Trezor Safe 5 2FA

The Trezor Safe 5 page states it has 2FA.

https://trezor.io/trezor-safe-5

I question whether it has 2FA or U2F, which is not the same thing:

https://trezor.io/learn/a/what-is-u2f

→ 2FA adds an extra layer of security to your online accounts by requiring two forms of verification during login.
→ U2F is an open standard that enhances and simplifies 2FA using specialized USB or NFC devices.

So again I believe the Trezor enables U2F and not 2FA.

Are there any Trezor security experts in this forum that can confirm?

Saying “Trezor enables U2F but not 2FA” is like saying “Trezor supports Bitcoin but not cryptocurrency”.

2FA is a general term meaning “two factor authentication”, whatever form it may take. Your bank sending you SMS is 2FA too.

U2F is a specific technology - an older standard for a second-factor token. Trezor supports U2F, as well as the newer and more general FIDO2 standard. FIDO2 is the same standard behind Passkeys, btw.

In other words, you can use Trezor for 2FA, if a website supports U2F or FIDO.

2 Likes

This is a cool feature, in fact. Many sites now support logins with an additional level of protection through a hardware key. I am now using Ledger with the “Security Key” application and I am waiting for Trezor Safe 5 delivery to try this feature.

On this forum, in the profile in the Security tab, there are two hardware configurations:

  1. Passkeys
  2. Physical Security Keys

With Ledger, I can only configure the “Physical Security Keys” in “Two-Factor Authentication”. It does not support the “Passkeys” feature.

As I see in the manual, Trezor Safe 5 supports Security Keys, but will it also support Passkeys as another type of hardware configuration?

Trezor works as a passkey right now, and in fact supported the relevant tech before passkeys existed.

(Passkeys are actually “just” FIDO2, and the new thing is that the browser itself will act as a passkey. What’s nice about that is that it motivates websites to implement support right now.
That also makes the UI a little confusing if you want to use an external device. But if you just keep the Trezor plugged in, you’ll see a prompt to register as passkey.)

Problem with passkeys, or “discoverable credentials”, is that it stores data on your Trezor unit – so in other words, you cannot recover your passkey logins from your seed!
(that’s unlike the regular “security key” feature, which is derived from the seed)

You can back up and restore the passkeys manually via trezorctl, but it’s not supported by Suite at this time.

1 Like

Thanks. I haven’t tested Trezor One on all the sites where I have hardware login configured (about ten), but it doesn’t work on github (Mozilla Firefox), for example. But it works well for this forum and, for example, for Proton mail. When I have more time, I will test the Trezor One and Trezor Safe 5 models more thoroughly on the services I use and report. The comments below are currently relevant for Trezor One, since I don’t have a Safe 5 device on hand yet.

There is one significant or maybe critical security issue - Trezor One does not require a PIN code when using the hardware security key to log in somewhere. Anyone with my Trezor One in their hands will be able to log into my services and mails. This is critical if Trezor is stolen. When using Ledger, firstly, it always requires a PIN code to start working; secondly, the security key identifier is different for the standard and hidden wallets, while Trezor One uses the same security key identifier for the standard and any hidden wallet.

Trezor One only supports the older U2F standard, so it won’t work as a passkey. Trezor T and all the Safe family models support FIDO2 and work as passkeys.

We don’t consider this behavior a “security issue”. It’s the same as with YubiKey or any other similar product where you only need to tap a button to log in.

In the overall FIDO security model, this makes sense: the token is already your second factor. You are proving (1) what you know (the password) and (2) what you have (the YubiKey, or Trezor unit). Adding a PIN just adds the “what you know” factor again.
Simply put, you are not supposed to get both your password and your token stolen at the same time ; ) Assuming that scenario, what’s to say the thieves don’t also know your PIN?

Models newer than Trezor One do require a PIN for FIDO unlock; in my personal experience, it is very annoying and I actually reverted to using a thumb FIDO token for this reason. We are considering skipping the PIN also on the Safe family, or at least making it configurable.

I’m not sure how Ledger works in this regard, but for Trezor it’s not possible to “select” a wallet when using it as a FIDO token. In theory you could make a selection screen on Trezor at login time, but that would be one more obstacle, UX-wise.

2 Likes
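To make the two points above concrete (passkeys live in device storage and are not recoverable from the seed, while the security-key credential is re-derived from the seed; and the FIDO flags a website sees when a device asks for a touch only versus a PIN), here is an added toy model. It is example code written for this thread, not Trezor firmware, trezorctl, or any real FIDO library: the `Authenticator` and `RelyingParty` classes, the key-handle layout (nonce plus MAC), the derivation labels, and the signature scheme (Schnorr over a 1019-element group so it runs with the standard library only; real authenticators use ECDSA P-256 or similar) are all assumptions made for illustration.

```python
"""Toy model of the two credential kinds a FIDO authenticator can back.

Added example, not Trezor firmware or a real FIDO library.  Illustrative only:
* non-discoverable ("security key", U2F-style) credentials re-derive their
  private key from the device seed plus an opaque key handle the site stores,
  so a device restored from the same seed keeps working;
* discoverable credentials ("passkeys") keep a random private key in device
  storage, which a seed-only restore does not bring back.
The assertion also carries the user-presence (UP) and user-verification (UV)
flags, so a site that insists on a PIN can reject a touch-only device.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Toy Schnorr group: p = 1019 is a safe prime, q = 509 = (p-1)/2, g = 4 generates
# the order-q subgroup.  Far too small for real use; chosen only to stay stdlib.
P, Q, G = 1019, 509, 4


def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def _sign(priv: int, msg: bytes) -> tuple:
    k = _h(os.urandom(16)) % Q or 1
    r = pow(G, k, P)
    e = _h(r.to_bytes(2, "big"), msg) % Q
    return r, (k + e * priv) % Q


def verify(pub: int, msg: bytes, sig: tuple) -> bool:
    """Relying-party side: checks g^s == r * pub^e using only the public key."""
    r, s = sig
    e = _h(r.to_bytes(2, "big"), msg) % Q
    return pow(G, s, P) == (r * pow(pub, e, P)) % P


@dataclass
class Authenticator:
    seed: bytes                      # backup secret (constructed); never leaves the device
    pin_set: bool = False            # device demands a PIN before signing -> UV flag
    resident: dict = field(default_factory=dict)  # rp_id -> (cred_id, priv): device storage

    def _derive(self, rp_id: str, nonce: bytes) -> int:
        mac = hmac.new(self.seed, b"key" + rp_id.encode() + nonce, hashlib.sha256).digest()
        return int.from_bytes(mac, "big") % Q or 1

    def _handle_tag(self, rp_id: str, nonce: bytes) -> bytes:
        # lets the device reject key handles it did not issue for this site
        return hmac.new(self.seed, b"handle" + rp_id.encode() + nonce, hashlib.sha256).digest()[:16]

    def make_credential(self, rp_id: str, discoverable: bool) -> tuple:
        """Registration: returns (credential_id, public_key) for the site to store."""
        if discoverable:
            priv = _h(os.urandom(32)) % Q or 1     # random; exists only in device storage
            cred_id = os.urandom(16)
            self.resident[rp_id] = (cred_id, priv)
        else:
            nonce = os.urandom(16)
            priv = self._derive(rp_id, nonce)
            cred_id = nonce + self._handle_tag(rp_id, nonce)  # opaque 32-byte key handle
        return cred_id, pow(G, priv, P)

    def get_assertion(self, rp_id: str, cred_id: bytes, challenge: bytes):
        """Authentication: returns (signature, flags), or None if the credential is unknown."""
        stored = self.resident.get(rp_id)
        if stored and hmac.compare_digest(stored[0], cred_id):
            priv = stored[1]
        elif len(cred_id) == 32 and hmac.compare_digest(
                self._handle_tag(rp_id, cred_id[:16]), cred_id[16:]):
            priv = self._derive(rp_id, cred_id[:16])
        else:
            return None
        flags = {"up": True, "uv": self.pin_set}   # touch always; UV only when a PIN guards signing
        return _sign(priv, challenge), flags


@dataclass
class RelyingParty:
    rp_id: str
    require_uv: bool = False
    users: dict = field(default_factory=dict)    # username -> (cred_id, pub)

    def register(self, user: str, device: Authenticator, discoverable: bool = False) -> None:
        self.users[user] = device.make_credential(self.rp_id, discoverable)

    def login(self, user: str, device: Authenticator) -> str:
        cred_id, pub = self.users[user]
        challenge = os.urandom(32)
        result = device.get_assertion(self.rp_id, cred_id, challenge)
        if result is None:
            return "unknown credential"
        sig, flags = result
        if not verify(pub, challenge, sig):
            return "bad signature"
        if self.require_uv and not flags["uv"]:
            return "user verification required"
        return "ok"


def demo() -> dict:
    seed = hashlib.sha256(b"constructed backup seed").digest()   # constructed sample seed
    device = Authenticator(seed)
    forum = RelyingParty("forum.example")                  # security-key style login
    mail = RelyingParty("mail.example")                    # passkey style login
    strict = RelyingParty("bank.example", require_uv=True) # site policy: PIN required
    forum.register("alice", device, discoverable=False)
    strict.register("alice", device, discoverable=False)
    mail.register("alice", device, discoverable=True)
    restored = Authenticator(seed)                         # same seed, empty storage
    pin_device = Authenticator(seed, pin_set=True)         # same seed, PIN enforced
    return {
        "forum_original": forum.login("alice", device),
        "forum_restored": forum.login("alice", restored),
        "mail_original": mail.login("alice", device),
        "mail_restored": mail.login("alice", restored),
        "strict_touch_only": strict.login("alice", device),
        "strict_with_pin": strict.login("alice", pin_device),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the seed-derived forum credential still working on the restored device while the resident mail credential is reported as unknown, and the UV-requiring site rejecting the touch-only device but accepting the same seed once a PIN guards signing. The "unknown credential" outcome is exactly the gap the manual trezorctl backup mentioned earlier in the thread is meant to close.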

I’m not trying to use it as Passkey, I just noticed that GitHub uses WebAuthn authentication for 2FA, which should support the U2F standard, but as you said, Trezor One uses the old U2F standard, so it might not be supported everywhere, although in reality it’s still relevant.

Some services may only provide access via a hardware key without the ability to enter a password (instead of a password, SMS or Restore Codes may be used), but many sites use this as an additional security layer instead of 2FA software, this is true.

Requiring a PIN (once upon connection, not for every login) to unlock FIDO is actually a good thing because there are paranoid people like me 🙂 It would be better to make this option configurable.

In any case, using a hardware crypto wallet for extra security of your email or other accounts is a very cool feature that allows you to save money on Yubi and similar dongles 👍