Pairing Guide
This guide walks you through pairing your Linux desktop with your Android device to enable WebAuthn authentication via NFC.
Pairing Overview
Pairing establishes a secure, encrypted channel between your Linux client and Android device using:
- SPAKE2 protocol: Password-authenticated key exchange
- 6-digit PIN: Shared secret for authentication
- QR code: Convenient way to transfer pairing ID and PIN
After pairing, both devices share a 32-byte secret that's used to encrypt all future communications.
Prerequisites
Before pairing:
-
Linux client is running:
# If installed as a service
systemctl --user start fido-bridge
# Or run directly
sudo ./target/release/fido-bridge daemon -
Android app is installed and opened
-
Both devices can reach the relay server:
- If using embedded server: Android device must be on same network as Linux machine
- If using remote server: Both devices need internet connection
-
QR code scanner ready: Android device camera must have permission
Step-by-Step Pairing
Step 1: Initiate Pairing on Linux
-
Start the client (if not already running):
# If installed as a service
systemctl --user start fido-bridge
# Or run directly
sudo ./target/release/fido-bridge daemon -
Trigger pairing mode:
- The client automatically starts in pairing mode if no devices are paired
- OR press
Pin the interactive mode to start a new pairing session
-
Observe the terminal output:
[INFO] Starting pairing session...
[INFO] Pairing ID: pair-123e4567-e89b-12d3-a456-426614174000
[INFO] PIN: 123456
┌─────────────────────────────────────┐
│ █▀▀▀▀▀█ ▀▀█▄ ▀█▀▄▀▄ █ █▀▀▀▀▀█ │
│ █ ███ █ ▀ █▀▀▀█ ▀▄█▀ █ ███ █ │
│ █ ▀▀▀ █ █▄▄ █▄▀█▄ ▄▀ █ ▀▀▀ █ │
│ ▀▀▀▀▀▀▀ █ ▀ ▀ █▄▀ ▀ █ ▀▀▀▀▀▀▀ │
│ ...QR code continues... │
└─────────────────────────────────────┘
[INFO] Scan this QR code with your Android device
[INFO] Pairing session expires in 5 minutes -
Note the PIN: The 6-digit PIN displayed (e.g.,
123456)
Step 2: Scan QR Code on Android
-
Open the FIDO Bridge app on your Android device
-
Tap the "+" button or "Pair New Device" button
-
Grant camera permission if prompted
-
Point camera at the QR code displayed on your Linux terminal
- The app will automatically scan and parse the QR code
- QR code contains:
{pairing_id: "pair-...", pin: "123456"}
-
Verify the PIN matches:
- The app will display the PIN from the QR code
- IMPORTANT: Verify it matches the PIN shown on your Linux terminal
- This prevents man-in-the-middle attacks
-
Tap "Confirm and Pair"
Step 3: Wait for Pairing Completion
-
Android app shows "Pairing in progress..."
- The app sends its SPAKE2 response to the server
- Both devices derive the shared secret
-
Linux client shows:
[INFO] Received pairing response from android-device-1
[INFO] Pairing completed successfully!
[INFO] Device name: Pixel 7 (Android 14)
[INFO] Paired devices: 1 -
Android app shows:
✓ Pairing successful!
Paired with: ThinkPad X1 (Linux)
Device ID: linux-desktop-1 -
You're ready to authenticate! Both devices are now paired and can communicate securely.
Pairing Multiple Devices
You can pair multiple Android devices to one Linux client, or multiple Linux clients to one Android device.
Pairing a Second Android Device
- On Linux: Press
Pto start a new pairing session (generates new PIN and QR code) - On second Android device: Follow the same pairing steps above
- Result: Linux client now has 2 paired Android devices
Note: During WebAuthn authentication, the first device to respond wins. Both devices will receive the request.
Pairing a Second Linux Client
- On second Linux machine: Start the client and initiate pairing
- On Android: Pair with the new Linux machine (scan its QR code)
- Result: Android device now has 2 paired Linux clients
Note: Each pairing is independent with its own shared secret.
Managing Paired Devices
View Paired Devices
On Linux:
# List paired devices
cat ~/.config/fido-bridge/devices.json | jq
Output:
[
{
"device_id": "android-phone-1",
"device_name": "Pixel 7",
"device_type": "android",
"device_token": "token-abc123...",
"shared_secret": "...",
"paired_at": 1704067200
}
]
On Android:
- Open FIDO Bridge app
- Paired devices are listed on the home screen
- Tap a device to view details or unpair
Unpair a Device
On Linux:
- Stop the client (if running)
- Edit the devices file:
nano ~/.config/fido-bridge/devices.json - Remove the device entry from the JSON array
- Restart the client
On Android:
- Open FIDO Bridge app
- Tap the device you want to unpair
- Tap "Unpair" or swipe left and tap "Delete"
- Confirm the action
Re-pair After Unpair
If you unpaired by mistake or want to re-establish the pairing:
- Unpair on both devices (to avoid confusion)
- Initiate a fresh pairing following the steps above
- New shared secret will be generated
Pairing Security
PIN Verification is Critical
Always verify the PIN matches on both devices before confirming pairing.
