Note: This project was forked from psanford/tpm-fido and extensively refactored to use fingerprint authentication only, removing the TPM dependency.
VerifidoD is a FIDO2/U2F token implementation for Linux that secures authentication using fingerprint verification. It creates a virtual FIDO device using Linux's uhid facility, making it fully compatible with standard browsers.
- Biometric Authentication: Requires fingerprint verification (something you are) for all operations
- Persistent Credential Storage: Credentials are securely stored in a JSON file
- Key Revocation: Built-in ability to revoke compromised keys
- Enhanced Logging: Detailed security event tracking
- Secure Configuration: Hardened defaults with security-focused settings
- Service Hardening: Comprehensive systemd service hardening
VerifidoD implements a security-focused workflow that ensures proper authentication at every step:
- User initiates FIDO registration in their browser
- VerifidoD requires fingerprint verification via fprintd
- A unique P256 key is generated and stored in the credential store
- Each registration creates a secure key handle with the necessary parameters
- The credentials are persistently stored for future authentications
- The registration process completes with the key handle returned to the browser
- User initiates FIDO authentication in their browser
- VerifidoD validates the key handle with the stored credentials
- User must provide fingerprint verification via fprintd
- The key is used to sign the challenge after fingerprint verification succeeds
- Signature is returned to the browser to complete authentication
VerifidoD has been tested with Chrome and Firefox on Linux. It implements the FIDO U2F protocol and works with websites supporting FIDO security keys.
Please see the INSTALL.md file for detailed installation and configuration instructions.
- Go 1.22 or later
- Fingerprint reader with enrolled fingerprints
pinentryprogram (usually installed with GPG)- Linux with systemd and fprintd installed
go buildPlease refer to SECURITY.md for a comprehensive security assessment and recommendations. The implemented security fixes include:
- ✅ Updated dependencies to latest security-patched versions
- ✅ Hardened authentication flow requiring both factors
- ✅ Improved thread safety and race condition handling
- ✅ Enhanced error handling and secure logging
- ✅ Added input validation and defense-in-depth mechanisms
- ✅ Implemented secure configuration management
- ✅ Added service hardening measures
You must have proper udev rules in place for VerifidoD to access your fingerprint reader and create the virtual FIDO device:
# /etc/udev/rules.d/70-fido.rules
# Goodix fingerprint reader WebAuthn access
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="27c6", ATTRS{idProduct}=="658c", TAG+="uaccess"
# Configure uhid permissions for fingerprint authentication
KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="input", MODE="0660"
After adding these rules, reload the udev rules and trigger them:
sudo udevadm control --reload-rules
sudo udevadm triggerEnsure your user belongs to the appropriate groups based on your distribution:
# On most Linux systems:
sudo usermod -aG input $USER
# On some systems you might need a specific uhid group:
sudo groupadd -r uhid # Create group if it doesn't exist
sudo usermod -aG uhid $USERNote: You'll need to log out and back in for group changes to take effect.
VerifidoD is designed to run as a user systemd service. Refer to INSTALL.md for complete setup instructions.
# Enable and start the service (after installation):
systemctl --user enable verifidod.service
systemctl --user start verifidod.service
# View service status:
systemctl --user status verifidod.serviceThis project is licensed under the MIT License.
Copyright (c) 2021 Peter Sanford (original author)
Copyright (c) 2025 Scott Rushforth
See the LICENSE file for the full license text.