
The all-in-one Biometric Hardware Security Key

A fingerprint-authenticated hardware vault that types your passwords and generates live TOTP 2FA codes via USB

Author: Micu Bogdan-Cristian
Group: 1221EA
GitHub Project Link: https://github.com/UPB-PMRust-Students/project-2026-bogdanmicu

Description

A standalone embedded security device built on the NUCLEO-U545RE-Q microcontroller. You plug it into your PC via USB and scan your fingerprint to unlock it. A rotary encoder lets you scroll through a menu of accounts on an OLED display. Selecting an account either injects the stored password directly into your PC (acting as a USB HID keyboard) or shows a live, expiring 6-digit TOTP code derived from HMAC-SHA1 cryptography. A hardware real-time clock ensures the TOTP timestamps are always accurate, even after the device has been powered off.

Motivation

The motivation for this project was to create a dedicated, self-contained physical key for passwords and 2FA, bypassing the need for phone-based authenticators. From an engineering standpoint, it offered a compelling system integration challenge: tying together async Rust with Embassy, USB HID communication, and constrained cryptography on the STM32 platform to deliver a responsive, standalone tool.

Architecture

                         +----------------------------------+
    +----------------+   |         NUCLEO-U545RE-Q          |   +----------------+
    |   9V Li-ion    |   |       (Central Controller)       |   |    Host PC     |
    |  Rechargeable  +-->|                                  +-->|   (USB HID     |
    |    Battery     |VIN|                                  |USB|   Keyboard)    |
    +----------------+   +----+----------+----------+-------+   +----------------+
                              |          |          |
                         UART |      I2C |     GPIO |
                           (TX/RX)   (SDA/SCK) (CLK/DT/SW)
                              |          |          |
                              v          |          v
                    +---------+--+       |    +-----+---------+
                    |   AS608    |       |    |  EC11 Rotary  |
                    |  Optical   |       |    |    Encoder    |
                    | Fingerprint|       |    | + Push-Button |
                    |   Sensor   |       |    +---------------+
                    +------------+       |
                                +--------+--------+
                                |                 |
                                v                 v
                         +------+------+   +------+------+
                         |   SH1106    |   |   DS3231    |
                         | OLED Display|   | RTC Module  |
                         | (addr 0x3C) |   | (addr 0x68) |
                         +-------------+   +------+------+
                                                  |
                                          coin-cell backup
                                          (keeps time while
                                             unplugged)

HARDWARE CONNECTIONS:

    +--------------------+          +----------------------------+
    | 9V Li-ion Battery  |   VIN    | NUCLEO-U545RE-Q            |
    | (power source)     +--------->| VIN / GND                  |
    +--------------------+          +----------------------------+

    +--------------------+          +----------------------------+
    | AS608              |  VCC  -->| 3V3                        |
    | Fingerprint        |  VA   -->| 3V3                        |
    | Sensor             |  GND  -->| GND                        |
    |                    |  TX   -->| UART RX (PA10)             |
    |                    |  RX  <--+| UART TX (PA9)              |
    +--------------------+          +----------------------------+
    (* sensor arrived with pre-crimped connector; requires adapter before wiring)

    +--------------------+                                           +--------------------+
    | SH1106             | SDA +-----------------------------------+ | DS3231             |
    | OLED Display       +---->|  I2C Bus - PB7 (SDA) / PB6 (SCL)  |<+ RTC Module         |
    | (addr: 0x3C)       | SCL |      shared by both devices       | | (addr: 0x68)       |
    |                    +---->|                                   | |                    |
    +--------------------+     +------------------+----------------+ +--------------------+
                                                  |
                                                  v
                                        NUCLEO I2C peripheral

    +--------------------+          +----------------------------+
    | EC11 Rotary        |  CLK  -->| PA0 - GPIO input           |
    | Encoder            |          |                            |
    | + Push-Button      |  DT   -->| PA1 - GPIO input           |
    |                    |          |                            |
    |                    |  SW   -->| PA4 - GPIO input           |
    +--------------------+          +----------------------------+

    +-----------------------------+
    |     STM32 User USB Port     |
    |   (to Host PC; on-board)    |
    |  No external D+/D− wiring   |
    +-----------------------------+

Log

Week 4 (Idea Research)

  • Explored the concept of a dedicated hardware security device as the project theme.
  • Initially considered a password manager and a TOTP generator as two separate projects, then decided to merge them into a single integrated device, a biometric hardware key.
  • Researched existing commercial solutions (YubiKey, Nitrokey, Ledger for crypto) for inspiration on scope and feature set.

Week 5 (Component Research & Procurement)

  • Researched all required hardware components: microcontroller, fingerprint sensor, OLED display, RTC module, rotary encoder, and battery.
  • Compared alternatives for each component (e.g. internal RTC vs DS3231 external module, I2C vs SPI display).
  • Placed purchase orders for all components.

