
// the find

polhenarejos/pico-fido

★ 1,244 · C · AGPL-3.0 · updated Jun 2026

FIDO Passkey for Raspberry Pico and ESP32

Turns a $4 Raspberry Pi Pico or ESP32 into a hardware security key supporting CTAP 2.1, WebAuthn, U2F, TOTP/HOTP, and YubiKey-compatible OTP. Feature parity with commercial keys is surprisingly close — credential management, large blobs, enterprise attestation, CredProtect, the works. Target audience is security-minded developers who want a cheap hardware token they can audit and build themselves.

Full CTAP 2.1 implementation including the less-common extensions (credBlobs, largeBlobKey, minPinLength) — not just the basics most hobby projects stop at. Yubico Authenticator and YKMAN compatibility means it drops into existing YubiKey workflows without friction. RP2350 and ESP32-S3 support Secure Boot with master key encryption stored in OTP (one-time programmable) memory, so the security story on those chips is legitimate. Test suite is real — based on SoloKeys' FIDO2 tests, updated for python-fido2 v1.0/CTAP 2.1, runnable in Docker.

RP2040 (the original Pico) has no hardware key storage, so private keys on flash are trivially dumpable if the device is stolen — the README is honest about this, but it means the common cheap board is only useful for low-stakes 2FA, not protecting anything serious. Dual-licensing as AGPLv3 plus a commercial edition creates a real friction point: any org wanting to deploy this internally needs to either open-source their integration or pay for a license, which will surprise people who assume 'open source' means 'free to use'. Build setup requires the full Pico SDK toolchain plus recursive submodule init — no prebuilt dev container or Nix flake, so onboarding is more friction than it needs to be. The 2048-byte large blob limit is a hard cap that will bite anyone trying to store meaningful data alongside credentials.
