Ledger Nano S Plus and X for Two-Factor Authentication (U2F)

How to use a Ledger Nano S Plus or a Ledger Nano X for two-factor authentication?

Jules Br0gn4
5 min readMay 25, 2019
Featured image: Ledger Nano S used as a key fot two-factor authentication

Do you know that both Ledger Nano S Plus and Ledger Nano X are also devices for two-factor authentication?

Using Ledger devices to store and manage cryptocurrencies is very common among enthusiasts, traders and investors.

Despite the widespread use of them as “hardware wallets”, most users don’t know that such devices have another, very useful, feature that doesn’t concern cryptocurrencies, at least not entirely.

A Ledger device can be also used as a two-factor authentication tool thanks to the FIDO U2F standard

What I mean is that if you decide not to deal with cryptocurrencies anymore, do not throw your device away. You may take advantage of it on websites and web services which support the FIDO U2F security protocol.

Two-factor authentication

Two-factor authentication is a security process where the user, in order to verify himself, provides two different authentication factors to better protect both his login data and the resources he wants to access.

Two-factor authentication provides a higher security level than access methods based on single-factor authentication, where the user typically provides only one password or a single pin.

Two-factor authentication methods require the user to provide not only something he “knows” (the password) but also something he “owns”, such as a security token, a smartphone, a biometric factor, etc.

Two-factor authentication adds another layer of security to the authentication process, making it harder for hackers the access to user’s devices or online accounts.

Knowing the victim’s password is not enough to pass the authentication check.

Many crypto enthusiasts use two-factor authentication techniques on exchange platforms. The most widespread authentication method is the Google Authenticator app, which is however based on the TOTP algorithm.

“Authenticator” apps remove the need of obtaining a verification code by sms, voice call or e-mail.

In order to access a website, or a web-based service, that supports Google Authenticator or other similar apps, the user must type his username and password: a knowledge factor.

The user is then prompted to enter a six-digit number. Rather than waiting a few seconds to receive a text message, the number is generated by the Authenticator.

These numbers change every thirty seconds and are different for each access. By entering the correct number, the user completes the verification procedure and demonstrates that he owns the right device: a possession factor.

The popularity of one-time password technology is due to its simplicity. In addition to a static credential (username/password) the user provides another dinamically generated authentication factor.

OTP technology is compatible with all the main platforms (desktop, laptop, mobile) and legacy systems, making it a very popular choice among second factor protocols.

Despite its usefulness and simplicity, OTP technology is not immune to phishing and man-in-the-middle attacks. Here is what can happen.

An hacker creates a fake website, designed to lead people to submit their login credentials. When a user falls into the trap and enters his information (username, password and one-time password), these data will be immediately intercepted by the hacker to access to the victim’s account.

The increased sophistication of attack techniques against OTP schemes was a motivating factor in the development of FIDO U2F protocol. Here is why this is better than the former.

When a user registers a U2F device for his account, a public/private key pair is generated.

After setting it up, when the user attempts to log in, the service provider sends a challenge to the client. The client compiles the requested information, which are then signed by the U2F device (using the private key) and sent to the server (to the service provider).

The real-time response scheme of the U2F protocol is able to face OTP vulnerabilities, such as phishing and several kinds of man-in-the-middle attacks.

Since the request is issued by the legitimate server, if a fake site or a man-in-the-middle manipulates the stream, the server will detect an anomaly in the response and will deny the access.

How to set up Ledger Nano as a U2F device

FIDO U2F is a two-factor authentication method being developed by FIDO Alliance and supported by both Ledger Nano S Plus and Ledger Nano X.

If you need a comparison between Ledger Nano S Plus, Ledger Nano X and Ledger Stax, read this article

In order to get started you need a Ledger Nano S Plus or a Ledger Nano X updated to the latest firmware version. The Ledger Live app must be installed as well.

Here are the step by step instructions:

1) open the “Manager” in the Ledger Live;

2) connect and unlock your Ledger device;

3) if required allow the “Manager” on your device;

4) find “FIDO U2F” in the apps catalog;

5) click on the “Install” button of the application;

6) open the “FIDO U2F” app from the device dashboard.

In order to enable the two-factor authentication for websites or web services that support FIDO U2F, go to the security settings of the website or service and follow the instructions to register the device.

As for crypto exchanges, Binance, Bitfinex and Coinbase already support such authentication protocol. In order to find out if you can use the U2F protocol for a specific exchange, simply check the security section of the settings.

Beyond the cryptocurrencies field you can still take advantage of the U2F technology in many online services: e.g. Facebook, Google, GitHub, Dropbox and many others.

U2F authentication with a Ledger Nano S
U2F authentication with a Ledger Nano S

Security tips

Always make sure you set an alternative access method. You can register a second key, with another U2F device, or a different authentication factor, such as the Google Authenticator.

Registering a second access method is essential, because if you remove and install again the FIDO U2F app - whatever the reason - you will need to reconfigure it for each service.

After updating the Ledger firmware all apps must be reinstalled, and this involves the reset of the counter. This makes impossible to access the service using the device’s FIDO U2F app, hence you must reconfigure the service.

The FIDO U2F app of the Ledger device maintains an internal counter which changes every time U2F is used to access a third-party service.

That said, whenever you want to update the Ledger firmware or install again the FIDO U2F app, take the following precautions:

1) use an alternative tool - such as an Authenticator app - to log in to the services you wish to access;

2) once logged in, go to the security settings of the services where you use FIDO U2F. Then remove the FIDO U2F authentication method that you had set up with your Ledger device;

3) register again your Ledger device as an authentication method.

Video tutorial: set up Fido U2F with Ledger Nano X for Google account

As an example, in this video tutorial you can learn how to secure a Google account using your Ledger Nano X with Fido U2F.

Hopefully this article helps you figure out how to use a Ledger Nano as a key for Two-Factor Authentication (U2F). Should you have any doubts or questions, ask me in the comments below.

--

--

Jules Br0gn4

Belgian researcher and consultant, crypto activist and DeFi expert.