[Guide] How to Set Up Ledger Nano S To be Hardware 2Fa

[Chikito]

We all know ledger Nano S as Bitcoin hardware wallet had another function as hardware 2fa. we don't need to buy another hardware 2fa like Yubikey, Fido u2f, Google Titan, and etc.

What is hardware 2fa? hardware for confirming users’ claimed identities by using a combination of two different pieces of information or factors. Like Google, Facebook, or exchange. You don't need to download google 2fa, authy, and aegis, you just need to connect the ledger into a PC or phone to solving 2fa.

why we need hardware 2fa?. because we all know the scammer out there had methods and technical skills to watching your phone and 2fa SMS to solving another gadget. https://www.mdsny.com/hackers-can-bypass-two-factor-authentication-with-new-scam/


How to set up

1. Open the ledger live application by download https://www.ledger.com/ledger-live and don't forget to update your firmware to the latest version.



2. connect Ledger hardware wallet into PC, go to tab manager in a left application, searching in-app catalog fido U2F, then installing.



3. let's confirming in your ledger the Fido application has installed.



so, we are done here. your ledger was setting up as a bitcoin wallet and hardware 2fa.


Hot to use? example in google.

1. login into a google account and go to the 2fa page and searching security key to register



let's confirming in a ledger to registering, from now security key added into a google account, If you lost your ledger you will be lost your 2fa. but, if you keep 12-24 mnemonic seed you will be fine, you can restoring into a new ledger wallet using the same seed with the same 2fa key.


I make an example of connecting into google.

1. after login, google will ask my security key to connect it to pc



2. in my ledger device also warn me to sign 2fa.



so we are done, My google account had set up as ledger hardware 2fa also.


your ledger can to be use for security exchange also such binance, Gemini, coinbase and etc.

with this guide, you got double, ledger as hardware wallet and ledger as hardware 2fa, keep safe your money.

original thread

do with your own risk

[Darker45]

I haven't known this all along. Thanks for this, OP.

I have a few questions, though. The hardware wallet itself serves as the key, right? So you only need to insert it? Meaning, there is no number combination that would pop out on your Ledger screen to be typed upon login on Google, Binance, and so on?

What happens if the hardware is lost or destroyed? Would there be a temporary option like a backup phrase or something like that? Or you won't be able to login until you bought a new Ledger and restore it as your old 2FA key with your seed?

[Chikito]

I have a few questions, though. The hardware wallet itself serves as the key, right? So you only need to insert it? Meaning, there is no number combination that would pop out on your Ledger screen to be typed upon login on Google, Binance, and so on?

yes, no number appears, you only sign by clicking the button on Ledger wallet.

What happens if the hardware is lost or destroyed? Would there be a temporary option like a backup phrase or something like that? Or you won't be able to login until you bought a new Ledger and restore it as your old 2FA key with your seed?

If you have a 12-24 phrase mnemonic seed, you will be fine. you can restore it with a new ledger device with the same seed as the old 2FA key of course.

[Darker45]

What happens if the hardware is lost or destroyed? Would there be a temporary option like a backup phrase or something like that? Or you won't be able to login until you bought a new Ledger and restore it as your old 2FA key with your seed?

If you have a 12-24 phrase mnemonic seed, you will be fine. you can restore it with a new ledger device with the same seed as the old 2FA key of course.

Yes, of course, but pending a new Ledger device if your old one is lost or destroyed, you wouldn't be able to login to your Google, Binance, Coinbase, and other accounts?

I'm asking because that would be a huge disaster if it happens. I'm currently using mobile 2FA. If my phone is lost or destroyed, it wouldn't be much of a problem because I have a backup password that could be used in lieu of a 2FA code. Is this the same with a hardware 2FA using Ledger?

Thanks for answering, by the way!

[DdmrDdmr]

One thing to look into are potential associated problems. There is some information on the matter that I’ve found, although I cannot vouch for its certainty nor recurrence. Some that I’ve found are related to what happens or may happen when performing a firmware upgrade on the Ledger device:

Since the most recent update I am unable to get the Fido U2F to work with Google or Dropbox. When trying to login to either site I just get an error saying there is a problem when I open the app of the Ledger before I am even prompted to press the button on the Ledger to verify. Does anyone know of an easy fix for this problem?

See: https://www.reddit.com/r/ledgerwallet/comments/8gkox7/fido_u2f_not_working_since_most_recent_update/

After updating the Ledger firmware all apps must be reinstalled, involving the reset of the counter. This makes impossible to access the service using the device’s FIDO U2F app, hence you must reconfigure the service.
The FIDO U2F app of the Ledger device maintains an internal counter which changes every time U2F is used to access a third-party service.
That said, whenever you want to update the Ledger firmware or still reinstall the FIDO U2F app, take the following precautions:
1) use an alternative tool - such as an Authenticator app - to log in to the services you wish to access;
2) once logged in, go to the security settings of the services where you use FIDO U2F. Then remove the FIDO U2F authentication method you had set up with the Ledger device;
3) register again your Ledger device as an authentication method.
 

See:
https://brogna.medium.com/how-to-use-the-ledger-nano-as-a-key-for-two-factor-authentication-u2f-c4b23391e6e

Now whether the above is a constant, sporadic, or eradicated issue I cannot tell (although I’d say it persists), and it’s important to consider when using Ledger as a FIDO U2F device.

