
Crayonic Digital Identity HW Wallets

Technical Resources

Audience: IT administrators, security professionals, developers

Introduction

Crayonic Digital ID Wallets are hardware wearables for critical infrastructure that primarily facilitate secure passwordless multifactor authentication for logical or physical access. These wallets are designed to eliminate the need for traditional passwords, thus enhancing security measures and reducing the risk of unauthorized access.

The wallets can be easily adjusted to fit specific user needs, adapting to the different requirements of businesses and organizations. They offer configurability, allowing IT administrators to set them up to meet specific security policies and protocols that align with existing IT infrastructure.

Additionally, Crayonic Digital ID Wallets can be extensively customized. This customization potential allows organizations to request modifications to suit unique operational demands, integration needs, and user experiences, making them versatile tools in enhancing cybersecurity while ensuring seamless adaptability to varied technological ecosystems.

A quick technical overview is available for each of the existing digital ID hardware wallets, which come in different form factors:

  1. Crayonic Badge and its counterpart that enables proximity login, Crayonic Bridge

  2. Crayonic KeyVault

  3. Crayonic Badge 2.0 - coming in 2026

  4. Crayonic Soft Badge - coming in 2025

All wallets include support for the two most commonly used passwordless credentials: FIDO2 passkeys and X509 certificates via the NIST-standard PIV protocol.

All wallets (except Crayonic Soft Badge) currently use a Common Criteria EAL 4+ certified secure key store with the following specifications.

Furthermore, Crayonic Badge version 1.5 supports the use of external smart cards, including those certified for specific applications such as Qualified Electronic Signatures (QES), military Common Access Cards (CAC), and others.

Note: To check for compatibility or if you have issues connecting the KeyVault to your web browser, please verify if your browser supports the W3C WebAuthn standard here: Web browser support

Settings and Firmware Updates

Settings and Device Configurations

Crayonic wallets are designed to be as standalone as possible, allowing users to modify settings directly via the built-in menu. However, it may be easier to change some advanced settings using a web browser via this link: Crayonic wallet settings

Crayonic devices support secure, digitally signed firmware updates that deliver the latest features and bug fixes. The following instructions are for performing manual updates. For enterprise users managing devices centrally, please refer to the Crayonic Device Management (CDM) guidelines.

Firmware for Crayonic KeyVault

To manually update firmware without Crayonic Agent (download link below):

  1. Connect the device via USB to a PC running Windows 10 or later.

  2. Hold down the button and select "Update Firmware" in the device main menu. NOTE: This menu item is ONLY available while the device is connected to a PC via USB cable.

  3. Unzip the downloaded ZIP file and launch update.bat, then press Enter to start the update process.

  4. Factory Reset is suggested and may be required if your biometrics don't work. NOTE: Factory reset will delete all credentials, so you may have to recover them via Crayonic Gateway if they are managed by it.

KeyVault_Update_1.2.95.zip

Download (15.4 MB)


Firmware for Crayonic Badge

To manually update firmware without Crayonic Agent:

Instructions for the firmware update are included in the zip file, or you can simply launch the .bat file to automatically update a USB-connected Badge. Alternatively, you can watch the video tutorial below if you need to enter the bootloader manually:

Badge_Update_V1.3.16.zip

Download (15.3 MB)

https://www.youtube.com/watch?v=mVD36eksXz0

For the latest Crayonic Badge beta version, you can also try the auto-updater, which automatically updates your Badge to the latest beta version of the firmware:

https://release.crayonic.io/Firmware/tools/badge_update_beta.exe


Firmware for Crayonic Bridge

To manually update firmware without Crayonic Agent:

Bridge_1.1.34.zip

Download (27.4 MB)

For the latest Crayonic Bridge beta version, you can also try the auto-updater, which automatically updates your Bridge to the latest beta version of the firmware:

https://release.crayonic.io/Firmware/tools/bridge_update_beta.exe

Crayonic Bridge Settings

To adjust the login/logout proximity distance settings, you will need the Bridge settings tool, available below.

https://release.crayonic.io/Firmware/tools/bridge_settings.exe


Physical Access

Crayonic wallets offer significant benefits when utilized for more than just securing access to computers and IT systems. They also provide advantages in allowing entry to physical locations and supporting other practical applications.

