Every time I log into GitHub or Google with 2FA, I reach for my YubiKey. On my MacBook at work, I just touch the Touch ID sensor — it's seamless, built right into the browser. But on my ThinkPad P14s running Linux? My laptop has a perfectly good fingerprint reader and a TPM 2.0 chip, yet Chrome treats them like they don't exist.
So I built a virtual FIDO2 security key that uses both. No browser extension. No external hardware. Just touch your fingerprint sensor and you're authenticated.
Here's how I did it — and how I used Claude to audit the security along the way. Please note that all of these are done via Claude Code, not a single line of code was written without AI assistance. This is a deep dive into the architecture, implementation, and security considerations of the project.