Week 6 (Components Arrive - Initial Testing)

  • All components arrived; began a first testing phase powered via USB only (no battery yet).
  • Verified I2C bus connectivity for the SH1106 OLED and DS3231 RTC on PB7 (SDA) and PB6 (SCL).
  • Verified GPIO connectivity for the EC11 rotary encoder on PA0 (CLK), PA1 (DT), and PA4 (SW).

Week 7 (Extended Testing - Known Issues)

  • Continued testing and identified the following issues to address before final integration:
    1. Fingerprint sensor wiring - The AS608 module arrived with a pre-crimped connector head; the wires cannot be inserted directly into a breadboard. A connector adapter or manual re-crimping is required before it can be wired to the MCU.
    2. MCU power source - To run from the 9V Li-ion battery instead of USB, the NUCLEO onboard jumper must be moved from the STLK position to VIN 5V.
    3. External RTC - Switching to the DS3231 external RTC module to ensure accurate timestamps at all times even when the device is switched off or loses power.
    4. (Optional) External USB-C module - Soldering an external USB-C breakout would allow cleaner cable management and a more polished physical build.
    5. External EEPROM Module - Exploring the possibility of not using the internal flash, and instead adding an external EEPROM Module to store the hashed passwords. Link_OptimusDigital

Week 8 (Integration Progress)

  • Continued the first integration steps and made the following updates:

    1. Fingerprint sensor wiring - Soldered the AS608 wires.
    2. External EEPROM module - Purchased an EEPROM module, but decided to use the internal flash as the main storage option and keep the EEPROM as a backup.
    3. USB connectivity - Dropped the USB-C breakout board idea and switched to using the STM32 User USB port for PC - MCU communication.
    4. Firmware testing - Extended the component testing code.
    5. New issue - Battery wires need to be soldered before use.

Week 9 (Development)

  • Started the actual development:

  1. Testing - Wrote test code for the display, RTC Module and Rotary Encoder.
  2. Documentation - Documented the crates that needed to be added for more security.

Week 10 (Development)

  • Continued the development process:
  1. Testing - Added test modules and helpers for the fingerprint sensor.
  2. App flow - Designed a State machine (Locked -> MenuBrowse -> ActionMenu -> ShowTotp) for the main use flow.

Week 11 (Development)

  • Continued the development process:
  1. Main - Finalized the first main prototype, a flow that integrates all sensors and is a skeleton for future improvements.
  2. Power - Removed the external battery (after soldering the cables and testing it) as the main power source. Instead, the device will receive power via USB.
  3. To do - Improve security, add memory protection and data verification.

Week 12 (Development)

  • Continued the development process:
  1. Main - Implemented memory protection, better security and data verification. Added a host CLI to send data through the terminal to the device.
  2. 3D Design - Created a 3D Box render to store all of the components, making it a true embedded device.
  3. To do - Create a desktop app with GUI for easier usage. Improve overall app flow.

Week 13 (Development)

  • Continued the development process:
  1. Desktop App - Added the desktop app that uses the host to add and update account details on the device.
  2. 3D Print - Printed the 3D Box and fit the components inside. The middle "floor" had to be removed because the cables did not fit properly.
  3. To do - Improve the app flow, add UI animations.

Week 14 (Finishing touches)

  • Finalized the development process:
  1. In progress - Updating the main code.

Hardware

The project centres on a NUCLEO-U545RE-Q development board as the microcontroller. An AS608 optical fingerprint sensor handles biometric authentication over UART. A 1.3" SH1106 OLED display and a DS3231 RTC module share the I2C bus; the RTC, backed by a coin-cell battery, keeps accurate time for TOTP generation even while unplugged. An EC11 rotary encoder with integrated push-button provides all navigation input via GPIO. A 9V 3700 mWh Li-ion rechargeable battery makes the device fully portable. Everything is wired on a breadboard with jumper wires and supporting passives. An optional future goal is implementing ARM TrustZone to secure cryptographic operations and password storage.

NUCLEO-U545RE-Q (Central Hub) - Runs the async Rust firmware (embassy-stm32). Stores password strings and TOTP secret seeds in flash, orchestrates all peripherals, computes HMAC-SHA1 hashes, and drives the USB HID stack.

AS608 Fingerprint Sensor - Connected over UART. The device stays in a locked idle state until a recognised fingerprint is presented. On a match, it signals the MCU to unlock the vault.

  • Connection: UART TX/RX to USART peripheral on the NUCLEO board.

SH1106 OLED Display (1.3") - Shows the lock screen, the scrollable account list, and live TOTP codes.

  • Connection: I2C (SDA/SCL) shared bus with the RTC module.

DS3231 Real-Time Clock - Provides a precise Unix timestamp at all times, even when the device is unplugged, via its onboard coin-cell backup.

  • Connection: I2C (SDA/SCL) shared bus with the OLED display.

EC11 Rotary Encoder (with push-button) - The sole physical input. Rotating scrolls the account menu; pressing selects an account to either inject a password or display a TOTP code.

  • Connection: Three GPIO pins (CLK, DT, SW).

USB HID (to host PC) - The NUCLEO's USB port enumerates as a composite HID keyboard device. When a password injection is triggered, the firmware sends keystrokes directly to the connected computer.