Through these diverse capabilities, Crayonic wallets become an essential tool, promoting efficient and secure interactions in both digital and physical environments. Users can rely on these wallets not only for IT access but also for a variety of other scenarios, enhancing their overall utility and value in daily activities.

For details, please refer to the Physical Access subpage: Physical Access

Enterprise Setup for On-premises, Hybrid or Cloud MS Domains

You can download our complimentary guide below if you need to configure your on-premises Microsoft infrastructure. This guide will assist you in enabling on-premises Microsoft Domain Windows login using our digital wallets either through an X509 certificate or FIDO2 Passkeys, integrated with Azure or hybrid Microsoft Entra ID.

Crayonic_Enterprise_Setup.pdf

Download (2.5 MB)

For Microsoft Entra ID FIDO2 passkey provisioning, download:

Crayonic Credential Manager

The tool for administrators to provision FIDO2 passkeys on behalf of users into Crayonic wallets.

https://release.crayonic.io/CredentialManager/BLEEDING_EDGE/index.html

For Microsoft Certificate Services X509 certificate provisioning, download:

Crayonic PIV Manager

The tool for administrators to provision X509 certificates on behalf of users into Crayonic wallets.

MS Windows zipped exe:

keyvault-piv-manager-1.4.16-win-debug.zip

Download (11.3 MB)

And the source code:

https://gitlab.com/crayonic/keyvault-piv-manager

Credential Provider

This is an add-on that improves the login and logout experience on Windows. It offers a cleaner UI than the native MS Windows smart card UI and removes the PIN dialog from the login screen, making the login experience similar to the FIDO2 passkey login UI. It supports X509, passkey, and password credentials.

To install on MS Windows 7+ PCs, you can simply run the .bat file or use a shared network folder and AD policy to distribute to all Windows workstations in your domain.

CrayonicCredentialProviderEN.zip

Download (13.3 MB)


Demo Credential Provider

The credential provider below is the basis for domain-less authentication for local accounts only. Its production version needs to be connected to a backend service that can control such local accounts.

For testing and demo purposes only, you can download the credential provider and follow the included README to set up the correct local user.

CrayonicCredentialProviderLocalUserEN.zip

Download (13.3 MB)


Crayonic Agent

This tool allows management of large deployments of Crayonic Wallets, with monitoring and automatic updates for all devices. It must be deployed on every endpoint where Crayonic devices are used, and it should be used with a compatible CMS.

Crayonic Agent


Certificate-based Single File Encryption

One application of the digital wallets is protecting a single file by encrypting it with an X509 certificate. This is a more sophisticated implementation and comes with Python example code. You are encouraged to explore it and report any issues directly in the GitLab repository.

https://gitlab.com/crayonic/pivcrypt


Identity, Access and Credential Management

Crayonic products are already out-of-the-box compatible with most modern CMS, SSO, and IAM solutions such as Microsoft Active Directory, Microsoft Entra ID, Okta, Duo, ForgeRock, Ping, and many more that support FIDO2 passkeys and X509 certificates.

Crayonic Gateway

Crayonic Gateway provides the additional benefits of a fully integrated solution: not only identities but also devices and all of the credentials residing in Crayonic wallets can be centrally managed, including FIDO2 passkeys, X509 certificates, legacy passwords, and OTPs.

Some features worth mentioning include:

  • Remote X.509 certificate issuance over a FIDO/passkey-compatible web browser - agentless (re)issuance suitable for at-home remote users.

  • Security policy customizations and enforcement for Crayonic wallets (e.g., allow proximity login, disable biometrics or PIN, etc.).

  • Credential self-service (re)issuance based on preferred identity provider (e.g., biometrics with physical ID documents, eID documents, QES certificates, etc.).

Note: Crayonic Gateway is a SaaS solution that can be hosted on-premises by your organization - just ask us for help or available implementation partners. For those more adventurous, use the GitLab link below to try it out yourself using Docker infrastructure.


Comparing Crayonic Products to Other Passwordless Authentication Solutions