Switching between Trezor One and T as GitHub security key

So I own both Trezor One and T initialized with the same seed.

  • If I add model T as a security key, model One cannot be used to unlock the account. Model T works just fine.
  • If I add model One as a security key it works just fine until I use model T for the first time ‒ then it stops working.
  • As expected, I cannot register both keys at the same time.

Does anyone have any idea what is going on here? That is the only site I’ve seen so far that behaves this way.

U2F security keys have cloning protection, and only some sites enforce it. GitHub might be one of them.

Furthermore, Trezor T implements the FIDO2 standard, and Trezor One only has U2F (later subsumed into FIDO 1). Not all websites handle the difference gracefully.
This is most likely what is happening (see below for explanation).

For this reason, using two Trezors with the same seed as U2F security keys is not officially supported. You will need to pick one of your Trezors and only use that one.

Technical details:

U2F keys have a hidden counter that basically means “how many times has this key been used to log in”. A website can choose to check that the value it saw last is not lower than the current one – that would mean that somebody cloned the security key, which is a problem in the typical scenario.

When you restore a Trezor, the counter is set to the current time in seconds since 1970 – a number so high that it’s plausibly always higher than “the number of times you have logged in”. There is also a possibility to set the counter to a specific value via trezorctl. You would need to do this every time you switch from one Trezor to the other, however.

For the FIDO1/FIDO2 thing: the keys are slightly different, and a website can choose to:
(a) always use FIDO1 and ignore the FIDO2 functionality, or
(b) use only the thing which you used to register (so if you start with TT then T1 won’t work)
(c) upgrade to FIDO2 if it can (so if you start with T1 and then use TT, you can’t use T1 again)
(d) store both separately. (nobody does this.)

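The counter behaviour described in the answer above, as an added example that is not part of the original thread and is not Trezor or GitHub code. It assumes both devices present the same credential (same seed), that each keeps its own counter initialised at restore time, and that the site either rejects or tolerates a counter that did not increase; the class names and restore timestamps are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Authenticator:
    """One physical device; the counter lives on the device, not in the seed."""
    name: str
    counter: int

    def sign(self) -> int:
        # Each login response carries a counter one higher than the last.
        self.counter += 1
        return self.counter


@dataclass
class RelyingParty:
    """Server side: one stored counter for the single registered credential."""
    enforce: bool
    stored: int = 0

    def verify(self, reported: int) -> bool:
        # A counter that did not increase looks like a cloned key.
        if reported <= self.stored:
            # Strict site rejects; lenient site accepts and keeps its stored value.
            return not self.enforce
        self.stored = reported
        return True


def simulate(enforce: bool) -> list:
    # Constructed restore times (seconds since 1970); the One was restored first.
    one = Authenticator("Trezor One", counter=1_600_000_000)
    t = Authenticator("Trezor T", counter=1_650_000_000)
    rp = RelyingParty(enforce=enforce)
    # Login order from the question: One, One, then T, then back to One, then T.
    return [(d.name, rp.verify(d.sign())) for d in (one, one, t, one, t)]


if __name__ == "__main__":
    for policy in (True, False):
        print("site enforces counter" if policy else "site ignores counter")
        for name, ok in simulate(policy):
            print(f"  {name:<10} {'accepted' if ok else 'REJECTED'}")
```

On the enforcing site the One is accepted until the T logs in once; after that the stored value is the T's higher counter and every One login is below it, while a site that does not enforce the check accepts both devices.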