Pin Assignments

| Pin | Signal | Peripheral |
|-----|--------|------------|
| PA0 | GPIO input - CLK | EC11 Rotary Encoder |
| PA1 | GPIO input - DT | EC11 Rotary Encoder |
| PA4 | GPIO input - SW (push-button) | EC11 Rotary Encoder |
| - | USB (STM32 User USB port) | USB HID (to host PC; on-board connector) |
| PB6 | I2C SCL | SH1106 OLED + DS3231 RTC (shared I2C bus) |
| PB7 | I2C SDA | SH1106 OLED + DS3231 RTC (shared I2C bus) |
| PA9 | UART TX | AS608 Fingerprint Sensor |
| PA10 | UART RX | AS608 Fingerprint Sensor |

Photos

Hardware setup - NUCLEO-U545RE-Q with OLED display, Rotary Encoder, DS3231 RTC module, and breadboard

Hardware setup V2 - Includes all sensors

Hardware setup V3 - The entire device sitting inside the 3D-printed box

Schematics

Schematics 3D Box Schematic

Bill of Materials

| Device | Usage | Price |
|--------|-------|-------|
| NUCLEO-U545RE-Q | Main microcontroller - runs Embassy/Rust firmware, stores credentials, computes TOTP | 125 RON |
| AS608 Optical Fingerprint Sensor | Biometric authentication over UART | 70 RON |
| 1.3" SH1106 OLED Display | Displays lock screen, account menu, and TOTP codes over I2C | 43 RON |
| DS3231 Real-Time Clock Module | Provides accurate Unix timestamps for TOTP over I2C | 16 RON |
| EC11 Rotary Encoder with push-button | Scroll and select accounts via GPIO | 21 RON |
| 9V 3700 mWh Li-ion Rechargeable Battery | Portable power source | 57 RON |
| Breadboard, jumper wires, battery cables, resistors, coin-cell batteries, USB-C module & extras | Prototyping and connectivity | 95 RON |
| Total | | 427 RON |

Software

| Library | Description | Usage |
|---------|-------------|-------|
| embassy-stm32 | Async HAL for STM32 microcontrollers | Peripheral drivers for UART, I2C, GPIO, USB on the NUCLEO-U545RE-Q |
| embassy-executor | Async task executor for Embassy | Runs concurrent tasks for fingerprint, display, encoder, and USB |
| embassy-time | Async timers and delays | Timing for TOTP windows, debounce, and animations |
| embassy-sync | Mutexes and channels for shared state | Safely shares I2C bus and vault state between async tasks |
| embassy-usb | Async USB device stack for Embassy | Enumerates the device as a USB HID composite device |
| usbd-hid | USB HID descriptor and report types | Sends keyboard HID reports to inject passwords into the host PC |
| sh1106 | Driver for the SH1106 OLED controller | Controls the 1.3" display over I2C |
| embedded-graphics | 2D graphics library for embedded displays | Renders the lock screen, account list, and TOTP code UI |
| ds323x | Driver for DS3231/DS3232 RTC chips | Reads the current Unix timestamp for TOTP calculation |
| rotary-encoder-hal | Rotary encoder abstraction over embedded-hal | Decodes EC11 rotation direction and button presses |
| embedded-hal | Hardware abstraction traits | Common interface gluing drivers to the Embassy HAL |
| hmac | HMAC generic implementation | Computes HMAC-SHA1 as required by the TOTP (RFC 6238) algorithm |
| sha1-smol | Minimal SHA-1 implementation (no-std) | SHA-1 digest used inside HMAC for TOTP |
| aes | Pure Rust Advanced Encryption Standard (AES) | Encrypts and decrypts the password vault stored in the STM32's flash memory |
| cipher | Traits for cryptographic ciphers | Provides the generic traits required to securely operate the AES cipher |
| zeroize | Securely zeros memory | Wipes the plaintext passwords and derived keys from RAM immediately after use to prevent memory-dump attacks |
| heapless | no_std data structures without dynamic allocation | Manages fixed-capacity buffers for passwords, account lists, and UI strings without needing a heap allocator |
| anyhow | Flexible concrete error handling (for desktop app) | Simplifies error propagation and context management across UI events, file operations, and device communication |
| eframe | Official framework for the egui library | Renders the cross-platform immediate-mode desktop interface for adding, editing, and managing vault entries |
| serialport | Cross-platform serial port interface | Establishes a serial connection (UART over USB) to securely communicate and sync vault updates with the STM32 device |
| clap | Command Line Argument Parser | Parses arguments, flags, and subcommands for the host CLI tool to manage and sync the hardware vault from the terminal |
  1. TOTP Algorithm - RFC 6238
  2. HOTP Algorithm - RFC 4226
  3. Embassy - async embedded Rust framework
  4. AS608 Fingerprint Sensor Datasheet
  5. AS608 Example with YT Video
  6. SH1106 Controller Datasheet
  7. DS3231 RTC Module Datasheet
  8. EC11 Rotary Encoder Datasheet
  9. STM32U5 ARM TrustZone -> for C :(