[Husna QA]

I have tried using the Trezor T and Ledger Nano X hardware wallets as 2fa hardware to access my Gmail account via PC and successfully log in. It's just that when using the Bluetooth to try the FIDO U2F app (Ledger Nano X) on a smartphone, the connection was a little constrained.
Of the two, I would prefer Trezor T if it were to be used as 2FA hardware.

[dkbit98]

This all looks nice in theory but the problem with using FIDO U2F app on ledger nano S is low capacity of this device (only 160Kb).
I think you can install maximum two or three apps before you run out of space and I also heard some people complaining about FIDO U2F issues on ledger.

[Chikito]

One thing to look into are potential associated problems. There is some information on the matter that I’ve found, although I cannot vouch for its certainty nor recurrence. Some that I’ve found are related to what happens or may happen when performing a firmware upgrade on the Ledger device:

I also heard some people complaining about FIDO U2F issues on ledger.

Maybe the issue had fixed for the latest version of the firmware (I don't have the data). we all know the issue about 2 years ago. but, do with your own risk also.

Yes, of course, but pending a new Ledger device if your old one is lost or destroyed, you wouldn't be able to login to your Google, Binance, Coinbase, and other accounts?

I'm asking because that would be a huge disaster if it happens. I'm currently using mobile 2FA. If my phone is lost or destroyed, it wouldn't be much of a problem because I have a backup password that could be used in lieu of a 2FA code. Is this the same with a hardware 2FA using Ledger?

I never tried it, maybe it works when recovering to Trezor T with the same mnemonic phrase.

but, https://support.ledger.com/hc/en-us/articles/115005198545-FIDO-U2F

If you're managing the same private keys on multiple Ledger hardware wallets, only one device can be used for Fido U2F.

dwyor

[Husna QA]

Yes, of course, but pending a new Ledger device if your old one is lost or destroyed, you wouldn't be able to login to your Google, Binance, Coinbase, and other accounts?

I'm asking because that would be a huge disaster if it happens. I'm currently using mobile 2FA. If my phone is lost or destroyed, it wouldn't be much of a problem because I have a backup password that could be used in lieu of a 2FA code. Is this the same with a hardware 2FA using Ledger?

Maybe you should add other 2fa options (such as Google authenticator) besides the hardware wallet which functions as the 2FA hardware. Even if the Ledger is lost or damaged, it can still be recovered using a seed to another Ledger. However, a Ledger developer can close in certain situations before getting a replacement Ledger to recover U2F on the damaged device.

I never tried it, maybe it works when recovering to Trezor T with the same mnemonic phrase. -snip-

I'm also unsure whether the U2F used in the Ledger can be applied to Trezor or other hardware and vice versa.

If you lose access to your device, you can restore your recovery phrase on any Ledger hardware wallet and reinstall the Fido U2F app to get access to your account.

Restoring a seed on another Trezor (see Recovery) restores all the U2F keys too, since they are derived from one master key. Due to the design of U2F, some services might implement a counter that records the number of sign-ins. However, if you have firmware version 1.4.2 or higher, the U2F counter is restored automatically.

[Husna QA]

Bad idea to use HW wallets (with U2F  enabled)  in public because by doing this you are  bragging around with the message " I'm dealing  with crypto". -snip-

I also prefer to use hardware specifically for 2fa (such as Yubico YubiKey 5 NFC, Thetis, Google Titan, or others). Keep in mind that Trezor or Nano mainly functions as a hardware wallet. The function as a security key is an additional function that has nothing to do with cryptocurrency. So it's up to the user to use this feature or not.

[Chikito]

Bad idea to use HW wallets (with U2F  enabled)  in public because by doing this you are  bragging around with the message " I'm dealing  with crypto". In this respect dedicated U2F keys are much better because they are just HW tokens that ensure authorization. Now even government agencies and corporations hand out  such HW tokens to employees in order to grant them access to their websites so that such keys would not draw  attention to them.

I have 2 Hardware wallets at the moment which I used for 2fa HW with a small balance only, if I want to exchange it I don't need to prepare any key for it, just my ledger in one place. I want to make it simple with just one step.

People who deal with crypto do not use the same email and any credentials to showing in public. make sure not to use your email with related crypto in your office or public pc.

[libert19]

Sounds good but still this will make your literally everything under 1 mnemonic.

[dkbit98]

It would be nice if someone who owns both ledger and Trezor hardware wallets tried to create 2FA in one hardware wallet and then try to restore in different manufacturer hardware wallet.
This would be just for testing purposes, so it's better creating some alt email account for doing this and not your main account.

[Chikito]

It would be nice if someone who owns both ledger and Trezor hardware wallets tried to create 2FA in one hardware wallet and then try to restore in different manufacturer hardware wallet.

I just tried both (ledger nano s and Trezor one) with the same 24  mnemonic seed to an authentic login page, the result isn't worked (worked for only trezor one for the first set up). in this case, the user must use one hardware only.

Trezor one



Ledger nano s

[dkbit98]

I just tried both (ledger nano s and Trezor one) with the same 24  mnemonic seed to an authentic login page, the result isn't worked (worked for only trezor one for the first set up). in this case, the user must use one hardware only.

Good to know this and maybe we should contact developers of both wallets for more explanation.

Related with other 2FA hardware devices used for this purpose, someone yesterday created they can be vulnerable to attacks because of flaws found in 'secure elements'
https://bitcointalk.org/index.php?topic=5309112