LibremKey Authenticator -- MFA using TOTP (alpha for now)

Hey all, have you noticed, that LibremKey, which is based on NitroKey Pro2 supports TOTP and HOTP 2FA, but right now only HOTP is being used? I’m not aware of any app for TOTP side of things on LibremKey. I’m using LibremKey’s HOTP with PureBoot on my Librem 13. But I’ve also been using a TOTP 2FA using YubiKey thru their Authenticator app: Yubico Authenticator. It’s been working very well for me, but it’s a proprietary application for a closed-sourced firmware piece of closed-hardware USB key.

So my wife and I started writing an open-source equivalent for an open-source firmware, open-hardware USB key: LibremKey, LibremKey Authenticator. It’s pretty early into development, but the app is already functional and you can give it a go, if you’re interested. It’s a drop-in replacement for Google Authenticator, so you can scan the same QR-Codes with LibremKey Authenticator and Google Authenticator (or any other compatible authenticator app) for your initial testing. I’ve been using only LibremKey Authenticator on my personal desktop for for couple of days now. Still using Youbico Authenticator on my work computer (Mac) and my Android cellphone, though.

If you wanna try it out, you’ll have to compile it from source. Just follow the README, it’s really straightforward.

In the app we’re using libnitrokey to talk to LibremKey. For now it has to be compiled together with LibremKey Authenticator (described how in the README linked above), even though its newest release is already in Debian. At the moment that newest release (3.5) does not yet natively support LibremKey. But shortly after releasing 3.5, support for LibremKey got merged into master branch. So, when you do git submodule init, git submodule update, you’ll download the version of libnitrokey, that supports LibremKey and it’ll get linked against LibremKey Authenticator.

In addition to libnitrokey, we’re also using libzbar to process QR-Codes – when you click + button in LibremKey Authenticator, the app will take a screenshot (in memory only, not saving to disk) and will call libzbar to find and process QR-Code on that screenshot.

Also a word of warning – the app looks ugly at the moment – that’s just my artistic touch. Or should I say the lack thereof. :smiley: It’ll get improved, though – my wife’s actually working on that.

After the app matures a bit, and native support in libnitrokey lands in Debian, I’ll also package LibremKey Authenticator for Debian (I’m a Debian Developer), so it’ll be easily installable on Debian and derivatives (including PureOS).

If you do, or do not like it, want to try it out, lemme know. :slight_smile: Just message me here, or shoot my wife, or me an email at, or


Does the LibremKey support fido 2. I ask this as many other brand keys seems to support this standard. I’m in no way a security expert (the opposite) but like to know if the LibremKey is also useful for other, non linux, systems.

That is a two part question:

No it does not, but it supports One Time Passwords: HOTP and TOTP

Yes, you can use the Librem Key in non Linux systems. You can use it for:

  • Password manager (16 entries), using the Nitrokey app (as the original post says, the latest version that will soon be released supports the Librem Key). And you can use that in different Operating Systems

  • One Time Passwords (3x HOTP (RFC 4226), 15 x TOTP (RFC 6238) again using the nitrokey app

  • Email encryption OpenPGP in Thunderbird, outlook, Evolution, Claws Mail and some more.

  • PKCS#11 using OpenSC


The LibremKey is a NitrokeyPro, so assuming you are on GNU/Linux you can find a thorough list of places to use it, as well as detailed instructions about setup at the following.

The question was about non Linux systems :slight_smile:

But that reference page is a good pointer yes :slight_smile:

Oh, apologies - it was bias with the best of intentions :slight_smile:
The OP or any other that come past this thread could alternately choose a link from below.

or (*sighs) Mac

As someone that has not used windows in more than 12 years, I have the same bias