User manual:Two-factor Authentication with U2F

From Trezor Wiki
Revision as of 23:29, 8 June 2018 by Sipak (TREZOR > Trezor)

Two-factor authentication (2FA) is currently the most common way to protect your online accounts from unauthorized access. In addition to something you know (your username and password), you log in with something that only you have: a phone, an app, or a specialized hardware token.

However, some methods of 2FA are inherently insecure. The most popular 2FA implementation, Time-based One-Time Password (TOTP), popularized by its use on Google Auth services, transmits the shared secret (master key) over the internet during the setup process. This weakness has been recognized by major players, who created the FIDO Alliance and defined new, more secure standards such as U2F.

Starting with firmware 1.4.0, Trezor officially supports the U2F specification. After updating your device firmware, you can start using Trezor as your second-factor authentication token with services such as Google or Dropbox. Check out services using U2F at

One further improvement of Trezor on top of U2F is that Trezor users can truly verify what they are about to authorize via the on-device display.

Note: You can find a list of websites which support U2F at

How to Set Up Trezor as a U2F Key

In this short tutorial, we will use Dropbox as the example; however, all services should have a similar setup procedure.

  1. In Settings, click on ‘Add’ to set up Trezor as your U2F Security Key.
  2. Plug in your Trezor.
  3. Wait for the prompt on your Trezor.
  4. Confirm after checking the request shown on the device display.
  5. Done! You can start using Trezor to log into Dropbox alongside a simple password.

Using Trezor as a U2F Key

We are using GitHub as an example, but all services should have similar login procedures.

  1. Log in as usual.
  2. Plug in Trezor.
  3. The device will not ask you for your PIN. Your login credentials for the service serve as the first factor, and your Trezor serves as the second factor.

Restoring U2F Counter on Trezor

Restoring a seed on another Trezor restores all the U2F keys too, as they are derived from one master key. However, due to the design of U2F, some services might implement a counter that records the number of sign-ins. When recovering a seed, or cloning a Trezor, this counter will be behind the value the service has recorded and might have to be increased in order for the recovered Trezor to work successfully with that service.

Note: If your firmware is version 1.4.2 or higher, the U2F counter will be restored automatically on Wallet Recovery. Simply restore your wallet, and the U2F counter will be set to the UNIX time at the moment of recovery.

You can increase the counter manually with python-trezor:

trezorctl set_u2f_counter $(date +%s)

This command will increase the counter to the current UNIX time. (As long as the counter is higher than the one recorded on the provider’s side, login will be successful.)
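The following is an added model of the counter check described above, written for this page and not taken from Trezor firmware, python-trezor, or any service; the class and method names, the five-login history, and the key handle are assumptions. It shows why a freshly restored device (counter back at 0) is rejected and why setting the counter to the current UNIX time makes the next login succeed.

```python
import time
class CounterRollback(Exception):
    """Signature counter did not increase: possible cloned or restored key."""

class RelyingParty:
    """Server side of the check: remembers the highest counter seen per key."""
    def __init__(self):
        self.last_counter = {}  # key handle -> highest counter accepted so far

    def register(self, key_handle, counter=0):
        self.last_counter[key_handle] = counter

    def authenticate(self, key_handle, counter):
        # U2F requires the counter to be strictly greater than the stored value.
        last = self.last_counter[key_handle]
        if counter <= last:
            raise CounterRollback(f"counter {counter} <= stored {last}")
        self.last_counter[key_handle] = counter
        return True

class Authenticator:
    """Device side: one global counter that increments on every sign-in."""
    def __init__(self, counter=0):
        self.counter = counter

    def sign(self):
        self.counter += 1
        return self.counter

    def set_u2f_counter(self, value):
        # Models what `trezorctl set_u2f_counter <value>` does on the device.
        self.counter = value

def recovery_scenario(now=None):
    """Return (login_ok_before_fix, login_ok_after_fix) for a restored device."""
    now = int(time.time()) if now is None else now
    rp = RelyingParty()
    rp.register("kh-constructed")  # constructed key handle, not a real one
    original = Authenticator()
    for _ in range(5):  # five normal logins with the original device
        rp.authenticate("kh-constructed", original.sign())
    restored = Authenticator()  # same seed -> same key, but counter back at 0
    try:
        rp.authenticate("kh-constructed", restored.sign())
        before_fix = True
    except CounterRollback:
        before_fix = False
    restored.set_u2f_counter(now)  # the manual fix from the article
    after_fix = rp.authenticate("kh-constructed", restored.sign())
    return before_fix, after_fix
```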

Relevant discussion: Reddit Thread.
