Biometric authentication in Trezor Suit

[m2017]

The Trezor Suit's latest update, v.25.9.3, added some "interesting" features: biometric authentication using your face or fingerprints.

From a security standpoint, in my opinion, biometric authentication isn't a stronger defense because someone can be forced to unlock their device under physical duress (or, as technology advances, biometrics can be counterfeited). Simply put, simply tapping the victim's face or finger into a Face ID\Touch ID app is impossible. This isn't possible with a PIN code, meaning only you know (unless you can read their minds or force them to voluntarily reveal their identity ).

Would you use biometric authentication to unlock your wallet?

Aren't you afraid that your gf will use your finger to unlock and empty your wallet while you sleep? There are various possible scenarios with a similar outcome.

[Charles-Tim]

Would you use biometric authentication to unlock your wallet?

No.

Although, I decided to have it on my online wallets on my phone if the wallet supports it because I have just little amount of coins there which are often the coins that I receive from signature campaign but I moved it from the wallet as soon as I see it each week.

Aren't you afraid that your gf will use your finger to unlock and empty your wallet while you sleep? There are various possible scenarios with a similar outcome.

While sleeping? Face ID can not work while sleeping, but fingerprint would unlock the wallet. Very bad for a hardware wallet that people will use to access and spend huge amount of money.

[Hatchy]

Since we have an option to choose not to use the biometric authentication, then I'll rather stick with my pin or a password to access the wallet. There are many possibilities when it comes to biometric security, it might put you in danger, if some kind of intel is leaked about you having used it for security purposes. The pin or password option is fine enough, and I'll just stick with the old horse instead.

Although, I decided to have it on my online wallets on my phone if the wallet supports it because I have just little amount of coins there which are often the coins that I receive from signature campaign but I moved it from the wallet as soon as I see it each week.

Most hot wallet has the biometric authentication features, but I don't actually use it on my wallet. The mobile where I have my hot wallet can only be unlocked by my password, so no one is getting an access to it that easily. One thing I noticed about the biometric authentication, is I somehow do forget what my password actually is. The last time I had a cut on my finger, my device refused to unlock. I had to think my password several times before I got it right. This might be another advantage of using the password all the time..

[Forsyth Jones]

Would you use biometric authentication to unlock your wallet?

Since it's a security measure that only unlocks the Trezor Suite interface, where you can check your balances, but for signing transactions it continues in the same way, requiring the user to provide a PIN and passphrase (if enabled) on the Trezor device. I don't see any problem with enabling it. Furthermore, I believe that for this feature to work properly, you must have Trezor Suite remember/store your wallet's extended public key (XPUB) from previous use.

I enable biometric authentication on my PC and my mobile devices without any problems. On my Android,  even though biometrics are enabled, from time to time it asks for my password, which helps me always remember the password.

Most hot wallet has the biometric authentication features, but I don't actually use it on my wallet. The mobile where I have my hot wallet can only be unlocked by my password, so no one is getting an access to it that easily. One thing I noticed about the biometric authentication, is I somehow do forget what my password actually is. The last time I had a cut on my finger, my device refused to unlock. I had to think my password several times before I got it right. This might be another advantage of using the password all the time..

I use a password manager called Strongbox PRO on iOS. It also has the feature to biometric authentication via Face ID, but I can adjust it to ask for my database password from time to time. This way, I still have to remember my password, as I will have to enter it at some point (within a week).

While I find biometric authentication efficient for unlocking my mobile devices and PC, I'd never use it on a hardware wallet for obvious reasons: I can be forced to transfer at any time just by pressing my finger or looking at the camera.

[PX-Z]

Would you use biometric authentication to unlock your wallet?

Aren't you afraid that your gf will use your finger to unlock and empty your wallet while you sleep? There are various possible scenarios with a similar outcome.

I always use it on any financial apps i used on my mobile phone if there is available feature. Such data are not saved on apps but just on the device itself so you don't need to worry. Unless your device is infected by malware and this data can be extracted too.

About my gf or partner, no she won't, as i give what always needs/wants and that's why you choose right people to be your partner.

[FinneysTrueVision]

Biometric authentication is only used to open their wallet application, but you cannot spend funds with this feature. The hardware device still requires a pin to unlock and you also can choose to set a passphrase for your wallet.

