Plug-and-play hardware security key: ESP32-S3 + RFID RC522 + R307 fingerprint sensor.
Full FIDO2/WebAuthn passkey via pico-fido firmware, plus TOTP and Windows login. No soldering — breadboard-based.
- FIDO2 / CTAP 2.1 — passwordless WebAuthn in all major browsers
- TOTP / HOTP / Yubico OTP — managed via Yubico Authenticator or ykman
- Dual biometric gate — RFID card + fingerprint required before any crypto operation
- Windows Hello — native security key sign-in (Microsoft/Azure AD), custom credential provider for local accounts
- Hardware security — Secure Boot, flash encryption, OTP master key, 24-word BIP39 backup
Host PC ←── USB HID ──→ [Gate Task] ──→ [pico-fido]
                             │
                 RC522 (SPI) + R307 (UART)
The gate is a FreeRTOS task that blocks CTAP commands until RFID + fingerprint both pass. pico-fido handles all FIDO2/TOTP crypto unchanged.
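The gate's allow/deny decision can be modelled as a small fail-closed state machine. The sketch below is an added example, not the project's gate code: it is plain C so it runs on a host, leaving out the FreeRTOS task and the sensor drivers. The type and function names, the card-then-fingerprint order, and both timeouts are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical names and timings; the project's real gate may differ. */
#define FACTOR_WINDOW_MS 10000u /* assumed: fingerprint must follow card within 10 s */
#define UNLOCK_TTL_MS    30000u /* assumed: gate re-locks 30 s after unlocking */

typedef enum { GATE_LOCKED, GATE_RFID_OK, GATE_UNLOCKED } gate_state_t;
typedef enum { EV_RFID_MATCH, EV_RFID_FAIL, EV_FP_MATCH, EV_FP_FAIL } gate_event_t;

typedef struct {
    gate_state_t state;
    uint32_t     since_ms; /* tick at which the current state was entered */
} gate_t;

static void gate_enter(gate_t *g, gate_state_t s, uint32_t now) { g->state = s; g->since_ms = now; }

/* Expire partial or full authentication; unsigned subtraction survives tick wrap. */
static void gate_tick(gate_t *g, uint32_t now) {
    uint32_t age = now - g->since_ms;
    if ((g->state == GATE_RFID_OK  && age > FACTOR_WINDOW_MS) ||
        (g->state == GATE_UNLOCKED && age > UNLOCK_TTL_MS))
        gate_enter(g, GATE_LOCKED, now);
}

void gate_init(gate_t *g, uint32_t now) { gate_enter(g, GATE_LOCKED, now); }

void gate_on_event(gate_t *g, gate_event_t ev, uint32_t now) {
    gate_tick(g, now);
    switch (ev) {
    case EV_RFID_MATCH:
        if (g->state == GATE_LOCKED) gate_enter(g, GATE_RFID_OK, now);
        break;
    case EV_FP_MATCH:
        /* A fingerprint only counts after a card match: no single-factor unlock. */
        if (g->state == GATE_RFID_OK) gate_enter(g, GATE_UNLOCKED, now);
        break;
    default: /* any failed read drops back to locked (fail closed) */
        gate_enter(g, GATE_LOCKED, now);
        break;
    }
}

/* Checked before a CTAP command is passed on to pico-fido. */
bool gate_allow_ctap(gate_t *g, uint32_t now) {
    gate_tick(g, now);
    return g->state == GATE_UNLOCKED;
}
```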
- Flash pico-fido via web flasher (< 3 min)
- Wire RC522 + R307 per pin map
- Build & flash gate firmware:
idf.py build flash
- Enroll RFID card + fingerprint (hold button on boot)
- Set FIDO2 PIN:
ykman fido access change-pin
See docs/flash-guide.md and docs/setup-guide.md for detailed walkthroughs.
firmware/
  pico-fido/   # git submodule — polhenarejos/pico-fido
  gate/main/   # Custom gate: auth state machine, RFID, fingerprint, LED, NVS
docs/          # Requirements, wiring, flash guide, setup guide
₹1,200 – ₹2,200 (India) / $15–$35 (US)
Gate firmware and Windows components: MIT. pico-fido submodule: AGPLv3 (upstream).