I'm not familiar with how Trezor and Ledger devices work, but my initial guess would be that your Ledger device doesn't recognize the key handles (WebAuthn calls them "credential IDs") created by the Trezor device.
U2F credentials, and non-resident WebAuthn credentials, work by encrypting the private key in some unspecified format and returning that ciphertext to the server as the key handle; when challenged to authenticate, the authenticator receives the key handle back, unwraps the private key and signs the challenge. So for that to work with the same credentials on two authenticators, the authenticators first of all need to have the same wrapping key. Second, both devices need to understand each other's key wrapping formats so they can unwrap each other's key handles. I wouldn't assume that either of these requirements is satisfied, as the Trezor and Ledger firmwares may differ both in how they derive the wrapping key from the root key material, and in their respective wrapping/unwrapping algorithms.
Even if there is a way to get all of that to work, there is an additional complication: the signature counter, which was specifically designed to counter your use case. When a credential's signature counter decreases, servers might reject the login attempt or even invalidate the credential. So to make sure everything works, you would have to also synchronize the signature counter between the devices.
So I wouldn't expect it to be possible to use two different authenticators as direct backups of one another. The generally accepted workaround for U2F is to instead register both devices as separate U2F authenticators.
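To make the key-handle and counter mechanics described above concrete, here is an added Python model of a U2F-style non-resident credential; it is not any vendor's firmware or FIDO reference code. The `vendor-A`/`vendor-B` derivation labels, the shared seed value and the use of HMAC in place of ECDSA signing are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Added model, not any vendor's firmware. Signing is modelled with HMAC (no ECDSA
# in the standard library), so the server keeps the credential key as a public-key stand-in.

def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class Authenticator:
    def __init__(self, seed: bytes, firmware_label: bytes):
        # The label stands in for a vendor-specific derivation path: same seed, different wrapping key.
        self.wrap_key = _mac(seed, b"u2f-wrap", firmware_label)
        self.counter = 0  # per-device counter, not shared with any other device

    def register(self, app_id: bytes):
        nonce = os.urandom(32)  # key handle = nonce || tag; the tag marks it as ours
        handle = nonce + _mac(self.wrap_key, b"tag", nonce, app_id)
        return handle, _mac(self.wrap_key, b"key", nonce, app_id)

    def authenticate(self, app_id: bytes, handle: bytes, challenge: bytes):
        nonce, tag = handle[:32], handle[32:]
        if not hmac.compare_digest(tag, _mac(self.wrap_key, b"tag", nonce, app_id)):
            return None  # "this security key does not look familiar"
        self.counter += 1
        key = _mac(self.wrap_key, b"key", nonce, app_id)
        return self.counter, _mac(key, challenge, self.counter.to_bytes(4, "big"))

def server_login(creds: dict, app_id: bytes, auth: Authenticator, handle: bytes) -> str:
    """creds maps key handle -> [credential key, last accepted counter]."""
    challenge, (key, last) = os.urandom(32), creds[handle]
    result = auth.authenticate(app_id, handle, challenge)
    if result is None:
        return "unknown-key-handle"
    counter, sig = result
    if not hmac.compare_digest(sig, _mac(key, challenge, counter.to_bytes(4, "big"))):
        return "bad-signature"
    if counter <= last:
        return "counter-regressed"  # looks like a clone: servers may reject or revoke
    creds[handle][1] = counter
    return "ok"

def demo() -> tuple:
    seed, app_id = b"\x11" * 32, b"https://example.test"  # constructed values
    dev_a, dev_b = Authenticator(seed, b"vendor-A"), Authenticator(seed, b"vendor-B")
    clone = Authenticator(seed, b"vendor-A")  # same derivation as dev_a, own counter
    handle, key = dev_a.register(app_id)
    creds = {handle: [key, 0]}
    return tuple(server_login(creds, app_id, dev, handle) for dev in (dev_a, dev_b, dev_a, clone))
```

The second device shares the seed but not the derivation, so it cannot recognise the handle; the clone shares both, but its fresh counter trips the regression check.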
Hello everybody, this is the situation I am trying to understand, and how it would be solved: I am running Windows 10, so I can use FIDO2 for logging into my account in Windows, and also I can use FIDO2 for logging into one protected web server I use. I tested both with a Trezor device, which is also used for storing cryptocurrencies. I would really like to use my wallets as hardware tokens to access my devices and websites. In addition to my Trezor I also own a Ledger Nano S. I can set both devices to use the same private keys and I can use them to access all the accounts in the crypto world. What I noticed is: I installed FIDO on the Trezor and used it to protect my Microsoft account and the website. Both I can log in to with no problem. Then I installed the FIDO app onto the Ledger Nano S, thinking I would be able to use it in case I lose one of those devices. I did a test and the outcome is a "This security key does not look familiar" message on my screen. When I look here: https://support.ledger.com/hc/en-us/articles/115005198545-FIDO-U2F it says I can use any other Ledger Nano S. But I cannot use FIDO on 2 of them. That confuses me even more.
What will happen if my Trezor gets broken?
Will I have to buy another Trezor even when I have another device using the same keys at hand?
Am I forever stuck if Trezor stops selling their devices?
Will the firmware updates in Trezor present a danger for me?
How about the Ledger Nano S... How does the computer know I am not using 2 devices when the seeds and passwords are the same?
Is there any way I could use the other brand as a replacement, without any further purchases?
I will be happy for any clarification. Thank you all for any responses in advance.
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/ed8367db-e34d-42cb-9606-c9314a4e1b66%40fidoalliance.org.
On Dec 11, 2019, at 2:41 PM, Joe First <mail.no...@gmail.com> wrote: