From Trezor Wiki
Jump to: navigation, search

Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication (2FA) by using specialized USB or NFC devices based on a similar security technology found in smart cards. While initially developed by Google and Yubico, with a contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.

See also Secure Two-Factor Authentication with TREZOR — U2F (blog).

Trezor  with  U2F[edit]

Trezor can serve as a hardware security token for U2F, but with backup/recovery functions and convenience.


How Does FIDO/U2F Work?[edit]

The U2F standard was created to overcome the weaknesses of TOTP (Time-based One-Time Password algorithm or 2FA). U2F uses public key cryptography to verify identity. In contrast with TOTP, the user is the only one to know the secret (the private key).

Benefits of U2F[edit]

No shared secret (private key) is sent over the internet at any time. No confidential information will ever be shared, thanks to public key cryptography. It is easier to use. No retyping of one-time codes involved. Privacy. No personal information is associated with the secret. Backup is theoretically easier, although not possible for all U2F keys. Because with U2F there is no secret shared and no confidential databases stored by the provider, a hacker cannot simply steal the entire databases to get access. Instead, he has to target individual users, which is much more costly and time-consuming.

T1 U2F Github.jpg

Moreover, it is possible to back up a secret (private key). This, on the one hand, makes the user responsible for the security, but on the other hand, the user doesn't need to trust any company to protect his secrets (private keys).

TT U2F Github.jpg

How does it work?[edit]

When logging into a website, the user generally authenticates himself by providing a username and a password. With Trezor and U2F, the user will have to additionally confirm the login with a click on the Trezor device.

Trezor always uses a unique signature for each and every user account registered.

  • Easy to back up and recover Trezor requires the user to back up the recovery seed during the initial setup of the device. This is a one-time process for all functions of the device. The recovery seed represents all the private keys generated by the device and can be used to restore the linked wallet at any time.
  • Unlimited number of U2F identities, which are all saved under one backup.
  • The recovery seed is safely stored inside Trezor. It will never be shared, as it can never leave the device. No viruses or hackers can access it.
  • Phishing protection with on-screen verification. Trezor always displays the URL of the website the user wants to log in to, and what exactly is going to be authorized; therefore it is possible to verify that what was sent to the device is what is expected.

The safe characteristics of asymmetric cryptography fall into the security philosophy of Trezor. With U2F support in Trezor, it is possible to secure accounts and identities online.

U2F Support[edit]

  • U2F is enabled in Chrome/Chromium browsers out of the box
  • In Firefox you need to enable U2F manually:
  1. Type about:config into the Firefox address bar and press Enter
  2. Search for u2f
  3. Double-click on security.webauth.u2f to enable U2F (or right-click and select Toggle)

Restoring U2F Counter on Trezor[edit]

Restoring a seed on another Trezor (see Recovery) restores all the U2F keys too, since they are derived from one master key. Due to the design of U2F, some services might implement a counter that records the number of sign-ins. However, if you have firmware version 1.4.2 or higher, the U2F counter is restored automatically.

TREZOR/U2F Login on Your Linux Mint[edit]

Note We would like to thank Shane Antyr who wrote this manual and let us use it.

Warning This manual requires certain skills in working with the command line. There is no guarantee it will work, and we cannot ensure that you will not make any mistakes. Be aware that if something goes wrong, or you do not have your Trezor handy after you finish configuring U2F on your workstation, you will be locked out.

To start with the installation, it is necessary to upgrade your Trezor device to the latest firmware. Follow this step by step guide:

1. Install the needed U2F packages, run:

sudo apt-get install libpam-u2f pamu2fcfg

2. Generate your U2F mappings file. Plug in your Trezor device and run:

pamu2fcfg -u $USER > /tmp/u2f_mappings
echo >> /tmp/u2f_mappings
pamu2fcfg -u root >> /tmp/u2f_mappings

Confirm the action on your Trezor device.

3. Move the u2f_mappings file into /etc and set correct permissions:

sudo mv /tmp/u2f_mappings /etc/u2f_mappings
sudo chown root:root /etc/u2f_mappings

4. Configuring Pam to Use U2F:

The u2f_mappings file that was put into /etc will be used by the pam-u2f module. Set up PAM so that it would use this module, to add two-factor authentication to your system. This can be done by adding a couple of config lines into the appropriate pam configuration files

ls /etc/pam.d

Examples of where to add U2F authentication module:

  • sudo
  • login
  • su
  • mdm, lightdm or gdm
  • cinnamon-screensaver

NoteIt is possible to see all the things which require U2F authentication by looking in /etc/pam.d/

How to add U2F to sudo command[edit]

1. Open up the sudo configuration file:

sudo nano /etc/pam.d/sudo

2. Add this at the end of the file:

# u2f authentication
auth required pam_u2f.so authfile=/etc/u2f_mappings cue

Test your configuration by opening up another terminal window and running a sudo command. If these things are done correctly, you will be asked for your password and then prompted to “Please touch the device.” Your Trezor device will also be prompting you to authorize the request. Congratulations, your system now requires your Trezor to run sudo.

See also this blog for detailed information


Like Trezor? Get one here!