FIDO2 Credentials

From Trezor Wiki

When you register your Model T for passwordless login, a device-resident credential (a discoverable credential, in FIDO2 terms) is stored on the device itself. It carries information about your account, such as the user ID and user name, so that you can log in without having to type in your username.

See also FIDO2

Resident credential management

If your Trezor is wiped or lost, these credentials are lost with it and you have to log in to your account using traditional authentication. However, you can back the credentials up so that, after recovering your wallet from your recovery seed or your recovery shares, you can reload them onto the device. Bear in mind that the credentials are bound to the seed with which they were created: a device initialized with a different seed cannot import or use them.

Before testing this feature, update trezorctl to the latest version:

pip3 install --upgrade trezor

There are three new commands in trezorctl:

trezorctl fido credentials list

This command lists all the resident credentials stored on the device. Each one will look something like this:

FIDO credential at index 0:
Relying party ID:   	example.com
User ID:            	3082019330820138a0030201023082019330820138a003020102308201933082
User name:          	[email protected]
Creation time:      	2
hmac-secret enabled:	True
Use signature counter:  False
Credential ID:f1d00200eb3b566f4ea0a219552b2efd2c76e1ffc2e641d3bf91ec92d47a4ed4d78cf42845248c4e982a503618bac0cecfb0fa91fa10821df1efe1d59ac8314eb57eb7f32a1a605f91e8692daf1a679b55ab1acadfded5e0c7fd1365e2801759bd3a4450dd5589586ab072da79

You can make a backup of a credential by copying its Credential ID. The account data inside the ID is encrypted with a key derived from your seed, and the private key used for signing is derived from the seed as well, so the ID on its own lets an attacker neither read the account details nor log in. A credential ID is in any case not a secret: the relying party receives it during registration. It can therefore be safely stored, for example in a text file on your computer. This list shows only the credentials that can be used for passwordless login, i.e. device-resident credentials. For ordinary (non-resident) credentials the relying party stores the credential ID on its server and sends it back to the device at login, so there is nothing to back up for those.

trezorctl fido credentials add <HEXADECIMAL_CREDENTIAL_ID>

This command adds the credential with the given ID as a resident credential to your device. This is the command you would use after recovering the device from the same seed to load your backed-up credentials onto it.

For example:

trezorctl fido credentials add f1d00200eb3b566f4ea0a219552b2efd2c76e1ffc2e641d3bf91ec92d47a4ed4d78cf42845248c4e982a503618bac0cecfb0fa91fa10821df1efe1d59ac8314eb57eb7f32a1a605f91e8692daf1a679b55ab1acadfded5e0c7fd1365e2801759bd3a4450dd5589586ab072da79
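Copying credential IDs out of the terminal by hand is error-prone, especially when a narrow terminal wraps a long ID over several lines. The following script is an added example, not code from the Trezor Wiki or from the trezor project: it parses the text printed by `trezorctl fido credentials list` (the format assumed is exactly the one shown above), writes one hex credential ID per line into a backup file, and after recovery replays each ID through `trezorctl fido credentials add`. The sample list output embedded in the script is constructed for testing offline; credential 0 reuses the ID from this page and credential 1 is invented. The restore step assumes trezorctl is on PATH and the device has already been recovered from the same seed.

```python
#!/usr/bin/env python3
"""Back up and restore Trezor FIDO2 resident credential IDs via trezorctl."""
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample of `trezorctl fido credentials list` output, so the
# parser can be exercised without a device. Credential 0 reuses the ID from
# the wiki page, wrapped over two lines the way a narrow terminal prints it;
# credential 1 is invented.
SAMPLE_LIST_OUTPUT = """\
FIDO credential at index 0:
Relying party ID:   \texample.com
User ID:            \t3082019330820138a0030201023082019330820138a003020102308201933082
User name:          \talice@example.com
Creation time:      \t2
hmac-secret enabled:\tTrue
Use signature counter:  False
Credential ID:f1d00200eb3b566f4ea0a219552b2efd2c76e1ffc2e641d3bf91ec92d47a4ed4d78cf42845248c4e982a503618bac0cecfb0fa91fa10821df1efe1d59ac8314eb57eb7
f32a1a605f91e8692daf1a679b55ab1acadfded5e0c7fd1365e2801759bd3a4450dd5589586ab072da79
FIDO credential at index 1:
Relying party ID:   \tlogin.example.org
User ID:            \t0102030405060708
User name:          \tbob
Creation time:      \t3
hmac-secret enabled:\tFalse
Use signature counter:  True
Credential ID:f1d00200aabbccddeeff00112233445566778899
"""

_INDEX_RE = re.compile(r"^FIDO credential at index (\d+):$")
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_credentials(text: str) -> List[Dict[str, str]]:
    """Parse `trezorctl fido credentials list` output into one dict per credential.

    Keys are the printed labels ("Relying party ID", "Credential ID", ...) plus
    "index". A credential ID that the terminal wrapped onto following lines
    (bare hex with no label) is joined back onto the preceding "Credential ID".
    """
    creds: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _INDEX_RE.match(line)
        if m:
            current = {"index": m.group(1)}
            creds.append(current)
        elif not current:
            continue  # anything printed before the first credential
        elif ":" in line:
            label, _, value = line.partition(":")
            current[label.strip()] = value.strip()
        elif _HEX_RE.match(line) and "Credential ID" in current:
            current["Credential ID"] += line  # wrapped continuation of the ID
    return creds


def credential_id(cred: Dict[str, str]) -> str:
    """Return the credential's ID as lowercase hex, refusing anything malformed."""
    cid = cred.get("Credential ID", "")
    if not _HEX_RE.match(cid) or len(cid) % 2:
        raise ValueError(f"credential {cred.get('index')}: malformed credential ID")
    return cid.lower()


def backup_text(creds: List[Dict[str, str]]) -> str:
    """Serialise credentials as a backup file: a comment naming the account,
    then the hex credential ID on a line of its own."""
    out = []
    for c in creds:
        out.append(f"# rp={c.get('Relying party ID', '?')} user={c.get('User name', '?')}")
        out.append(credential_id(c))
    return "\n".join(out) + "\n"


def restore_commands(backup: str) -> List[List[str]]:
    """Turn a backup file back into `trezorctl fido credentials add` argv lists."""
    cmds = []
    for line in backup.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not _HEX_RE.match(line) or len(line) % 2:
            raise ValueError(f"not a hex credential ID: {line[:16]!r}")
        cmds.append(["trezorctl", "fido", "credentials", "add", line.lower()])
    return cmds


def main(argv: List[str]) -> int:
    if len(argv) == 2 and argv[1] == "backup":
        # trezorctl fido credentials list | python3 fido_backup.py backup > creds.txt
        sys.stdout.write(backup_text(parse_credentials(sys.stdin.read())))
        return 0
    if len(argv) == 3 and argv[1] == "restore":
        # python3 fido_backup.py restore creds.txt   (device recovered from the same seed)
        with open(argv[2], encoding="utf-8") as fh:
            for cmd in restore_commands(fh.read()):
                subprocess.run(cmd, check=True)  # stop at the first ID the device rejects
        return 0
    print("usage: fido_backup.py backup | restore <file>", file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The backup file is deliberately plain text with one ID per line, so it can be checked by eye against the device's own list output, and the restore step validates that every line is even-length hex before handing it to trezorctl rather than letting a stray character from a copy-and-paste reach the device.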

Removing a credential by index

trezorctl fido credentials remove -i <CREDENTIAL_INDEX>

This command removes the resident credential at the given index from the device. Check the index with trezorctl fido credentials list first; the index printed there is the one to pass.

For example:

trezorctl fido credentials remove -i 0