If someone made a replica of your biometrics, it could only give them access to a watch-only version of your wallet as long as you set a device PIN and a passphrase. Before this update, it wasn’t even possible to lock the Trezor Suite application on desktop, although you can set it to automatically eject the watch-only wallets whenever you disconnect if you want more privacy.

[satscraper]

Would you use biometric authentication to unlock your wallet?

Nope. Biometric on HW would be not my choice. I had a bad experience with biometric authentication on my desktop, which prevented me from logging into the system. Because of that, I wouldn't trust it on hardware wallets, especially when quick transaction sending is important ^{as with this feature, there's always the risk of hardware glitches, which could lock me out when I need access the most}. A long PIN is more than enough to keep authentication secure and stash safe.

[Charles-Tim]

Most hot wallet has the biometric authentication features, but I don't actually use it on my wallet. The mobile where I have my hot wallet can only be unlocked by my password, so no one is getting an access to it that easily. One thing I noticed about the biometric authentication, is I somehow do forget what my password actually is. The last time I had a cut on my finger, my device refused to unlock. I had to think my password several times before I got it right. This might be another advantage of using the password all the time..

I do not support fingerprint to be used to unlock a wallet, but just that I used it on my mobile wallet which are not funded more than some minutes or some hours not up to a day. That is super easy, all you need to do is to get your seed phrase backup if you have forgotten the password, go to the wallet storage under app settings and clear the storage. Open the wallet and import the seed phrase and set another password.

Where huge amount of money is, use just password and no biometry.

[Lucius]

I used the facial recognition method to unlock my laptop 15 years ago and was honestly surprised that it only started to become standard many years later. Today, it seems to me too trivial a method of authentication, considering that this method can be quite unreliable if we take into account that the face can change due to illness or a traffic accident or a physical attack, and that the same can happen with fingerprints.

I am not saying that such methods are not very attractive due to their simplicity and speed of authentication, but I personally would not use them for crypto wallets.

[dkbit98]

We already talked about this new feature before in forum, it's just for locking of Trezor Suite app, not for Trezor device.
This is mostly for people who own laptops with fingerprint scanners, and they are usually used for logging in, or opening something with administrative rights.
It's important that this is only option feature in Trezor Suite, so you don't have to use it if you don't want.

[m2017]

I always use it on any financial apps i used on my mobile phone if there is available feature. Such data are not saved on apps but just on the device itself so you don't need to worry. Unless your device is infected by malware and this data can be extracted too.

It's up to each user to decide whether to use biometric app unlocking. I'm not pushing it, and I'd be interested to hear others' opinions.

Yes, I know that biometric data is stored only on the device itself, as the developers claim, but there's still a "fear" that this isn't entirely true.

"If" your device isn't infected. Usually, by the time people find out, it's too late. But I think this is just another "horror story", since according to the biometric unlocking technical specifications, the data is stored encrypted, not clear. So, even if this data is stolen, there's no guarantee that attackers will be able to use it for their own gain.

About my gf or partner, no she won't, as i give what always needs/wants and that's why you choose right people to be your partner.

About my gf or partner, no she won't, as i give what always needs\wants and that's why you choose right people to be your partner.

Choices aren't always the right ones, and they're discovered too late, and I wouldn't be so sure about what other people will or can do. Over time, relationships can deteriorate, revealing new traits in a partner. Blind faith is bad, but being prepared for negative consequences (predictability) is good.

[Forsyth Jones]

About my gf or partner, no she won't, as i give what always needs\wants and that's why you choose right people to be your partner.

Choices aren't always the right ones, and they're discovered too late, and I wouldn't be so sure about what other people will or can do. Over time, relationships can deteriorate, revealing new traits in a partner. Blind faith is bad, but being prepared for negative consequences (predictability) is good.

Regarding the risk of someone using your finger to unlock an app with your registered biometrics, as in the case of Trezor Suite (I used it as an example, even though Trezor Suite is just a manager, to send coins, you need to physically confirm on the HW device), there's also the security layer of your operating system user, which should be protected by a strong password.

Or, if it's another app that allows biometric registration + 2FA, it's another interesting solution to prevent this type of attack from third parties using your finger while you sleep.

That's why we shouldn't rely on just one authentication method, use as many as necessary, depending on the importance of the data contained in the app or the threat model. Always enable TOPT 2FA and use a strong password for everything.

Another interesting method is to choose your partner carefully  or always be vigilant.