What started as a fun project quickly evolved into a fully functional FIDO2 authenticator, with an office stapler masquerading as its push button. With carefully rigged GPIO handling (just kidding: I cut some jumper wires and taped them to the stapler with black tape), this security key can authenticate with Google, webauthn.io and most passkey-enabled services.
What's happening?
No. In short, it is not another HID injection tool that types a hardcoded password. It is fully passwordless and speaks the real FIDO2 standard, following the CTAP2 specification from the FIDO Alliance: USB HID transport via the Raspberry Pi's USB gadget mode, credential creation, discovery and authentication, and interoperability with major FIDO2 relying parties such as Google. Resident keys (discoverable credentials) are supported as well.
Post Quantum Cryptography?
The current FIDO2 standards do not directly support PQC. Having gone through the ongoing research, the IETF drafts from the COSE working group, the IANA COSE algorithm identifier requests and more, I have concluded that ML-DSA (the standardised form of CRYSTALS-Dilithium) is what FIDO2 will most likely recommend for post-quantum signatures, so that is what I have implemented here. The key supports ML-DSA for quantum-resistant digital signatures and falls back to ECDSA on P-256 (ES256) for today's standards. At registration it picks the strongest algorithm the relying party offers: ML-DSA when the RP lists an ML-DSA identifier among its accepted algorithms, ES256 otherwise. Relying parties that do not advertise an ML-DSA identifier (which today means essentially all production RPs, Google and webauthn.io included) exercise only the ES256 path.
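The negotiation described above, as an added illustration rather than the daemon's own code: makeCredential's pubKeyCredParams after CBOR decoding is a list of {type, alg} in the RP's preference order. The CTAP2 specification tells an authenticator to take the first entry it supports; the "prefer the strongest" policy the page describes is modelled alongside it so the difference is visible. The ML-DSA COSE identifiers are an assumption taken from the IETF COSE working group draft and remain provisional until IANA registers them; ES256 (-7) and the CTAP2 status codes are from the published specifications. The GPIO read is replaced by a callable, and the authenticatorData layout shown is the one every RP verifies.

```python
"""makeCredential algorithm negotiation, the stapler's user-presence gate, and
the authenticatorData the key signs over. Illustration only: the real daemon
reads GPIO and CBOR, this models both with plain Python values."""
import hashlib
import struct
import time

# COSE algorithm identifiers. ES256 is registered (RFC 9053). The ML-DSA values
# are an ASSUMPTION taken from the IETF COSE WG draft (draft-ietf-cose-dilithium)
# and are provisional until IANA registers them; check the current draft.
ES256 = -7
ML_DSA_44, ML_DSA_65, ML_DSA_87 = -48, -49, -50
PQC_BY_STRENGTH = [ML_DSA_87, ML_DSA_65, ML_DSA_44]      # strongest first
SUPPORTED = set(PQC_BY_STRENGTH) | {ES256}

# CTAP2 status codes (CTAP2 specification)
CTAP2_ERR_UNSUPPORTED_ALGORITHM = 0x26
CTAP2_ERR_USER_ACTION_TIMEOUT = 0x2F


class CtapError(Exception):
    def __init__(self, code):
        super().__init__(f"CTAP2 status 0x{code:02x}")
        self.code = code


def select_algorithm(pub_key_cred_params, prefer_pqc=True):
    """Choose the COSE alg for a new credential.

    pub_key_cred_params is makeCredential parameter 0x04 after CBOR decoding:
    a list of {"type": "public-key", "alg": int} in the RP's preference order.
    CTAP2 says an authenticator takes the first entry it supports; with
    prefer_pqc=True the key instead picks the strongest ML-DSA entry whenever
    the RP offers one, and otherwise falls back to the RP's order.
    """
    offered = [p["alg"] for p in pub_key_cred_params
               if p.get("type") == "public-key" and p.get("alg") in SUPPORTED]
    if not offered:
        raise CtapError(CTAP2_ERR_UNSUPPORTED_ALGORITHM)
    if prefer_pqc:
        for alg in PQC_BY_STRENGTH:
            if alg in offered:
                return alg
    return offered[0]


def wait_for_press(read_button, timeout_s=30.0, poll_s=0.01,
                   now=time.monotonic, sleep=time.sleep):
    """Block until the stapler closes the GPIO line. read_button() stands in for
    the GPIO read (hypothetical callable) and returns True while pressed. No
    press within the timeout is a CTAP error, never a silent signature."""
    deadline = now() + timeout_s
    while now() < deadline:
        if read_button():
            return True
        sleep(poll_s)
    raise CtapError(CTAP2_ERR_USER_ACTION_TIMEOUT)


FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40


def build_auth_data(rp_id, sign_count, user_present, user_verified=False,
                    aaguid=bytes(16), cred_id=None, cose_key_cbor=None):
    """authenticatorData = rpIdHash(32) || flags(1) || signCount(4 BE)
    [|| attestedCredentialData = aaguid(16) || len(2 BE) || credId || COSE key]
    The attested block is present only at registration (AT flag set)."""
    flags = (FLAG_UP if user_present else 0) | (FLAG_UV if user_verified else 0)
    out = hashlib.sha256(rp_id.encode()).digest()
    tail = struct.pack(">I", sign_count)
    if cred_id is not None:
        if cose_key_cbor is None:
            raise ValueError("attested credential data needs the COSE public key")
        flags |= FLAG_AT
        tail += aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key_cbor
    return out + bytes([flags]) + tail


if __name__ == "__main__":
    # Constructed sample: an RP that lists ES256 first but also accepts ML-DSA-65.
    params = [{"type": "public-key", "alg": ES256},
              {"type": "public-key", "alg": ML_DSA_65}]
    print("spec order  ->", select_algorithm(params, prefer_pqc=False))   # -7
    print("prefer PQC  ->", select_algorithm(params))                     # -49
    presses = iter([False, False, True])                                  # simulated stapler
    wait_for_press(lambda: next(presses), sleep=lambda s: None)
    ad = build_auth_data("webauthn.io", 1, user_present=True,
                         cred_id=b"\x11" * 16, cose_key_cbor=b"\xa0")
    print("authData flags:", hex(ad[32]), "len:", len(ad))
```

With prefer_pqc=False the sample RP gets ES256 because it listed it first; with the page's policy it gets ML-DSA-65. The cose_key_cbor argument is the already CBOR-encoded public key (the one-byte empty map in the demo is a placeholder), and sign_count must come from persistent storage so an RP can detect a cloned key.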
How does it work?
The Pi runs a custom Python daemon that configures USB gadget mode with a FIDO HID (CTAPHID) report descriptor, so the host sees a standard FIDO2 security key over USB. Credentials and their private keys are stored on the SD card; unlike a commercial key there is no secure element, so whoever holds the card holds the credentials. The daemon handles credential creation (makeCredential) and authentication (getAssertion) requests like any other security key, and the stapler is the DIY push button that satisfies the User Presence (UP) check: the daemon waits on the GPIO input for a press before it sets the UP flag and signs. All the relevant CTAP2 commands are implemented.
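The transport layer the daemon sits on, as an added example that is not the project's own code: the FIDO HID report descriptor a gadget exposes (usage page 0xF1D0, one 64-byte IN and one 64-byte OUT report, from the CTAP specification), CTAPHID framing of a message into 64-byte reports with an init packet followed by sequenced continuation packets, reassembly on the device side with the error codes a host expects for a bad sequence or unknown channel, and the CTAPHID_INIT handshake that hands the host a channel ID. It never opens /dev/hidg0; the packets are built and fed back in memory. The 200-byte makeCredential body is a constructed placeholder, not real CBOR.

```python
"""CTAPHID transport: the FIDO HID report descriptor the gadget exposes, packet
framing/reassembly over 64-byte reports, and the CTAPHID_INIT handshake that
allocates a channel. Illustration only; it does not talk to /dev/hidg0."""
import os
import struct

# HID report descriptor for a FIDO authenticator (usage page 0xF1D0, usage 0x01),
# one 64-byte IN report and one 64-byte OUT report, as given in the CTAP spec.
# A gadget daemon writes these bytes into the HID function's report_desc.
FIDO_REPORT_DESCRIPTOR = bytes.fromhex(
    "06d0f1"    # Usage Page (FIDO Alliance)
    "0901"      # Usage (CTAPHID authenticator device)
    "a101"      # Collection (Application)
    "0920"      #   Usage (Input report data)
    "1500"      #   Logical Minimum (0)
    "26ff00"    #   Logical Maximum (255)
    "7508"      #   Report Size (8 bits)
    "9540"      #   Report Count (64)
    "8102"      #   Input (Data, Var, Abs)
    "0921"      #   Usage (Output report data)
    "1500"      #   Logical Minimum (0)
    "26ff00"    #   Logical Maximum (255)
    "7508"      #   Report Size (8 bits)
    "9540"      #   Report Count (64)
    "9102"      #   Output (Data, Var, Abs)
    "c0"        # End Collection
)

PACKET_SIZE = 64
INIT_PAYLOAD = PACKET_SIZE - 7       # CID(4) CMD(1) BCNT(2)
CONT_PAYLOAD = PACKET_SIZE - 5       # CID(4) SEQ(1)
MAX_MESSAGE = INIT_PAYLOAD + 128 * CONT_PAYLOAD   # 7609 bytes
TYPE_INIT = 0x80                     # bit 7 set marks an initialisation packet
BROADCAST_CID = 0xFFFFFFFF

CTAPHID_PING, CTAPHID_MSG, CTAPHID_INIT, CTAPHID_CBOR = 0x01, 0x03, 0x06, 0x10
CTAPHID_ERROR = 0x3F
ERR_INVALID_LEN, ERR_INVALID_SEQ, ERR_INVALID_CHANNEL = 0x03, 0x04, 0x0B
CAP_WINK, CAP_CBOR, CAP_NMSG = 0x01, 0x04, 0x08


def frame(cid, cmd, payload):
    """Split one CTAPHID message into 64-byte reports, zero padded."""
    if len(payload) > MAX_MESSAGE:
        raise ValueError("message exceeds CTAPHID maximum")
    head = struct.pack(">IBH", cid, TYPE_INIT | cmd, len(payload))
    packets = [(head + payload[:INIT_PAYLOAD]).ljust(PACKET_SIZE, b"\0")]
    rest, seq = payload[INIT_PAYLOAD:], 0
    while rest:
        chunk, rest = rest[:CONT_PAYLOAD], rest[CONT_PAYLOAD:]
        packets.append((struct.pack(">IB", cid, seq) + chunk).ljust(PACKET_SIZE, b"\0"))
        seq += 1
    return packets


class Reassembler:
    """Collect reports from the host until a full message has arrived.
    feed() returns (cid, cmd, payload) once complete, None while waiting, or
    (cid, CTAPHID_ERROR, bytes([code])) for a malformed sequence."""
    def __init__(self):
        self.pending = None   # [cid, cmd, expected_len, buffer, next_seq]

    def feed(self, report):
        if len(report) != PACKET_SIZE:
            return None
        cid = struct.unpack(">I", report[:4])[0]
        if report[4] & TYPE_INIT:
            cmd = report[4] & 0x7F
            length = struct.unpack(">H", report[5:7])[0]
            if length > MAX_MESSAGE:
                return cid, CTAPHID_ERROR, bytes([ERR_INVALID_LEN])
            self.pending = [cid, cmd, length, bytearray(report[7:7 + length]), 0]
        else:
            if self.pending is None or self.pending[0] != cid:
                return cid, CTAPHID_ERROR, bytes([ERR_INVALID_CHANNEL])
            if report[4] != self.pending[4]:
                self.pending = None
                return cid, CTAPHID_ERROR, bytes([ERR_INVALID_SEQ])
            need = self.pending[2] - len(self.pending[3])
            self.pending[3] += report[5:5 + need]
            self.pending[4] += 1
        if len(self.pending[3]) >= self.pending[2]:
            cid, cmd, _, buf, _ = self.pending
            self.pending = None
            return cid, cmd, bytes(buf)
        return None


def handle_init(nonce, new_cid, capabilities=CAP_CBOR | CAP_WINK):
    """CTAPHID_INIT response: nonce(8) | CID(4) | protocol version 2 | major |
    minor | build | capability flags. The request arrives on the broadcast
    channel carrying an 8-byte nonce the host uses to match the reply."""
    if len(nonce) != 8:
        raise ValueError("CTAPHID_INIT nonce must be 8 bytes")
    return nonce + struct.pack(">IBBBBB", new_cid, 2, 1, 0, 0, capabilities)


if __name__ == "__main__":
    rx = Reassembler()
    for pkt in frame(BROADCAST_CID, CTAPHID_INIT, os.urandom(8)):
        msg = rx.feed(pkt)
    cid, cmd, nonce = msg
    print("INIT reply:", handle_init(nonce, new_cid=0x12345678).hex())
    body = b"\x01" + bytes(199)        # constructed 200-byte makeCredential body
    print(len(frame(0x12345678, CTAPHID_CBOR, body)), "packets")   # 4
```

A 200-byte body takes four reports (57 bytes in the init packet, then 59 per continuation), and the reassembler tracks the sequence number so a packet out of order is answered with CTAPHID_ERROR rather than silently spliced in. The host ignores padding beyond BCNT, which is why every report is padded to exactly 64 bytes.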
Why do this?
Because it's cool. And it's fun. And, well, why not?
Tested against Google and webauthn.io from a Windows host.