How to use Trezor as a FIDO2 security key? (Passwordless login)

Apr 13, 2026 at 09:40 pm

Hardware Wallet Dual-Use Capability

1. Trezor devices support FIDO2 authentication starting from firmware version 2.5.0 for Model T and 23.1.0 for Safe 3 and Safe 7.

2. The device must be physically connected via USB or paired over Bluetooth, depending on model capabilities and host OS support.

3. No additional software installation is required on modern operating systems — Windows 10/11, macOS 12+, and Linux kernels 5.10+ include native FIDO2 drivers.

4. Users must enable the FIDO2 feature explicitly in Trezor Suite under Settings > Security > FIDO2 Authentication.

5. Once enabled, the device appears as a WebAuthn authenticator to compatible websites and services such as GitHub, Google, Dropbox, and Microsoft Entra ID.

Registration Process on Supported Platforms

1. Navigate to the account security settings of a service that supports passkeys or FIDO2, like GitHub’s “Password and authentication” section.

2. Select “Add security key” or “Register new passkey”, then insert or wake the Trezor device.

3. Confirm registration on the Trezor screen using a button press or biometric verification if supported.

4. Assign a human-readable nickname (e.g., “Trezor Safe 7 – Work”) during registration — this label is stored locally on the host, not on the device.

5. Completion triggers a cryptographic attestation exchange; the service stores only the public key and credential ID, never the private key.

Authentication Flow During Login

1. When prompted for second-factor or passwordless login, the browser initiates a WebAuthn assertion request.

2. Trezor receives the challenge through the CTAP2 protocol and displays the relying party’s domain name (e.g., “login.microsoft.com”).

3. The user confirms intent by pressing both buttons simultaneously on Safe 3, or tapping the screen on Safe 7 or Model T.

4. The device signs the challenge with its internal ECDSA key and returns the signature without exposing the private key material.

5. The relying party verifies the signature using the previously registered public key and grants access upon validation.

Security Boundaries and Limitations

1. Each FIDO2 credential is bound to a specific origin — a Trezor registered at “github.com” cannot authenticate at “gitlab.com”.

2. Credentials are not synced across devices; losing the Trezor means losing access unless backup credentials (e.g., recovery codes or alternate keys) exist.

3. PIN protection for FIDO2 operations is enforced only when the device’s main wallet PIN is active — disabling wallet PIN disables FIDO2 PIN enforcement.

4. Trezor does not store biometric templates; fingerprint or face data remains entirely on the host system, never touching the hardware wallet.

5. Firmware updates may reset FIDO2 credentials — users must re-register keys after major firmware upgrades unless migration support is explicitly documented.

Frequently Asked Questions

Q1. Can I use the same Trezor for both cryptocurrency signing and FIDO2 login simultaneously?

Yes. Cryptocurrency signing and FIDO2 operations use separate key derivation paths and do not interfere. The device handles concurrent contexts internally.

Q2. Does Trezor support resident keys (discoverable credentials)?

Yes. Trezor Safe 7 and Model T support resident keys when configured with user verification enabled. Safe 3 requires external user verification via the host system and does not store discoverable credential metadata.

Q3. Why does my Trezor not appear as an option during FIDO2 registration on Chrome?

This occurs when USB permissions are blocked, the site lacks HTTPS, or the device is in bootloader mode. Ensure Trezor Suite is closed, the site uses a valid TLS certificate, and the device shows the home screen before initiating registration.

Q4. Is it possible to export or back up a FIDO2 credential from Trezor?

No. FIDO2 credentials are non-exportable by design. They are cryptographically bound to the device and cannot be extracted, cloned, or migrated to another authenticator.
