After a long break, I’m back working on my FIDO2 authenticator! With BLE dropped from Chrome, I’ve shifted gears to USB—and that meant switching from ESP32 to STM32 (and soon RP2040). The latest prototype features a fingerprint scanner, secure element, and a fresh USB PCB. Still lots to build, but it’s moving again!
Next step: power! I explored both CR2032 coin cells and tiny rechargeable LiPo batteries for the URU Auth device. Settled on a rechargeable setup with a TP4054 charger and USB-C—compact, convenient, and way more user-friendly. Bonus: added battery level monitoring and auto power-off to keep things efficient.
Everything’s finally coming together! I combined the ESP32, fingerprint scanner, and ATECC508A security chip into a single board—the first real version of my own FIDO2 Authenticator: URU Auth (You Are You). It’s handheld, it lights up, and it’s so close to being fully autonomous. Time to tackle power and fingerprint recognition!
The PCBs finally arrived—couldn’t resist jumping straight into assembly. Hot air soldering the ESP32 Pico D4 was a first for me, but surprisingly satisfying! The prototype is up and running, even on battery power. Now the real challenge begins: fingerprint scanning and matching. Let’s gooo!
Tried to go full DIY and desoldered the fingerprint sensor from the R300 module… but hit a wall—the pad layout doesn’t match any docs I could find 😕. So, switching gears: I’ve designed my own custom dev board for the authenticator with ESP32 Pico D4, ATECC508A, and room for a scanner. Boards are on the way!
Using a button for FIDO2 user verification felt… a bit too easy to spoof. So I grabbed two fingerprint modules—GROW R300 and FPC1020—to try adding real biometric authentication. R300 might even let me skip its built-in MCU and handle image processing myself. Let’s see where this goes!
After getting FIDO2 working on Android, I gave it a go on the ESP32. Started with Arduino, but switched to ESP-IDF for more control. It’s super stripped-down—only one in-memory credential and a button for user presence—but it works! Got both registration and login running. Video inside!
Spent a couple weekends deep-diving into a real FIDO2/WebAuthn implementation—and wow, it’s more complex than it looks. Ended up rebuilding the BLE GATT server on Android for better control. Got “Make Credential” working (video inside!), plus found a quirky Chrome spec mismatch along the way.
Spent the weekend turning an ESP32 into a FIDO2 BLE Authenticator! Chrome even recognizes it (though it doesn’t do much yet). Also found a neat secure chip—ATECC508A—that could store encrypted keys. Still brainstorming how to handle more than 16 keys. Nerdy fun!
Ever heard of logging in without passwords? I stumbled upon the FIDO2/WebAuthn standard and it’s actually pretty cool—just your fingerprint and you’re in. I looked into how it works, its pros, and some open questions that still bug me (like… what if you lose the device?). Check it out!