User manual:Two-factor Authentication with U2F
To boost your online security, you can use your Trezor device to log in using the U2F standard. You can start using Trezor as your second-factor authentication token with services such as Google, GitHub or Dropbox. A further advantage of Trezor is that its users can truly verify what they are about to authorize on the device display.
How to Set Up Trezor as a U2F Key
In this short tutorial, we use Dropbox as an example. However, all services should have a similar setup procedure.
- In the Security tab of Settings, click on Add to set up Trezor as your U2F Security Key.
- Plug in your Trezor.
- Wait for the prompt on your Trezor.
- Confirm the action on your Trezor device after checking.
- Done! You can start using Trezor to log into Dropbox in addition to your password.
Restoring U2F Counter on Trezor
Restoring a seed on another Trezor (see Recovery) restores all the U2F keys too, as they are derived from one master key. Due to the design of U2F, some services might implement a counter that records the number of sign-ins. However, if you have firmware version 1.4.2 or higher, the U2F counter is restored automatically.
TREZOR/U2F Login into Your Linux Mint
To start with the installation, you need to upgrade your Trezor device to the latest firmware. Then follow this step-by-step guide:
1. Install the needed U2F packages, run:
sudo apt-get install libpam-u2f pamu2fcfg
2. Generate your U2F mappings file. Plug in your Trezor device and run:
pamu2fcfg -u $USER > /tmp/u2f_mappings
echo >> /tmp/u2f_mappings
pamu2fcfg -u root >> /tmp/u2f_mappings
Confirm the action on your Trezor device.
3. Move the u2f_mappings file into /etc and set correct permissions:
sudo mv /tmp/u2f_mappings /etc/u2f_mappings
sudo chown root:root /etc/u2f_mappings
4. Configure PAM to use U2F:
The u2f_mappings file that was put into /etc will be used by the pam-u2f module. Set up PAM to use this module, which adds two-factor authentication to your system. This is done by adding a couple of config lines to the appropriate PAM configuration files.
Examples of where to add the U2F authentication module:
- mdm, lightdm or gdm
How to add U2F to sudo command
1. Open up the sudo configuration file:
sudo nano /etc/pam.d/sudo
2. Add this at the end of the file:
# u2f authentication
auth required pam_u2f.so authfile=/etc/u2f_mappings cue
Test your configuration by opening up another terminal window and running a sudo command. If everything is done correctly, you will be asked for your password and then prompted to “Please touch the device.” Your Trezor device will also prompt you to authorize the request. Congratulations, your system now requires your Trezor to run sudo.
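A way to check the result of the steps above before relying on it, as an added example that is not part of the original manual or of Trezor's code: a shell function that verifies who owns and can write the mappings file, that each listed user has an enrolled entry, and that the PAM file holds an active pam_u2f.so rule pointing at that mappings file. The function name check_u2f_setup and its arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Trezor's code): sanity checks for the setup above.
# Usage on a real system, run as root:
#   check_u2f_setup /etc/u2f_mappings /etc/pam.d/sudo 0 "$USER" root
check_u2f_setup() {
    mappings=$1; pamfile=$2; want_uid=$3; shift 3
    rc=0

    listing=$(ls -ln "$mappings" 2>/dev/null) || {
        echo "FAIL: $mappings not found"; return 1; }
    mode=$(echo "$listing" | awk '{print $1}')
    uid=$(echo "$listing" | awk '{print $3}')

    # Whoever can write this file can enroll their own key for any user.
    [ "$uid" = "$want_uid" ] || { echo "FAIL: owner uid is $uid, want $want_uid"; rc=1; }
    case $mode in
        ?????w*|????????w*) echo "FAIL: $mappings is group/world-writable"; rc=1 ;;
    esac

    # pamu2fcfg writes one "user:<key data>" line per user; an empty or
    # missing entry means enrollment did not complete for that account.
    for user in "$@"; do
        grep -q "^${user}:[^:]" "$mappings" ||
            { echo "FAIL: no key enrolled for $user"; rc=1; }
    done

    # The PAM rule must be an active "auth" line. If the comment and the
    # rule end up on one line, PAM treats the whole line as a comment.
    awk -v want="authfile=$mappings" '
        $1 == "auth" {
            mod = 0; arg = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /pam_u2f\.so$/) mod = 1
                if ($i == want) arg = 1
            }
            if (mod && arg) found = 1
        }
        END { exit !found }' "$pamfile" 2>/dev/null ||
        { echo "FAIL: no active pam_u2f.so rule using $mappings in $pamfile"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: U2F mappings and PAM rule look consistent"
    return "$rc"
}
```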
See also this blog for detailed information