Crayonic Badge™
Specification of Version B1.0 & B1.5
© Crayonic B.V.
Passwordless Access & Identity Wallet
Crayonic Badge™ (CB) is a smart wearable device in a badge holder form factor for securing digital transactions in online and offline environments. CB implements multiple open standards with well-defined protocols and enables highly secure identification and authentication of its owner across a range of use cases.
The Badge secures all sensitive personal information such as biometric templates, cryptographic keys, FIDO2 credentials, legacy passwords, and X.509 certificates. With this data, users can interact with various devices and applications - from logical access to desktop PCs, mobile devices, and IoT to cloud applications and even physical access systems.
The Badge can augment existing PKI or physical access proximity card infrastructure by accepting legacy smart cards with RFID and/or physical contact interfaces. This can speed up and further secure their usage.
Multiple Authentication Factors On-Device
Identification and authentication of the user are based on knowledge and biometric factors, which together with possession of the Badge meet the three-factor authentication criteria for even the highest security use cases: possession, knowledge, and inherence. Version B1 supports static biometrics (fingerprint) and the knowledge factor (4-digit PIN code).
Future versions of CB will support additional static (face) and behavioral biometrics with dynamic characteristics such as the user's gestures, body motions, and voice. Biometric processing and PIN verification take place on the device, within the authenticator's secure environment, without dependence on external resources or connectivity.
On-Body Detection & Gestures
The CB authenticator supports on-body detection, enabling continuous authentication so that users can log in with one simple button press on CB. Embedded motion sensors keep the user logged into the authenticator while it is being worn. If no motion is detected for an administrator-defined period of time (e.g., 20 seconds), the user is logged out of the CB authenticator.
Additionally, the motion sensors can be used for gestures (e.g., double tap) to confirm the user's intent to access a nearby device/desktop/IoT, if this is preferred to pressing a button.
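The on-body session described above, written out as an added example (not Crayonic's code): the session stays open only while the last motion sample is within the administrator-defined timeout (20 s, the page's example value), a session that has expired cannot be revived by later motion, and a double tap is accepted as confirmation of intent only on a live session. The 0.4 s double-tap window is an assumption for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class OnBodySession:
    inactivity_timeout_s: float = 20.0   # administrator-defined period (page example)
    double_tap_window_s: float = 0.4     # assumed max gap between the two taps
    verified_at: Optional[float] = None  # last successful fingerprint/PIN check
    last_motion_at: Optional[float] = None
    _tap_times: List[float] = field(default_factory=list)

    def verify_user(self, now: float) -> None:
        """A successful on-device fingerprint/PIN check opens the session."""
        self.verified_at = now
        self.last_motion_at = now
        self._tap_times.clear()

    def is_logged_in(self, now: float) -> bool:
        """Logged in only if verified and the badge moved within the timeout."""
        if self.verified_at is None or self.last_motion_at is None:
            return False
        if now < self.last_motion_at:        # clock moved backwards: fail closed
            return False
        if now - self.last_motion_at > self.inactivity_timeout_s:
            self.verified_at = None          # auto logout; re-verification needed
            return False
        return True

    def motion(self, now: float) -> None:
        """A motion sample keeps a live session alive; it never revives an expired one."""
        if self.is_logged_in(now):
            self.last_motion_at = now

    def tap(self, now: float) -> bool:
        """Return True when this tap completes a double tap on a live session,
        i.e. the user's confirmed intent to access the nearby device."""
        if not self.is_logged_in(now):
            self._tap_times.clear()
            return False
        self.motion(now)                     # a tap counts as motion too
        window = self.double_tap_window_s
        self._tap_times = [t for t in self._tap_times if now - t <= window]
        self._tap_times.append(now)
        if len(self._tap_times) >= 2:
            self._tap_times.clear()          # gesture consumed
            return True
        return False
```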
Proximity Login & Logout
When enabled, the Crayonic Badge smart authenticator allows automatic login and logout via a purpose-designed Bluetooth-USB dongle called Crayonic Bridge (CBLE) or via compatible NFC/BLE readers (e.g., mobile NFC rfIDEAS).
The Bridge requires no additional software or drivers to be installed on the endpoint devices. It serves as a "virtual cable" connecting the PC with Crayonic authenticators over a secured, factory pre-paired Bluetooth link.
Remote or On-Premises Secure Access
Being compatible with multiple existing standards, communication channels, and operating systems, the Crayonic Badge can enable access to enterprise resources on-premises (e.g., desktop login) or remotely (e.g., RDP remote desktop, VPN, cloud services).
Legacy Application Authentication*
Crayonic Badge can act as a decentralized password manager that can autofill usernames and passwords for legacy Windows applications. For this functionality, a Crayonic Agent needs to be installed on an endpoint PC.
*This feature is planned for H2 2025 unless re-prioritized based on demand.
Configuration & Manageability
Crayonic Badges can be managed and configured using compatible device and credential management solutions with the Crayonic Agent middleware installed on MS Windows endpoints, such as Crayonic's open-source solution Crayonic Gateway.
Indoor Tracking and Paging
Besides identity and authentication use cases, Crayonic Badge has optional support for on-premises text paging functionality along with indoor location tracking when used with compatible services, including optional support for the Android Find My Device network*.
Core Specifications - Crayonic Badge™ Model B1
Logical Access | FIDO2 & PIV over USB, BLE, NFC, Crayonic Bridge BLE (CBLE) |
Physical Access | (Optional) (LF) 125kHz Proxcard, (HF) MIFARE Desfire, NTAG |
Biometric verification factors | Fingerprint (up to 4 templates), FAR < 1:50 000, FRR < 1:20 |
Additional verification factors | On-device PIN |
Protection mechanisms | Secure Element for cryptographic operations; Key storage; Trust root and certified TRNG. Certified against Common Criteria EAL5+ profile. |
Key management features | FIDO resident key management with master entropy secure recovery; (Optional) PIV key and X.509 certificate issuance; Key/value storage |
Cryptographic algorithms | ECDSA P-256, SHA-1, SHA-2, AES-256, HMAC, RSA 2048 |
Secure display | 128x32 px OLED (for transaction confirmation, OTPs and on-device admin) |
Visual feedback | Orange LED |
Audio feedback | Beeper |
Mechanical protection | Waterproof, shock-proof |
Sanitization | Healthcare disinfectants, UV light and cleaning agents (alcohol, chloride) compatible |
Temperature ranges | Operation: 0 °C to 45 °C, Storage: -10 °C to 55 °C |
Battery | Rechargeable LiPo min. 490 mAh. Average expected duration - up to 6 months per charge. |
Communication interfaces | NFC - ISO 14443; USB - ISO 7816/CCID, BLE 5.2 |
Physical Card Interfaces (B1.5) | Optional: Contact smart card reader (ISO/IEC 7816-1:2011) - connects card to nearby device over CCID standard protocol |
Mass Storage | AES-256 encrypted (32MB - 64MB or more per request w/FAT support format) |
Manufacturing standards | Auditable secure manufacturing in the European Union (Slovakia); RoHS |
Certifications | FIDO2 Level 1, Microsoft Azure AD, Secure Element Common Criteria EAL5+, CE |
Dimensions | max. 95 mm x 59 mm x 8.5 mm (85 g) |
See also Crayonic KeyVault Technical & Security Whitepaper
Authentication Use Cases Compatibility Table
Use Case | Support | Connectivity |
Badge personalization | ||
Fingerprint, PIN code authentication | on-device | - |
Gesture | on-device | - |
Badge settings & security policies | on-device, Crayonic Gateway, Mobile App* | |
Passwordless biometric login | ||
to a PC over FIDO2, U2F | Windows 10 1903+ with MS Azure AD/hybrid | USB, BLE, NFC, CBLE |
to a PC over PIV (X.509) | Windows 7+, Linux*, Mac OS 10.12+ | USB, NFC, CBLE (Windows) |
to a web service over FIDO2 | Windows 10 1903+ (Edge, Chrome, Firefox, Brave) | USB, BLE, NFC, CBLE |
to a web service over FIDO2 | Linux, Mac OS, ChromeOS | USB, CBLE |
to a web service over FIDO2 | iOS Safari | USB, NFC, CBLE* |
to a web service over U2F | Android | USB, BLE, NFC, CBLE* |
to a web service with X.509 client certificate over PIV | Windows 7+, Windows 10 (Edge, Chrome, Brave) | USB, NFC |
FIDO2 credentials backup & recovery via Crayonic Gateway | Windows 10+, Linux, Mac OS | USB |
Certificate issuance (X.509) | ||
Locally | Windows 7+ using the Crayonic PIV Manager app | USB |
Remotely over FIDO2 via Crayonic Gateway | Windows 10+, Linux, Mac OS 10.12+ | USB |
Mass storage | ||
AES128 encrypted (min. 30MB) FAT16/32 | Windows 7+, Linux, Mac OS 10.12+ | USB |
Digital signing | ||
Using internal X.509 certificate over CCID | Windows 7+, Linux, Mac OS | USB, NFC, CBLE |
Using external card X.509 certificate over CCID | Windows 7+, Linux, Mac OS | USB, CBLE |
Physical Access | ||
ISO 14443 standard | N/A | NFC |
RFID(125kHz), MIFARE DESFire protocols | N/A | NFC |
OTP (per request TOTP, HOTP...)* | on-device | stand-alone, USB |
* Functionality planned for H2 2025 unless re-prioritized based on demand.