Aside from being a bitcoin wallet, the Trezor supports FIDO U2F and seems to offer some unique benefits over a Yubikey:

  1. The keys are always generated on the device and never rely on the manufacturer supplied secrets. (vs. Yubikey issuing the key, meaning mass hacks may happen in the future)
  2. User can confirm login on the Trezor screen. (Yubikey has no screen)
  3. The U2F keys can be backed up and restored with the 24-word seed phrase. (Yubikey has no backup option)

Cons:

  1. I understand that the Trezor does not use a secure element, so this might mean that keys are easier to steal in a lab context.
  2. More complex = greater attack surface.

Are there any other security benefits / issues one should be aware of that would make the Yubikey a better option specifically with regards to FIDO U2F?

Jonathan Cross
  • "keys are always generated on the device...vs. yubikey _issuing_ the key" - Doesn't seem to me like much is different (trust wise at least), you either have to trust that Yubico doesn't keep a copy of your key or that Trezor doesn't send you a key with a backdoor. Sure it _sounds_ better that the key is generated by the device, but you still have to trust them that it's actually doing that. – AndrolGenhald Nov 01 '17 at 13:15
  • Thanks @AndrolGenhald, the Trezor is open hardware and users have the option to compile and load their own firmware onto the device. They can also provide a seed phrase generated elsewhere, which would allow them to confirm it is operating correctly at least. Modern Yubikeys (v4+) now rely on closed-source, proprietary components, so I don't think this is possible. – Jonathan Cross Nov 01 '17 at 16:58
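Point 3 of the question (U2F credentials recoverable from the 24-word seed) is only possible if the token derives each registration's key from its seed instead of storing it, and point 1 is about where that seed comes from. The block below is an added example of that design, not Trezor's or Yubico's code: the HMAC-based derivation, the key-handle layout and the app id are assumptions made for illustration, and a real token would turn the derived secret into a P-256 signing key.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demo values, not real device material.
SEED_A = hashlib.sha256(b"constructed demo seed A").digest()
SEED_B = hashlib.sha256(b"constructed demo seed B").digest()
APP_ID = b"https://example.com"  # U2F application id (constructed)


def derive_private_key(seed: bytes, app_id: bytes, nonce: bytes) -> bytes:
    """Deterministically derive a per-registration secret from the device
    seed, the relying party's app id and a per-registration nonce.
    Hypothetical scheme: HMAC-SHA256 keyed by the seed. Same seed + same
    handle always gives the same key, which is what makes seed backup work."""
    return hmac.new(seed, b"u2f-key" + app_id + nonce, hashlib.sha256).digest()


def register(seed: bytes, app_id: bytes) -> Tuple[bytes, bytes]:
    """Return (key_handle, private_key). The key handle is a fresh nonce plus a
    MAC binding it to this seed and app id; the token stores nothing per site."""
    nonce = os.urandom(32)
    tag = hmac.new(seed, b"u2f-handle" + app_id + nonce, hashlib.sha256).digest()
    return nonce + tag, derive_private_key(seed, app_id, nonce)


def authenticate(seed: bytes, app_id: bytes, key_handle: bytes) -> Optional[bytes]:
    """Re-derive the private key from the handle, or return None when the handle
    was not issued by this seed for this app id (U2F's 'check-only' step)."""
    if len(key_handle) != 64:
        return None
    nonce, tag = key_handle[:32], key_handle[32:]
    expected = hmac.new(seed, b"u2f-handle" + app_id + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return derive_private_key(seed, app_id, nonce)


def demo() -> dict:
    """Restore from the same seed succeeds; a different seed (another device)
    or a different origin (phishing site replaying the handle) is rejected."""
    handle, key = register(SEED_A, APP_ID)
    return {
        "restore": authenticate(SEED_A, APP_ID, handle) == key,
        "other_seed": authenticate(SEED_B, APP_ID, handle),
        "other_origin": authenticate(SEED_A, b"https://other.example", handle),
    }
```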

0 Answers