Crayonic Digital Identity HW Wallets
Technical Resources
Audience: IT administrators, security professionals, developers
Introduction
Crayonic Digital ID Wallets are hardware wearables for critical infrastructure that primarily facilitate secure passwordless multifactor authentication for logical or physical access. These wallets are designed to eliminate the need for traditional passwords, thus enhancing security measures and reducing the risk of unauthorized access.
The wallets can be easily adjusted to fit specific user needs, adapting to the different requirements of businesses and organizations. They offer configurability, allowing IT administrators to set them up to meet specific security policies and protocols that align with existing IT infrastructure.
Additionally, Crayonic Digital ID Wallets can be extensively customized. This customization potential allows organizations to request modifications to suit unique operational demands, integration needs, and user experiences, making them versatile tools in enhancing cybersecurity while ensuring seamless adaptability to varied technological ecosystems.
For a quick technical overview of existing digital ID hardware wallets in different form factors:
- Crayonic Badge and its counterpart enabling proximity login, Crayonic Bridge
- Crayonic Badge 2.0 - coming in 2026
- Crayonic Soft Badge - coming in 2025
All wallets support the two most commonly used passwordless credential types: FIDO2 passkeys and X509 certificates via the NIST-standard PIV protocol.
All wallets (except Crayonic Soft Badge) currently use Common Criteria EAL 4+ certified secure key store with the following specifications.
Furthermore, Crayonic Badge version 1.5 supports the use of external smart cards, including those certified for specific applications such as Qualified Electronic Signatures (QES), military Common Access Cards (CAC), and others.
Note: To check compatibility, or if you have issues connecting the KeyVault to your web browser, please verify whether your browser supports the W3C WebAuthn standard here: Web browser support
Settings and Firmware Updates
Settings and Device Configurations
Crayonic wallets are designed to be as standalone as possible, allowing users to modify settings directly via the built-in menu. However, it may be easier to change some advanced settings using a web browser via this link: Crayonic wallet settings
Crayonic devices support secure firmware updates: update packages are digitally signed and deliver the latest features and bug fixes. The following instructions are for performing manual updates. For enterprise users managing devices centrally, please refer to the Crayonic Device Management (CDM) guidelines.
Firmware for Crayonic KeyVault
To manually update firmware without Crayonic Agent (download link below):
- Connect the device via USB to a Windows 10+ PC.
- Hold down the button and select "Update Firmware" in the device main menu. NOTE: This menu item is ONLY available while connected to a PC via USB cable.
- Unzip the downloaded ZIP file and launch update.bat, then press Enter to start the update process.
- A factory reset is suggested and may be required if your biometrics don't work. NOTE: Factory reset will delete all credentials, so you may have to recover them via Crayonic Gateway if they are managed by it.
KeyVault_Update_1.2.95.zip
Firmware for Crayonic Badge
To manually update firmware without Crayonic Agent:
Instructions for the firmware update are included in the zip file, or you can simply launch the .bat file to automatically update a USB-connected Badge. Alternatively, you can watch the video tutorial below if you need to enter bootloader manually:
Badge_Update_V1.3.16.zip
https://www.youtube.com/watch?v=mVD36eksXz0
For the latest Crayonic Badge beta version you can also try the auto updater, which will automatically update your Badge with the latest beta version of the firmware:
https://release.crayonic.io/Firmware/tools/badge_update_beta.exe
Firmware for Crayonic Bridge
To manually update firmware without Crayonic Agent:
Bridge_1.1.34.zip
For the latest Crayonic Bridge beta version you can also try the auto updater, which will automatically update your Bridge with the latest beta version of the firmware:
https://release.crayonic.io/Firmware/tools/bridge_update_beta.exe
Crayonic Bridge Settings
To adjust the login/logout proximity distance settings, you will need the Bridge settings tool, available below.
https://release.crayonic.io/Firmware/tools/bridge_settings.exe
Physical Access
Crayonic wallets offer significant benefits when utilized for more than just securing access to computers and IT systems. They also provide advantages in allowing entry to physical locations and supporting other practical applications.
Through these diverse capabilities, Crayonic wallets become an essential tool, promoting efficient and secure interactions in both digital and physical environments. Users can rely on these wallets not only for IT access but also for a variety of other scenarios, enhancing their overall utility and value in daily activities.
For details, please refer to the Physical Access subpage: Physical Access
Enterprise Setup for On-premises, Hybrid or Cloud MS Domains
You can download our complimentary guide below if you need to configure your on-premises Microsoft infrastructure. This guide will assist you in enabling on-premises Microsoft Domain Windows login using our digital wallets either through an X509 certificate or FIDO2 Passkeys, integrated with Azure or hybrid Microsoft Entra ID.
Crayonic_Enterprise_Setup.pdf
For Microsoft Entra ID FIDO2 passkey provisioning download:
Crayonic Credential Manager
The tool for administrators to provision FIDO2 passkeys on behalf of users into Crayonic wallets.
https://release.crayonic.io/CredentialManager/BLEEDING_EDGE/index.html
For Microsoft Certificate Services X509 certificates provisioning download:
Crayonic PIV Manager
The tool for administrators to provision X509 certificates on behalf of users into Crayonic wallets.
MS Windows zipped exe:
keyvault-piv-manager-1.4.16-win-debug.zip
And the source code:
https://gitlab.com/crayonic/keyvault-piv-manager
Credential Provider
This is an add-on to improve login and logout experience on Windows. It offers a cleaner UI than native MS Windows smartcard UI and removes the PIN dialog from the login screen, making the login experience similar to FIDO2 passkeys login UI. Supports X509, Passkey, and password credentials.
To install on MS Windows 7+ PCs, you can simply run the .bat file or use a shared network folder and AD policy to distribute to all Windows workstations in your domain.
CrayonicCredentialProviderEN.zip
Demo Credential Provider
The credential provider below is the basis for domain-less authentication for local accounts only. Its production version needs to be connected to a backend service that can control such local accounts.
For testing and demo purposes, you can download the credential provider and follow the included README to set up the correct local user for demonstration purposes only.
CrayonicCredentialProviderLocalUserEN.zip
Crayonic Agent
This tool allows management of large deployments of Crayonic Wallets with monitoring and automatic updates for all devices. It requires deployment on every endpoint where Crayonic devices are used. It should be used with a compatible CMS system.
Certificate-based Single File Encryption
One compelling application of the digital wallets is protecting a single file by encrypting it under an X509 certificate, so that only the holder of the matching private key in the wallet can open it. This is a more involved implementation and comes with Python example code. You are encouraged to explore it and report any issues directly in the GitLab repository.
https://gitlab.com/crayonic/pivcrypt
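The mechanism behind certificate-based single file encryption is hybrid encryption: the file is encrypted under a fresh symmetric key, and only that key is wrapped with the public key taken from the user's X509 certificate, so the private key on the wallet is needed for nothing but unwrapping it. The following is an added example written for this page in Go; it is not code from pivcrypt or from Crayonic. The self-signed certificate, the envelope layout, the OAEP label and all function names are constructed for the example, and the private key is kept in software only so the unwrap step can be shown; with a wallet that one step would be delegated to the token's PIV key (an assumption about deployment) and the rest runs unchanged.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed OAEP label; ties the wrapped key to this envelope format.
var oaepLabel = []byte("cert-file-encryption-example")

// must panics on error; used for fixture setup and for errors that cannot occur.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestCertificate builds a constructed self-signed RSA certificate standing in
// for the one read from the wallet's PIV slot. The private key is returned only so
// the unwrap step can be shown in software; on a token it never leaves the key store.
func newTestCertificate() (*x509.Certificate, *rsa.PrivateKey) {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example user (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	return must(x509.ParseCertificate(der)), priv
}

// newGCM cannot fail for a 32-byte key, which is all callers pass it.
func newGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// EncryptForCertificate is hybrid encryption: a fresh AES-256 key seals the file
// with AES-GCM and the certificate's RSA public key wraps that key with RSA-OAEP.
// Envelope: [wrapped key, pub.Size() bytes][12-byte nonce][ciphertext||tag]. The
// wrapped key doubles as GCM additional data, so substituting one wrapped under a
// different certificate makes the tag check fail instead of yielding garbage.
func EncryptForCertificate(cert *x509.Certificate, plaintext []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	if cert.KeyUsage != 0 && cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		return nil, errors.New("certificate key usage does not allow key encipherment")
	}
	secret := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	fileKey, nonce := secret[:32], secret[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	out := append(append([]byte{}, wrapped...), nonce...)
	return newGCM(fileKey).Seal(out, nonce, plaintext, wrapped), nil
}

// DecryptWithPrivateKey reverses EncryptForCertificate. Only the RSA-OAEP unwrap
// needs the private key; with a wallet that single operation is what the host would
// hand to the token (deployment assumption), while AES-GCM stays on the host.
func DecryptWithPrivateKey(priv *rsa.PrivateKey, env []byte) ([]byte, error) {
	n := priv.Size()
	if len(env) < n+12+16 { // wrapped key, nonce, and at least a GCM tag
		return nil, errors.New("envelope truncated")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env[:n], oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	if len(fileKey) != 32 {
		return nil, errors.New("unwrapped key has the wrong length")
	}
	// Open verifies the tag over ciphertext and wrapped key; any tampering fails here.
	return newGCM(fileKey).Open(nil, env[n:n+12], env[n+12:], env[:n])
}

func main() {
	cert, priv := newTestCertificate()
	env := must(EncryptForCertificate(cert, []byte("constructed file contents")))
	pt, err := DecryptWithPrivateKey(priv, env)
	fmt.Printf("envelope %d bytes, recovered %q, err=%v\n", len(env), pt, err)
}
```

Running it prints the envelope size and the recovered text. Two design points carry over to any tool of this kind: the wrapped key is bound into the AES-GCM tag as additional data, so a ciphertext cannot be spliced onto a key wrapped for a different certificate, and the decryptor checks the envelope length before slicing it. A production tool should additionally validate the certificate chain and validity period against the organization's CA before encrypting to it; this example only checks the key-usage bit.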
Identity, Access and Credential Management
Crayonic products are already out-of-the-box compatible with most modern CMS, SSO, and IAM solutions such as Microsoft Active Directory, Microsoft Entra ID, Okta, Duo, ForgeRock, Ping, and many more that support FIDO2 passkeys and X509 certificates.
Crayonic Gateway
Crayonic Gateway provides additional benefits of a fully integrated solution where not just identities are managed but also devices and all of their credentials residing in Crayonic wallets can be centrally managed, including FIDO2 passkeys, X509 certificates, legacy passwords, and OTPs.
Some features worth mentioning include:
- Remote X.509 certificate issuance over a FIDO/passkey-compatible web browser - agentless (re)issuance suitable for at-home remote users.
- Security policy customization and enforcement for Crayonic wallets (e.g., allow proximity login, disable biometrics or PIN, etc.).
- Credential self-service (re)issuance based on the preferred identity provider (e.g., biometrics with physical ID documents, eID documents, QES certificates, etc.).
Note: Crayonic Gateway is a SaaS solution that can be hosted on-premises by your organization - just ask us for help or available implementation partners. For those more adventurous, use the GitLab link below to try it out yourself using Docker infrastructure.