’s when the system recognized my Trezor device and let me log in after I confirmed the action on the Trezor device. So this is the “non-discoverable credentials” method, and authentication happens directly using the seed phrase of an already activated Trezor.
Cool, time to test it out. I decided to reset my Trezor and created a wallet using a 12-character seed phrase. I activated it and went to log in to Bitwarden again. It wouldn’t let me, and the Trezor device itself displayed a message saying there were no credentials for this site. Great. I reset it again and went back to the wallet where I had linked the Trezor to Bitwarden. I made a backup and went through the Bitwarden authorization process again. I did everything the same way, and it asked me to enter the secret key. At this point, the Trezor device found the credentials with my email and asked me to confirm the action. I confirmed. But now, on the Bitwarden side, it says:
An error has occurred.
Invalid verification code
I tried it in a different browser, same result. I wonder if I’m somehow using the wrong wallet? I reset it, restored it, and tried again. Same thing. I started Googling, but didn’t find anything useful.
One thing is clear: the problem is on someone’s end. Either on the Trezor device’s end or on the service’s end that uses FIDO2 (in this case, Bitwarden). I’ll try to find other services that work similarly, but this might be a warning not to use a Trezor device as a security key in Bitwarden, because if you reset the device, it will stop working.
I’m posting this as a note of my observations so that anyone who finds themselves in this situation knows they’re not alone. Or maybe there’s a solution out there and I’m just doing something wrong.
Keep testing the Trezor.
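
Added example, not part of the original post and not Trezor's or Bitwarden's code: a simplified model of the two credential types described in the quoted developer reply, showing which logins are expected to survive a wipe and restore. The class name, derivation labels, `vault.example` site and seeds are constructed, and HMAC stands in for the real ECDSA signature; the model does not reproduce or explain the "Invalid verification code" error.

```python
import hashlib
import hmac
import os

def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class ToyAuthenticator:
    """Simplified model; not Trezor's real derivation or credential format."""

    def __init__(self, seed: bytes):
        # Wrapping key depends only on the seed, so it survives wipe + restore.
        self._wrap_key = _mac(seed, b"toy-fido-wrap-key")
        # Discoverable credentials live in device storage, so a wipe loses them.
        self.resident = {}

    def make_credential(self, rp_id: str, discoverable: bool = False) -> bytes:
        nonce = os.urandom(16)
        # Credential ID = nonce + tag bound to this seed and this site.
        cred_id = nonce + _mac(self._wrap_key, b"id", rp_id.encode(), nonce)
        if discoverable:
            self.resident[rp_id] = cred_id
        return cred_id  # the site stores this next to the account

    def get_assertion(self, rp_id: str, challenge: bytes, cred_id=None):
        if cred_id is None:  # "log in with passkey": the site sends no ID
            cred_id = self.resident.get(rp_id)
            if cred_id is None:
                return None  # nothing resident on the device
        nonce, tag = cred_id[:16], cred_id[16:]
        expected = _mac(self._wrap_key, b"id", rp_id.encode(), nonce)
        if not hmac.compare_digest(tag, expected):
            return None  # ID was made under another seed: no credential here
        key = _mac(self._wrap_key, b"key", rp_id.encode(), nonce)
        return _mac(key, challenge)  # stand-in for the real ECDSA signature
```

In this model a restored device answers for a non-discoverable credential only when the seed is the same, while a discoverable one is gone after any wipe unless it was exported first.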