User manual:Two-factor Authentication with U2F

From Trezor Wiki

To boost your online security, you can use your Trezor device to log in using U2F standards. You can start using Trezor as your second-factor authentication token with services such as Google, GitHub or Dropbox. A further advantage of Trezor is that its users can truly verify what they are about to authorize on the device display.

Note For a list of websites and services supporting U2F, see

How to set up Trezor as a U2F key

Note It is not possible to use multiple devices with the same recovery seed for U2F if the service has a counter mechanism in place.

In this short tutorial, we use Dropbox as an example. However, all services should have a similar setup procedure.

  1. In the Security tab of Settings, click on Add to set up Trezor as your U2F Security Key.
  2. Plug in your Trezor.
  3. Wait for the prompt on your Trezor.
  4. Confirm the action on your Trezor device after checking.
  5. Done! You can start using Trezor to log in to Dropbox in addition to your password.

Restoring U2F Counter on Trezor

Restoring a seed on another Trezor (see Recovery) restores all the U2F keys too, since they are derived from one master key. Due to the design of U2F, some services might implement a counter that records the number of sign-ins, and such a service can refuse a device whose counter is behind the value it last saw. However, if you have firmware version 1.4.2 or higher, the U2F counter is restored automatically.

TREZOR/U2F Login on Your Linux Mint

Note We would like to thank Shane Antyr who wrote this manual and let us use it.

Warning This manual requires certain skills in working with the command line. There is no guarantee it will work, and we cannot ensure that you will not make any mistakes. Be aware that if something goes wrong, or you do not have your Trezor handy after you finish configuring U2F on your workstation, you will be locked out.

Before starting the installation, upgrade your Trezor device to the latest firmware. Then follow this step-by-step guide:

1. Install the required U2F packages. Run:

sudo apt-get install libpam-u2f pamu2fcfg

2. Generate your U2F mappings file. Plug in your Trezor device and run:

pamu2fcfg -u $USER > /tmp/u2f_mappings
echo >> /tmp/u2f_mappings
pamu2fcfg -u root >> /tmp/u2f_mappings

Confirm the action on your Trezor device.

3. Move the u2f_mappings file into /etc and set correct permissions:

sudo mv /tmp/u2f_mappings /etc/u2f_mappings
sudo chown root:root /etc/u2f_mappings

4. Configure PAM to use U2F:

The u2f_mappings file that was placed in /etc is read by the pam-u2f module. To add two-factor authentication to your system, set up PAM to use this module by adding a couple of configuration lines to the appropriate PAM configuration files. List them with:

ls /etc/pam.d

Examples of where to add U2F authentication module:

  • sudo
  • login
  • su
  • mdm, lightdm or gdm
  • cinnamon-screensaver

Note It is possible to see all the things which require U2F authentication by looking in /etc/pam.d/.

How to add U2F to sudo command

1. Open up the sudo configuration file:

sudo nano /etc/pam.d/sudo

2. Add this at the end of the file:

# u2f authentication
auth required pam_u2f.so authfile=/etc/u2f_mappings cue

Test your configuration by opening up another terminal window and running a sudo command. If these things are done correctly, you will be asked for your password and then prompted to “Please touch the device.” Your Trezor device will also be prompting you to authorize the request. Congratulations, your system now requires your Trezor to run sudo.
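The checks below are an added example, not part of the original manual: a pre-flight script that confirms the steps above left a mapping entry for the current user and for root, a root-owned /etc/u2f_mappings, and an active pam_u2f.so line pointing at it, so a mistake is caught before it locks you out. The function names are hypothetical, and the script only checks that an entry exists, not that its registration data is valid.

```shell
#!/bin/sh
# Added example: pre-flight checks for the pam_u2f setup on this page.
# Function names are hypothetical; default paths are the ones used above.

# has_mapping FILE USER: FILE holds a non-empty "USER:<data>" entry.
has_mapping() {
    [ -r "$1" ] || return 1
    awk -F: -v u="$2" '$1 == u && length($2) > 0 { ok = 1 } END { exit !ok }' "$1"
}

# owned_by FILE UID: FILE is owned by the numeric UID (0 for root).
owned_by() {
    [ "$(ls -ln "$1" | awk '{ print $3 }')" = "$2" ]
}

# pam_uses_u2f PAMFILE AUTHFILE: PAMFILE has an active "auth" line that
# names the pam_u2f.so module and passes authfile=AUTHFILE.
pam_uses_u2f() {
    [ -r "$1" ] || return 1
    awk -v want="authfile=$2" '
        $1 == "auth" {
            mod = 0; af = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_u2f\.so$/) mod = 1
                if ($i == want) af = 1
            }
            if (mod && af) ok = 1
        }
        END { exit !ok }' "$1"
}

# preflight [MAPPINGS] [PAMFILE]: run every check, report each failure.
preflight() {
    map=${1:-/etc/u2f_mappings}; pam=${2:-/etc/pam.d/sudo}; rc=0
    for u in "$(id -un)" root; do
        has_mapping "$map" "$u" || { echo "FAIL: no U2F entry for $u in $map"; rc=1; }
    done
    owned_by "$map" 0 || { echo "FAIL: $map is not owned by root"; rc=1; }
    pam_uses_u2f "$pam" "$map" || { echo "FAIL: $pam has no pam_u2f.so line for $map"; rc=1; }
    return $rc
}

# Run as: sh u2f_preflight.sh --run   (keep a root shell open while testing)
if [ "${1:-}" = "--run" ]; then preflight; fi
```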

See also this blog for detailed information
