This article clarifies the definitions of FIDO, FIDO2 and Security Key, and gives suggested practices for using OneKey hardware wallets as a Security Key.
What is a Security Key?
A Security Key is a physical device that implements the FIDO standard to provide two-factor (2FA), multi-factor (MFA), or passwordless authentication. When you log into a service that supports FIDO, you can add a Security Key as a complementary authentication method to your passkeys (biometric ID or authenticator applications).
| Protocol | Supported devices |
| --- | --- |
| FIDO U2F | All models of OneKey hardware wallets |
| FIDO2 | OneKey Pro, OneKey Touch, OneKey 1S |
Please note that all models of OneKey hardware wallets currently only support FIDO/FIDO2 authentication via USB connection.
What is FIDO and FIDO2 Authentication?
FIDO (Fast IDentity Online) is an open standard designed to simplify and strengthen authentication processes. The standard, originally designed by Google and Yubico with support from NXP Semiconductors, is now hosted by the FIDO Alliance, aiming to reduce the reliance on passwords, which can be weak and easily compromised. Instead, FIDO uses public key cryptography to provide strong, phishing-resistant authentication.
FIDO2 is the latest set of specifications from the FIDO Alliance and the World Wide Web Consortium (W3C). It builds on the original FIDO U2F (Universal 2nd Factor) standard and includes two main components:
- WebAuthn (Web Authentication): An API that allows web applications to perform passwordless authentication, token-based authentication, and second-factor authentication (2FA) using public-key cryptography.
- CTAP (Client to Authenticator Protocol): A protocol that allows external devices (such as hardware tokens) to interact with browsers through standardized interfaces.
Key Differences between FIDO and FIDO2:
- Passwordless Authentication: FIDO2 extends the capabilities of FIDO U2F by allowing passwordless logins, which FIDO U2F does not support.
- Broader Web Integration: With the introduction of WebAuthn, FIDO2 is designed for seamless integration with web applications, making it easier to implement across various platforms and services.
- Enhanced Security Features: FIDO2 offers more robust protection against phishing attacks and other forms of credential theft.
Using OneKey Devices as Security Keys
Our OneKey hardware wallets are designed to offer strong security features, including FIDO and FIDO2 support. Here's a general workflow for using a OneKey hardware wallet as a FIDO Security Key for web authentication:
- Register Your OneKey Device:
  - Connect your OneKey hardware wallet (via USB) to your computer.
  - Go to the security settings of the web service you want to use (such as Google, Facebook, or any supported service).
  - Select the option to add a security key and follow the prompts to register your OneKey device.
- Authenticate with Your OneKey Device:
  - Choose security key as the verification method.
  - Connect your OneKey hardware wallet to your computer via USB cable.
  - Depending on the service and device, you may need to confirm on the hardware wallet screen to finish.
Recommended Practice and Notices
- To avoid lock-outs: a lost or reset hardware wallet can lock you out of your favorite web services, so set up additional verification methods (e.g., Face ID, Touch ID) in addition to your hardware wallet security key.
- Recovery phrases alone cannot recover FIDO/FIDO2 credentials: both FIDO and crypto wallets rely on recovery phrases to restore key pairs (public and private keys), but unlike crypto assets, FIDO authentication keys also depend on hardware-device-specific information such as the serial number. The same recovery phrase loaded into a different hardware wallet can therefore produce a key pair that does not match the registered FIDO2 credential, and the log-in fails. For example, Google and Binance accounts will not recognize the same recovery phrase in a different hardware wallet as the same security key.
- The counter principle in FIDO2: FIDO2 uses a signature counter to detect replay attacks. Both the authentication server (the web service you log into) and the device (e.g., the hardware wallet) keep a count of authentication requests. For servers that enforce the counter, resetting a hardware wallet restarts its counter, creating a mismatch with the value recorded on the server, so log-in fails even with the same (reset) device and the same recovery phrase.
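The following is an added illustration, not OneKey's or any web service's code, of how a server-side signature-counter check produces the lock-out described above. It models the WebAuthn rule that an asserted counter must be strictly greater than the stored one (taking the strict "reject" option the spec allows), with a constructed stand-in for the counter a hardware wallet keeps, and a simulated factory reset.

```python
from dataclasses import dataclass


@dataclass
class CredentialRecord:
    """Server-side record for one registered security key (constructed example)."""
    credential_id: str
    sign_count: int = 0  # last signCount the server accepted for this credential


class CloneOrReplaySuspected(Exception):
    """Raised when the asserted counter does not move forward."""


def check_sign_count(record: CredentialRecord, asserted_count: int) -> bool:
    """Apply the WebAuthn signature-counter rule during an assertion.

    If both stored and asserted counters are zero, the authenticator does not
    implement a counter and the check is skipped. Otherwise the asserted value
    must be strictly greater than the stored value; a lower or equal value is
    treated as a possible replay or cloned/reset authenticator and rejected.
    """
    if record.sign_count == 0 and asserted_count == 0:
        return True
    if asserted_count > record.sign_count:
        record.sign_count = asserted_count  # advance the server's record
        return True
    raise CloneOrReplaySuspected(
        f"{record.credential_id}: asserted {asserted_count} <= stored {record.sign_count}"
    )


class Authenticator:
    """Constructed stand-in for the counter kept inside the hardware wallet."""

    def __init__(self) -> None:
        self.counter = 0

    def sign(self) -> int:
        self.counter += 1  # each assertion increments the device counter
        return self.counter

    def factory_reset(self) -> None:
        self.counter = 0  # a reset wipes the counter along with the credentials


def simulate_reset_lockout(logins_before_reset: int = 5) -> str:
    """Log in N times, reset the device, then try once more with the same record."""
    server = CredentialRecord("cred-constructed-001")
    device = Authenticator()
    for _ in range(logins_before_reset):
        check_sign_count(server, device.sign())
    device.factory_reset()
    try:
        check_sign_count(server, device.sign())  # counter restarts at 1, server holds 5
        return "accepted"
    except CloneOrReplaySuspected:
        return "rejected"
```

Services that log the rejection reason, as the check above does, make it easy to distinguish a reset key from a genuinely cloned one when a user contacts support.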
For further assistance or detailed instructions, please refer to our Help Center or contact our support team. Stay secure with OneKey!