MFA Only With Windows Hello and Apple ID? Time for Linux-ID!

24 May 2024

You no longer have to use TOTP tokens on Linux; now, you can get the same user experience as on other operating systems—it's time to improve MFA authentication using the Golang tool Linux-id to get closer to MFA capabilities on different operating systems.

In this post, I'll explain how the Linux-id tool works to enhance second-factor authentication on Linux.

The process involves installation, registration of a new token, and authentication.

Table of Contents

This post includes the following sections:

  1. MFA - Multi-Factor Authentication in more detail
  2. Showcase - This section showcases the Linux-ID tool.
  3. Setup - How to setup Linux-ID.
  4. How it works - Explanation of the Linux-ID functioning.
  5. Fork - The original project
  6. Repository - Link to Linux-ID.


MFA, or Multi-Factor Authentication, is typically done in several ways: via SMS, email, OTP, TOTP, and FIDO keys such as Yubikey or a key stored in a TPM (Trusted Platform Module). The last way, which is the easiest for the user, is used by Windows Hello and Apple ID; thanks to this tool, you can achieve similar functionality.


In the GIF below, you can see the whole workflow.

  1. First, I registered the Linux-id in the Unified Login to use it for Web Authentification.
  2. Then, I click on a new tab where I am not logged in and perform the sign-up process with the Linux-id tool as MFA.

Example of registering and authentication on MUNI Unified Login


You can install it by running the following commands:

git clone cd linux-id

go install

chmod +x ./

Or you can download the latest release without installing Go:

curl -L | tar xz chmod +x linux-id curl | bash

How It Works

  1. On registration, linux-id generates a new P256 primary key under the Owner hierarchy on the TPM. To ensure that the key is unique per site and registration, linux-id generates a random 20-byte seed for each registration.

  2. The primary key template is populated with unique values from a sha256 HKDF of the 20-byte random seed and the application parameter provided by the browser.

  3. A signing child key is then generated from that primary key. The key handle returned to the caller concatenates the child key's public and private key handles and the 20-byte seed.

  4. On an authentication request, linux-id will attempt to load the primary key by initializing the hkdf in the same manner as above. It will then attempt to load the child key from the provided key handle. Any incorrect values or values created by a different TPM will fail to load.


This project is a fork of Psanford's tpm-fido project. To be transparent, this would not have been possible without his contributions, and I am grateful to him for creating this unique project.

However, after a discussion with the author, I created a new repository because I had different ideas about the project.

The key differences are:

  • This project aims to be more accessible to average users.
  • I have updated old methods according to the latest Go standards.
  • Old dependencies (e.g. pinetry) were replaced with updated ones.
  • UX improvements.


Visit the Linux-ID for more information.