Attack Scenario:
- Attacker intercepts QR code scan
- Attacker displays their own QR code with different PIN
- If you don't verify, you'll pair with attacker's device instead
Protection:
- PIN is displayed on both devices
- User must manually confirm they match
- 6-digit PIN provides 1,000,000 combinations (1 in 1M guess rate)
QR Code Security
The QR code contains:
{
"pairing_id": "pair-123e4567-e89b-12d3-a456-426614174000",
"pin": "123456",
"server_url": "http://localhost:3000" // optional
}
Security Considerations:
- QR code is not encrypted (it's just base64-encoded JSON)
- QR code should only be displayed in trusted environments
- Don't share screenshots of QR codes publicly
- Pairing session expires after 5 minutes
Shared Secret Storage
On Linux: Stored in ~/.config/fido-bridge/devices.json
- Plaintext on disk (relies on OS-level encryption)
- Recommendation: Use full-disk encryption (LUKS, dm-crypt)
On Android: Stored in app's secure storage
- Encrypted by Android's app sandbox
- Recommendation: Use device encryption + PIN/biometric lock
Impact of Compromise:
- Attacker with shared secret can impersonate the device
- Attacker can decrypt messages intended for that device
- Attacker cannot access YubiKey credentials (they remain on hardware)
Troubleshooting Pairing
QR Code Won't Scan
Issue: Android app doesn't recognize QR code
Solutions:
- Ensure good lighting: QR code needs clear visibility
- Adjust terminal window size: Make QR code larger
# Increase terminal font size, then restart pairing - Manually enter pairing details:
- In Android app, tap "Manual entry" instead of scanning
- Enter the pairing ID and PIN shown on Linux terminal
"Pairing Failed: Invalid PIN"
Issue: SPAKE2 key derivation failed (PINs don't match)
Cause:
- Typo in manual PIN entry
- QR code parsing error
- PIN mismatch attack attempt
Solution:
- Verify PIN exactly matches on both devices
- Restart pairing on both sides (generates new PIN)
- Try manual entry if QR scanning is unreliable
"Pairing Timeout"
Issue: Pairing session expired (5-minute limit)
Cause:
- User took too long to complete pairing
- Network connectivity issues prevented message delivery
Solution:
- Restart pairing on Linux (press
Pagain) - Complete pairing within 5 minutes
- Check network connectivity between devices and server
"Connection Refused"
Issue: Android app can't reach relay server
Cause:
- Server is not running
- Wrong server URL in app configuration
- Firewall blocking port 3000
Solutions:
-
Verify server is running:
curl http://localhost:3000/health
# Should return: {"status": "ok"} -
Check server URL in Android app:
- Go to app settings
- Verify server URL matches actual server address
- For embedded server: Use Linux machine's local IP (e.g.,
http://192.168.1.100:3000)
-
Check firewall:
# Allow port 3000 on Linux
sudo ufw allow 3000/tcp # Ubuntu/Debian
sudo firewall-cmd --add-port=3000/tcp --permanent # Fedora
"Device Already Paired"
Issue: Attempting to re-pair without unpairing first
Solution:
- Unpair existing pairing on both devices
- Initiate fresh pairing with new QR code/PIN
Pairing Best Practices
Security Best Practices
- Verify PIN on both devices - Don't skip this step!
- Complete pairing in private - Don't display QR codes in public
- Use strong device authentication - Enable PIN/biometric lock on Android
- Enable full-disk encryption - Protect shared secret at rest on Linux
- Unpair unused devices - Remove old pairings you no longer need
Usability Best Practices
- Pair in a well-lit area - Improves QR code scanning reliability
- Keep devices close to router - Ensures good network connectivity during pairing
- Name devices descriptively - Makes it easier to identify pairings later
- Pair before you need it - Don't wait until you urgently need to authenticate
Advanced: Manual Pairing
If QR code scanning isn't available, you can manually pair:
On Linux
- Start pairing and note the pairing ID and PIN:
Pairing ID: pair-123e4567-e89b-12d3-a456-426614174000
PIN: 123456
On Android
- In the app, tap "Manual Pairing"
- Enter the pairing ID:
pair-123e4567-e89b-12d3-a456-426614174000 - Enter the PIN:
123456 - Enter server URL (if not using default):
http://192.168.1.100:3000 - Tap "Pair"
The rest of the pairing process is identical to QR code pairing.
Next Steps
- Using FIDO Bridge - Authenticate with WebAuthn
- Troubleshooting - Solve common issues
- Security Architecture - Understand pairing security