Two-factor Authentication with U2F
Two-factor authentication (2FA) is currently the most common way to protect your online accounts from unauthorized access. In addition to what you know (your username and password), you use something that only you have (a phone, an app or a specialized hardware token) in order to log in securely.
However, some methods of 2FA are inherently insecure. The most popular 2FA implementation, Time-based One-Time Password (TOTP), popularized by its use on Google Auth services, transmits the shared secret (master key) over the internet during the setup process. This weakness has been recognized by major players, who created the FIDO Alliance and defined new, more secure standards such as U2F.
Starting with firmware 1.4.0, TREZOR officially supports the U2F specification. After updating your device firmware, you can start using TREZOR as your 2nd factor authentication token with services such as Google or Dropbox. Check out services using U2F at dongleauth.info.
One further improvement of TREZOR on top of U2F is that TREZOR users can truly verify what they are about to authorize via the on-device display.
You can find a list of websites which support U2F at dongleauth.info.
How to Set Up TREZOR as a U2F Key?
In this short tutorial, we will use Dropbox as the example; however, all services should have a similar setup procedure.
- In Settings, click on ‘Add’ to set up TREZOR as your U2F Security Key
- Plug in your TREZOR
- Wait for the prompt on your TREZOR
- Confirm after checking
- Done! You can start using TREZOR to log into Dropbox alongside a simple password.
Using TREZOR as a U2F Key
We are using GitHub as an example, but all services should have similar login procedures.
- Log in as usual
- Plug in TREZOR
- The device will not ask you for your PIN. Your login credentials for the service serve as the first factor, and your TREZOR serves as the second factor.
Restoring U2F Counter on TREZOR
Restoring a seed on another TREZOR restores all the U2F keys too, as they are derived from one master key. However, due to the design of U2F, some services might implement a counter that records the number of sign-ins. When recovering a seed, or cloning a TREZOR, this counter will be off and might have to be increased, in order for the recovered TREZOR to work successfully with a service.
If you have firmware version 1.4.2 or higher, the U2F counter will be restored automatically on Wallet Recovery. Simply restore your wallet, and the U2F counter will be set to the UNIX time at the moment of recovery.
You can increase the counter manually with python-trezor:
trezorctl set_u2f_counter $(date +%s)
This command will increase the counter to the current UNIX time. (As long as the counter is higher than the one recorded on the provider’s side, login will be successful.)
Relevant discussion: Reddit Thread.
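The counter check described above, seen from the service's side, as an added example (not TREZOR or python-trezor code). It parses the raw U2F authentication response (1 byte user presence, 4 byte big-endian counter, signature) and rejects a counter that did not increase; `KeyRecord`, `make_response`, the counter values and the signature bytes are constructed for illustration, and signature verification is left out to keep the focus on the counter.

```python
import struct

class CounterError(Exception):
    """The response counter is not higher than the last one recorded."""

def parse_sign_response(raw: bytes):
    """Split a raw U2F authentication response into its three fields."""
    if len(raw) < 6:
        raise ValueError("response too short")
    presence, counter = struct.unpack(">BI", raw[:5])  # no padding with '>'
    return bool(presence & 0x01), counter, raw[5:]

def make_response(counter: int) -> bytes:
    """Constructed sample response; the signature bytes are a placeholder."""
    return b"\x01" + struct.pack(">I", counter) + b"\x30\x06placeholder"

class KeyRecord:
    """Hypothetical per-key state a service keeps after registration."""
    def __init__(self):
        self.last_counter = -1  # nothing seen yet

    def check(self, raw: bytes) -> int:
        present, counter, _signature = parse_sign_response(raw)
        if not present:
            raise ValueError("user presence bit not set")
        # A real service verifies the signature here before trusting the counter.
        if counter <= self.last_counter:
            raise CounterError(f"counter {counter} <= stored {self.last_counter}")
        self.last_counter = counter
        return counter

def demo():
    """Original device, then a restored clone before and after the counter bump."""
    record, results = KeyRecord(), []
    steps = [("original device", 57),
             ("restored device", 1),                     # counter started over
             ("after set_u2f_counter", 1_500_000_000)]   # constructed UNIX time
    for label, counter in steps:
        try:
            record.check(make_response(counter))
            results.append((label, "accepted"))
        except CounterError:
            results.append((label, "rejected"))
    return results

if __name__ == "__main__":
    for label, outcome in demo():
        print(f"{label}: {outcome}")
```

A UNIX timestamp fits the 4-byte counter field, which is why it works as a value that is practically always above whatever the service last recorded.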