User manual:Two-factor Authentication with U2F

From Trezor Wiki

To boost your online security, you can use your Trezor device to log in using the U2F standard. You can start using Trezor as your second-factor authentication token with services such as Google, GitHub or Dropbox. A further advantage of Trezor is that its users can truly verify on the device display what they are about to authorize.

Note: For a list of websites and services supporting U2F, see

How to Set Up Trezor as a U2F Key

Note: It is not possible to use multiple devices with the same recovery seed for U2F if the service has a counter mechanism in place.

In this short tutorial, we use Dropbox as an example. However, all services should have a similar setup procedure.

  1. In the Security tab of Settings, click on Add to set up Trezor as your U2F Security Key.
  2. Plug in your Trezor.
  3. Wait for the prompt on your Trezor.
  4. Confirm the action on your Trezor device after checking.
  5. Done! You can start using Trezor to log into Dropbox in addition to your password.

Restoring U2F Counter on Trezor

Restoring a seed on another Trezor (see Recovery) restores all the U2F keys too, as they are derived from one master key. Due to the design of U2F, some services might implement a counter that records the number of sign-ins. However, if you have firmware version 1.4.2 or higher, the U2F counter is restored automatically.

TREZOR/U2F Login into Your Linux Mint

Note: We would like to thank Shane Antyr, who wrote this manual and let us use it.

Warning: This manual requires some skill in working with the command line. There is no guarantee it will work, and we cannot guarantee that you will not make any mistakes. Be aware that if you mess things up, or don't have your Trezor handy after you finish configuring U2F on your workstation, you'll be locked out.

Before starting the installation, upgrade your Trezor device to the latest firmware. Then follow this step-by-step guide:

1. Install the needed U2F packages, run:

sudo apt-get install libpam-u2f pamu2fcfg

2. Generate your U2F mappings file. Plug in your Trezor device and run:

pamu2fcfg -u $USER > /tmp/u2f_mappings
echo >> /tmp/u2f_mappings
pamu2fcfg -u root >> /tmp/u2f_mappings

Confirm the action on your Trezor device.

3. Move the u2f_mappings file into /etc and set correct permissions:

sudo mv /tmp/u2f_mappings /etc/u2f_mappings
sudo chown root:root /etc/u2f_mappings

4. Configure PAM to use U2F:

The u2f_mappings file that was put into /etc will be used by the pam-u2f module. Set up PAM to use this module in order to add two-factor authentication to your system. This is done by adding a couple of config lines to the appropriate PAM configuration files. To list them, run:

ls /etc/pam.d

Examples of where to add U2F authentication module:

  • sudo
  • login
  • su
  • mdm, lightdm or gdm
  • cinnamon-screensaver

Note: It is possible to see all the things which require U2F authentication by looking in /etc/pam.d/

How to add U2F to sudo command

1. Open up the sudo configuration file:

sudo nano /etc/pam.d/sudo

2. Add this at the end of the file:

# u2f authentication
auth required pam_u2f.so authfile=/etc/u2f_mappings cue

Test your configuration by opening up another terminal window and running a sudo command. If everything was done correctly, you'll be asked for your password and then prompted to "Please touch the device." Your Trezor device will also prompt you to authorize the request. Congratulations, your system now requires your Trezor to run sudo.
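The lockout risk from the warning above can be checked mechanically before you rely on the new PAM line. The following is an added example, not part of the original manual or of pam-u2f: the helper names (has_key, safe_file, pam_line_ok, preflight) are hypothetical, and the demo runs on constructed files with fake key handles.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of pam-u2f.

# has_key FILE USER: FILE has a "USER:keyhandle,publickey" registration line.
has_key() { grep -Eq "^$2:[^:,]+,[^:,]+" "$1" 2>/dev/null; }

# safe_file FILE [UID]: owned by UID (default 0), not group/other writable.
safe_file() {
    want_uid=${2:-0}
    set -- $(ls -ldn "$1" 2>/dev/null)  # $1 = mode string, $3 = owner uid
    [ "$3" = "$want_uid" ] || return 1
    case $1 in ?????w*|????????w*) return 1 ;; esac
}

# pam_line_ok PAMFILE MAPFILE: an uncommented auth line loads pam_u2f.so
# and passes authfile=MAPFILE.
pam_line_ok() {
    awk -v want="authfile=$2" '
        $1 == "auth" {
            mod = af = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_u2f\.so$/) mod = 1
                if ($i == want) af = 1
            }
            if (mod && af) ok = 1
        }
        END { exit !ok }' "$1" 2>/dev/null
}

# preflight MAPFILE PAMFILE UID USER...: nonzero if any check fails.
preflight() {
    map=$1; pam=$2; uid=$3; shift 3; rc=0
    safe_file "$map" "$uid" || { echo "FAIL: owner/mode of $map" >&2; rc=1; }
    pam_line_ok "$pam" "$map" || { echo "FAIL: pam_u2f.so line in $pam" >&2; rc=1; }
    for u in "$@"; do
        has_key "$map" "$u" || { echo "FAIL: no key for $u" >&2; rc=1; }
    done
    return $rc
}

# Demo on constructed files; the key handles and public keys are fake.
demo() {
    d=$(mktemp -d) || return 1
    printf 'alice:FAKEHANDLE1,FAKEKEY1\nroot:FAKEHANDLE2,FAKEKEY2\n' > "$d/map"
    chmod 644 "$d/map"
    printf 'auth required pam_u2f.so authfile=%s cue\n' "$d/map" > "$d/sudo"
    preflight "$d/map" "$d/sudo" "$(id -u)" alice root; rc=$?
    rm -rf "$d"; return $rc
}
demo && echo "pre-flight passed"
```

On a real system the call would be `preflight /etc/u2f_mappings /etc/pam.d/sudo 0 "$USER" root`, run from a root shell that stays open until the check and the sudo test both pass.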

See also this blog for detailed information