0xC9C3/fido-bridge

FIDO Bridge

Use your YubiKey via NFC for WebAuthn on Linux

FIDO Bridge is a secure, end-to-end encrypted bridge that allows Linux users to leverage their Android device's NFC capabilities to interact with FIDO2/WebAuthn security keys (like YubiKey) for browser authentication.

Project Status

Current Version: 0.0.1

Early development. Currently using it for my daily work / logins already, though.

Overview

The Problem

Linux desktop environments typically lack native NFC support for FIDO2/WebAuthn authentication. While you can use USB-connected security keys, NFC-based authentication with keys like YubiKey requires cumbersome workarounds or isn't possible at all.

The Solution

FIDO Bridge creates a secure channel between your Linux desktop and Android device:

Linux Chrome → Virtual UHID Device → Rust Client → E2EE Channel → Relay Server
                                                                        ↓
YubiKey ← NFC ← Android App ← Relay Server ← E2EE Channel ← Rust Client

All communication is end-to-end encrypted with double-layer encryption (SPAKE2 pairing + X25519 ECDH ephemeral keys), ensuring even the relay server cannot read your authentication data.

Features

Security & Encryption

  • Double-Layer E2EE: SPAKE2 pairing protocol + X25519 ECDH with AES-256-GCM
  • Server-Blind Design: Relay server never sees plaintext authentication data
  • Strong Encryption at Rest: AES-256-GCM for stored credentials
  • Argon2id Key Derivation: Memory-hard, side-channel resistant key derivation
  • Persistent Cryptographic Salt: Securely stored with 0600 permissions
  • Automatic Session Cleanup: Background cleanup prevents memory leaks from expired sessions
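
The "stored with 0600 permissions" point above, as an added example (not FIDO Bridge's own code): the salt file is created owner-only at open time rather than chmod'ed afterwards, and an existing file that group or other can access is rejected on load. The function name, the 16-byte length and the demo path are assumptions for illustration.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

const SALT_LEN: usize = 16; // assumed length; the page does not state one

/// Load the salt at `path`, creating it with mode 0600 on first use.
/// Refuses an existing file whose mode grants any group/other access.
pub fn load_or_create_salt(path: &Path) -> io::Result<[u8; SALT_LEN]> {
    let mut salt = [0u8; SALT_LEN];
    // create_new + mode: the file is born 0600, and an existing file
    // (or a planted symlink) is never truncated or followed on create.
    match OpenOptions::new().write(true).create_new(true).mode(0o600).open(path) {
        Ok(mut f) => {
            File::open("/dev/urandom")?.read_exact(&mut salt)?;
            f.write_all(&salt)?;
            f.sync_all()?;
            Ok(salt)
        }
        Err(e) if e.kind() == io::ErrorKind::AlreadyExists => {
            let mut f = File::open(path)?;
            let meta = f.metadata()?; // fstat on the opened handle, not the path
            if !meta.is_file() || meta.permissions().mode() & 0o077 != 0 {
                return Err(io::Error::new(io::ErrorKind::PermissionDenied,
                    "salt file is not a regular file or is accessible to group/other"));
            }
            if meta.len() != SALT_LEN as u64 {
                return Err(io::Error::new(io::ErrorKind::InvalidData, "unexpected salt length"));
            }
            f.read_exact(&mut salt)?;
            Ok(salt)
        }
        Err(e) => Err(e),
    }
}

fn main() -> io::Result<()> {
    let path = std::env::temp_dir().join(format!("fido-bridge-demo-salt-{}", std::process::id()));
    let first = load_or_create_salt(&path)?;
    let second = load_or_create_salt(&path)?; // second call reads the same bytes back
    println!("persistent: {}", first == second);
    fs::remove_file(&path)
}
```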

WebAuthn & FIDO2

  • PRF Extension Support: Full WebAuthn PRF extension support for advanced use cases
  • Session Caching: 30-second cache reduces repeated NFC taps during ClientPIN flows
  • Transaction Management: 240-second timeout with automatic cleanup
  • CTAP2 Compliant: Full CTAP2 protocol implementation via virtual UHID device

User Experience

  • D-Bus Integration: Desktop notifications for pairing events
  • Adaptive Polling: Smart polling intervals (250ms active, 5s background) for battery efficiency
  • Systemd Service: Runs as background service with automatic start

Quick Start

Download Pre-built Releases

The fastest way to get started:

  1. Download from GitHub Releases:

    • fido-bridge-android-v*.apk - Android app
    • fido-bridge-linux-v* - Linux client
    • fido-bridge-server-linux-v* - Server (optional)
  2. Install on Android: Transfer APK and install, or use adb install fido-bridge-android-v*.apk

  3. Install Linux client:

    chmod +x fido-bridge-linux-v*
    ./fido-bridge-linux-v* install

Deploy Server with Docker

For production server deployment:

# Using docker-compose (recommended)
docker compose up -d

# Or with docker run
docker run -d -p 8080:8080 ghcr.io/0xc9c3/fido-bridge-server:latest

Build from Source

See Building from Source for detailed instructions.

Documentation

Comprehensive documentation is available at fido-bridge-docs.stack.rip.

Testing

# Run all Rust tests
cargo test

# Run Flutter tests
cd app && flutter test

# Run with coverage
cargo tarpaulin --out Html
cd app && flutter test --coverage

See Testing Guide for testing strategies.

Contributing

We welcome contributions! Please see our Contributing Guide for:

  • Code of conduct
  • How to report bugs
  • How to suggest features
  • Pull request process
  • Code style guidelines

Quick Contribution Checklist

  • Fork the repository
  • Create a feature branch (git checkout -b feature/my-feature)
  • Write tests for new functionality
  • Ensure all tests pass (cargo test)
  • Follow code style guidelines (cargo fmt, cargo clippy)
  • Update documentation (if applicable)
  • Commit with conventional commits (feat:, fix:, etc.)
  • Open a pull request

License

FIDO Bridge is dual-licensed under MIT and Apache 2.0.

You may choose either license for your use.

Why Dual License?

Dual licensing allows maximum compatibility:

  • MIT for permissive use in proprietary projects
  • Apache 2.0 for patent protection and contributor guarantees

Acknowledgments

  • Yubico for YubiKey hardware and FIDO2 implementation
  • FIDO Alliance for WebAuthn and CTAP2 specifications
  • Rust Community for excellent cryptographic libraries
  • All contributors who have helped improve FIDO Bridge

Made with Rust, Flutter, and a YubiKey.
