
Trezor Safe device authentication check

The Trezor Safe 3 and Safe 5 hardware wallets have an added Secure Element. In addition to providing an extra layer of protection against physical attacks on your Trezor, this chip plays an important role in verifying the authenticity of your device.
 

How does device authentication work?

During the manufacturing process of the Trezor Safe hardware wallets, a unique certificate is issued to the new device before it leaves the production line. This certificate is stored in the Secure Element. When you set up your device:
 

  1. Trezor Suite generates a random challenge which is then sent to the Trezor.
  2. In response, the Trezor uses the Secure Element to sign this random challenge and returns both the signature and the device certificate.
  3. To confirm the authenticity of the device, Trezor Suite verifies the signature on the challenge and the signature on the certificate.
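
The three steps above as a runnable sketch, added here as an illustration and not taken from Trezor Suite or the device firmware. It assumes a simplified certificate (the device public key plus a manufacturer signature over it), P-256 ECDSA, and hypothetical function names; the page does not describe the real certificate format or algorithms.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed keys, generated at run time (hypothetical stand-ins).
const newKey = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Production line: the manufacturer root signs the device public key.
// ASSUMPTION: "certificate" = device public key (DER) + root signature over it.
function issueCertificate(rootPrivate, devicePublic) {
  const devicePublicDer = devicePublic.export({ type: 'spki', format: 'der' });
  const rootSignature = nodeCrypto.sign('sha256', devicePublicDer, rootPrivate);
  return { devicePublicDer, rootSignature };
}

// Step 2 (device): sign the challenge and return signature plus certificate.
function deviceRespond(devicePrivate, certificate, challenge) {
  return { signature: nodeCrypto.sign('sha256', challenge, devicePrivate), certificate };
}

// Steps 1 and 3 (host): fresh random challenge, then verify both signatures.
function authenticateDevice(rootPublic, respond) {
  const challenge = nodeCrypto.randomBytes(32);
  const { signature, certificate } = respond(challenge);
  const { devicePublicDer, rootSignature } = certificate;
  // The certificate must be signed by the trusted manufacturer key.
  if (!nodeCrypto.verify('sha256', devicePublicDer, rootPublic, rootSignature)) return 'bad-certificate';
  // The challenge must be signed by the key the certificate vouches for.
  const devicePublic = nodeCrypto.createPublicKey({ key: devicePublicDer, format: 'der', type: 'spki' });
  return nodeCrypto.verify('sha256', challenge, devicePublic, signature)
    ? 'authentic' : 'bad-challenge-signature';
}

function runDemo() {
  const root = newKey(), device = newKey(), otherRoot = newKey(), clone = newKey();
  const cert = issueCertificate(root.privateKey, device.publicKey);
  const selfIssued = issueCertificate(otherRoot.privateKey, clone.publicKey);
  // Response recorded from the genuine device for an earlier challenge.
  const recorded = deviceRespond(device.privateKey, cert, nodeCrypto.randomBytes(32));
  return {
    genuine: authenticateDevice(root.publicKey, (c) => deviceRespond(device.privateKey, cert, c)),
    // Certificate not signed by the trusted root.
    untrustedCert: authenticateDevice(root.publicKey, (c) => deviceRespond(clone.privateKey, selfIssued, c)),
    // Genuine certificate presented without the matching private key.
    copiedCert: authenticateDevice(root.publicKey, (c) => deviceRespond(clone.privateKey, cert, c)),
    // Old response presented against a fresh challenge.
    replayed: authenticateDevice(root.publicKey, () => recorded),
  };
}

console.log(runDemo());
```

The `copiedCert` and `replayed` results show why both checks are needed: a valid certificate alone, or an old signed response, does not pass against a fresh random challenge.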
 

We have taken great care to implement robust measures to ensure your privacy. During the authentication process, the device certificate is checked exclusively by Trezor Suite and is discarded immediately afterwards. Note that this certificate is never sent anywhere else and that Trezor Suite does not store any part of it.

 
This process helps to verify the authenticity of your brand new Trezor Safe 3 or Safe 5, and makes tampering with the device significantly more difficult. We’ve introduced this feature to instill absolute confidence that you are using a genuine device, thus safeguarding your coins and tokens.
 

Is device authentication mandatory?

If you only use Trezor Suite with official Trezor devices, do not turn off this check. This feature is a security measure designed to keep you safe from potentially using a fake or compromised device. Users may opt out of the device authentication process, but we strongly advise against it.
 

The authenticity check should only be disabled if you need to connect unofficial devices to Trezor Suite, such as do-it-yourself builds.


If you're absolutely sure you want to turn off the Device check feature, you can do so in the Settings menu in Trezor Suite.


Are there any privacy concerns associated with device authentication?

No, as the device certificate is neither tracked nor stored anywhere. It is checked only by Trezor Suite, and then immediately discarded. It is not sent anywhere, meaning your privacy is always preserved.