DeletedUser34

Back in May 2024 a GrapheneOS developer mentioned the Trezor Safe 3 as what they consider a more secure alternative to FIDO2 with Yubikeys (source).

Quote:

https://trezor.io/trezor-safe-3 has a decent secure element and can be used for FIDO2, and using it requires unlocking it with a PIN, with the secure element enforcing a maximum attempt limit.

That's not the main purpose of it, but it can be used for FIDO2, SSH, PGP and other things like that, despite that not being the main use.

    fid02 Outside of its main purpose, the documentation is terrible. Someone please send sources if I'm wrong somewhere.
    It's an interesting device for U2F if you already use it for crypto, but it's more like OnlyKey than Yubikey or Nitrokey.

    It's not unique and unforgeable. It has a secure element, but the main key is not derived from an unreadable hidden key, but from a dice password you remember. So in practice everything I said about OnlyKey applies.
    No NFC, not waterproof. There is some documentation on GPG, but it looks like it doesn't work as a standard Smartcard. Isn't it only a backup for GPG keys stored in the home directory?

    Updated table:

    | Feature\Device     | Yubikey | Nitrokey | OnlyKey | Trezor |
    |--------------------|---------|----------|---------|--------|
    | Unique/unforgeable | yes     | yes      | no      | no     |
    | Updatable          | no      | yes      | yes     | yes    |
    | Smartcard          | yes     | yes      | no      | no     |
    | Passkeys           | 128     | 50?      | 12?     | no?    |
    | NFC                | yes     | yes      | no      | no     |
    | IP68               | yes     | no       | yes     | no     |
    | Backup             | no      | no       | yes     | yes    |
    | Long-term cost     | $$$     | $$       | $       | $      |
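The "unique/unforgeable: no" and "backup: yes" rows above are two sides of the same design choice: on a seed-phrase device the signing keys are a pure function of the words, so anyone holding the words can rebuild them, whereas a key generated on-chip from a random source can neither be backed up nor reproduced. The following is an added example written for this thread, not code from Trezor, OnlyKey or any vendor. It implements the public BIP-39 seed derivation (PBKDF2-HMAC-SHA512, salt "mnemonic" plus passphrase, 2048 rounds, 64 bytes) and checks it against the published all-zero-entropy test vector; the per-service derivation `derive_service_key` is an assumed stand-in for illustration only and is not Trezor's actual U2F/FIDO2 key scheme.

```python
"""Why a seed-phrase device is backup-able but not "unique/unforgeable".

Example code added to this discussion, not any vendor's firmware.
"""
import hashlib
import hmac
import os
import unicodedata

BIP39_ROUNDS = 2048
BIP39_SEED_LEN = 64

# Constructed input: the all-zero-entropy mnemonic from the BIP-39 test
# vectors, with the passphrase those vectors use.
TEST_MNEMONIC = ("abandon " * 11 + "about").strip()
TEST_PASSPHRASE = "TREZOR"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP-39 seed from a mnemonic sentence.

    The result is a pure function of the words plus the optional
    passphrase: no device-specific secret enters the derivation.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(),
                               BIP39_ROUNDS, BIP39_SEED_LEN)


def derive_service_key(seed: bytes, label: str) -> bytes:
    """Illustrative per-service key (HMAC-SHA256 over the seed).

    Assumption: this is NOT Trezor's real U2F/FIDO2 derivation, only a
    stand-in showing that anything derived from the seed is reproducible
    from the words alone.
    """
    return hmac.new(seed, label.encode(), hashlib.sha256).digest()


def device_unique_key() -> bytes:
    """Model of a key a Yubikey-style device creates on-chip at first use:
    fresh randomness that never leaves the device, so nothing outside it
    can recompute it. Two devices running this get unrelated keys."""
    return os.urandom(32)


def clone_is_possible(mnemonic: str, passphrase: str, label: str) -> bool:
    """Two independent 'devices' restored from the same words yield the
    same service key: a backup exists precisely because the device is
    not the sole holder of the secret."""
    device_a = derive_service_key(bip39_seed(mnemonic, passphrase), label)
    device_b = derive_service_key(bip39_seed(mnemonic, passphrase), label)
    return hmac.compare_digest(device_a, device_b)


def onchip_keys_differ() -> bool:
    """Two devices that generate their own key on-chip cannot be matched."""
    return not hmac.compare_digest(device_unique_key(), device_unique_key())


if __name__ == "__main__":
    seed = bip39_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    print("BIP-39 seed:", seed.hex())
    print("seed-phrase devices clonable:",
          clone_is_possible(TEST_MNEMONIC, TEST_PASSPHRASE, "u2f/example.org"))
    print("on-chip keys unrelated:", onchip_keys_differ())
```

The practical reading: if the words (and passphrase) leak, every key the device ever derived is recoverable off-device, which is what "not unique/unforgeable" means here; the same property is what lets you restore a second unit as a backup.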

      DeletedUser43 I deliberately didn't comment on the practicality of Trezors as FIDO keys, seeing as the original post was asking about security features. Thought it would be nice to quote a security researcher on the matter, as my own insight into hardware security is severely restricted. But I agree with you on the practical challenges of using a Trezor if you're intending to carry a key around with you wherever you go, indoors and outdoors; it's clearly not designed for that practical purpose.

      10 days later

      I'm still unsure what to buy and use. Maybe @GrapheneOS can explain the Trezor Safe 3 and why I should buy it instead of, for example, a Yubikey. Because I wanted to buy it before, but now I'm unsure of this decision...

      Guillaume
      Change your bank, my friend; you don't need a proper signature to set up a SEPA mandate.
      Everything got leaked from Free, including the signature you put on your contract and SEPA mandate.
      If you don't want to change your bank, at least enable a SEPA whitelist.

      DeletedUser34 You asked which one is the most secure one. Maybe you should describe what you want to use it for?

      • FIDO?
      • SmartCards?
      • PassKeys?
      • Crypto?
      • Are you willing to maintain 2-3 keys, or would you like to be able to do a backup?
      • Would you like to have NFC for a little quicker use with a smartphone?

        DeletedUser43 I want to use it as a U2F key and only with my phone. And maybe Passkeys, but I don't think that I will use them. What are SmartCards? And no crypto or NFC for me. No, I would only buy one key.

          DeletedUser34 We've explained at length what a SmartCard is in this discussion.

          Take a look at the table I've prepared. The best fit is the OnlyKey, which @EmLeX932 recommends. If you don't know what a SmartCard is, then you don't need it. If you want a backup, then Yubikey and Nitrokeys are out. If you don't need crypto, then OnlyKey will give you IP68 and PassKey support instead.

          21 days later