Crayonic KeyVault™
Specification of version K1
© Crayonic B.V.
Identity & Access
Crayonic KeyVault™ is a hardware wallet for digital identity, built to secure digital transactions in both online and offline environments. It implements multiple open standards with well-defined protocols and enables highly secure identification and authentication of its owner across a range of use cases.
The KeyVault stores all sensitive personal data on the device, including biometric templates, cryptographic keys, FIDO2 credentials and X.509 certificates, and lets the owner use that data securely when interacting with other devices and applications.
Multiple authentication factors on-device
User identification and authentication combine a knowledge factor and a biometric factor with possession of the device itself, meeting the three-factor criteria (knowledge, possession, inherence) expected of high-security use cases. Version K1 supports a static biometric (fingerprint) and a knowledge factor (4-digit PIN). Future KeyVault firmware may add behavioural biometrics with dynamic characteristics such as the user's handwriting, gestures, body motion and voice*.
Biometric matching and PIN verification take place on the device, inside the authenticator's secure environment, with no dependence on external resources or internet connectivity. A relying party never sees the fingerprint or PIN; it only learns that verification happened, so it must check the authenticator's user-verification signal itself.
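The relying-party side of the point above, as an added example (standard-library Python, not Crayonic code): a FIDO2/WebAuthn authenticator reports on-device PIN or biometric verification only through the UV bit of the authenticatorData flags byte, so a server that wants "biometric login" must require that bit, alongside the rpIdHash and signature-counter checks. The rpId `example.com`, the counter values and the authenticatorData blobs are constructed for illustration; signature verification over the assertion is out of scope here.

```python
"""Relying-party checks on a WebAuthn/FIDO2 assertion's authenticatorData.

Added example (stdlib only), not Crayonic code. rpId, counter values and the
authenticatorData blobs below are constructed for illustration.
"""
import hashlib
import struct

# Flag bits in the authenticatorData flags byte (WebAuthn spec, section 6.1)
FLAG_UP = 0x01  # User Present: the user touched/confirmed on the authenticator
FLAG_UV = 0x04  # User Verified: PIN or biometric was checked on the authenticator
FLAG_AT = 0x40  # Attested credential data follows (registration only)
FLAG_ED = 0x80  # Extension data follows


def parse_authenticator_data(data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return {
        "rp_id_hash": data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
        "rest": data[37:],  # attested credential data / extensions, if any
    }


def verdict(data: bytes, rp_id: str, last_sign_count: int, require_uv: bool = True) -> str:
    """Return "ok" if the assertion passes the RP checks, else a short rejection reason.

    The ECDSA signature over (authenticatorData || sha256(clientDataJSON)) must be
    verified separately with the credential's public key; that step is omitted here.
    """
    ad = parse_authenticator_data(data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return "rpIdHash mismatch: assertion was produced for another relying party"
    if not ad["user_present"]:
        return "UP flag clear: no user presence check on the authenticator"
    if require_uv and not ad["user_verified"]:
        return "UV flag clear: authenticator did not verify the user (PIN/biometric)"
    # Counter check: both zero means the authenticator does not implement a
    # counter; otherwise a non-increasing value suggests a cloned authenticator.
    if (ad["sign_count"] or last_sign_count) and ad["sign_count"] <= last_sign_count:
        return "signature counter did not increase: possible cloned authenticator"
    return "ok"


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticatorData blob (test input, no attested credential data)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed sample assertions for a hypothetical relying party
RP_ID = "example.com"
WITH_UV = build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 42)
WITHOUT_UV = build_authenticator_data(RP_ID, FLAG_UP, 43)

if __name__ == "__main__":
    print(verdict(WITH_UV, RP_ID, last_sign_count=41))           # ok
    print(verdict(WITHOUT_UV, RP_ID, last_sign_count=42))        # UV flag clear ...
    print(verdict(WITH_UV, RP_ID, last_sign_count=42))           # signature counter did not increase ...
    print(verdict(WITH_UV, "evil.example", last_sign_count=41))  # rpIdHash mismatch ...
```

Set `require_uv=False` only for flows where a touch-only (U2F-style) second factor is acceptable; for passwordless login the UV check is what ties the assertion to the on-device fingerprint or PIN verification.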
Proximity login & logout
The Crayonic KeyVault™ smart authenticator enables automatic login and logout through a purpose-built Bluetooth-to-USB dongle, the Crayonic Bridge (CBLE). The Bridge needs no additional software or drivers on the endpoint; it acts as a "virtual cable" connecting the PC to Crayonic KeyVault™ or Crayonic Badge™ authenticators over a secured Bluetooth link.
Configuration & manageability
Crayonic KeyVaults™ can be managed and configured from a compatible device and credential management solution (CMS) through Crayonic Agent, a middleware currently available for Microsoft Windows endpoints only. It is often combined with the Crayonic Credential Provider to improve the login and auto-logout experience, especially for FIDO2 passkey credentials.
Updates and recovery
Crayonic KeyVault supports secure firmware updates, so new features and security patches can be deployed to devices in the field. For enterprise deployments of FIDO2 passkeys, it offers an option to back up and restore the device's master entropy within a secure enterprise environment (HSM), enabling self-service recovery of FIDO2 passkey credentials. Because the backup allows the passkeys to be recovered, access to it must be controlled as strictly as access to the device itself.
Use Cases & Compatibility Table
Use Case | Support | Connectivity
--- | --- | ---
KeyVault personalization | |
Fingerprint, PIN code authentication | on-device | -
FIDO2 credentials backup | Mobile app, CMS | USB, BLE
KeyVault settings & security policies | on-device, Mobile app, CMS | USB, BLE
Passwordless biometric login | |
MS Domain login over FIDO2, U2F | Windows 10 1903+ with MS Azure AD/hybrid | USB, BLE, NFC, CBLE
MS Domain login over PIV (X.509) | Windows 7+, Linux*, Mac OS 10.12+ | USB, NFC, CBLE
Website login over FIDO2 | Windows 10 1903+ (Edge, Chrome, Firefox, Brave) | USB, BLE, NFC, CBLE
Website login over FIDO2 | Linux, Mac OS, ChromeOS | USB, CBLE
Website login over FIDO2 | iOS Safari | USB, NFC, CBLE*
Website login over U2F | Android | USB, BLE, NFC, CBLE*
Website login with X.509 client certificate over PIV | Windows 7+, Windows 10 (Edge, Chrome, Brave) | USB, NFC
Certificate issuance (X.509) | |
Locally, on behalf of the user | Windows 7+ using the Crayonic PIV Manager app | USB
Remotely via web browser | Windows 10+, Linux, Mac OS 10.12+ | USB
Mass storage for password DB | |
AES-128 encrypted FAT16/32 volume (30 MB) | Windows 7+, Linux, Mac OS 10.12+ | USB, CBLE*
Digital signing | |
Using internal X.509 certificate over PIV | Windows 7+, Linux, Mac OS | USB, CBLE*
Physical access | |
ISO 14443 standard | N/A | NFC
Password manager support | |
Bitwarden, LastPass, KeePass, 1Password integration* | Windows 7+, Linux, Mac OS |
Blockchain support | |
Signing ETH transactions* | Windows 7+, Linux, Mac OS |
* Inquire about availability date and version
Core Specifications - Crayonic KeyVault™ model K1
Authentication protocols | FIDO2 over USB, BLE, NFC; U2F over USB, BLE, NFC; PIV over USB, NFC
Optional alternative authentication protocols* | OATH-TOTP, OATH-HOTP, custom OTP schemes over USB or out-of-band (available only per request)
Biometric verification factors | Fingerprint (up to 5 templates), FAR < 1:50,000, FRR < 1:20
Optional alternative biometric verification factors* | Handwriting, voice (available only per request)
Protection mechanisms | Secure Element for cryptographic operations, key storage, root of trust and certified TRNG; the Secure Element is certified against a Common Criteria EAL5+ protection profile
Key management features | FIDO2 resident key management with secure backup of master entropy; PIV key and X.509 certificate management; key/value storage; RTC triggers
Cryptographic algorithms | ECDSA P-256, SHA-1, SHA-2, AES-256, HMAC, RSA 2048; additional algorithms per request
Secure display | 128x32 px OLED (for transaction confirmation, OTP display and on-device management)
Mechanical protection | Splash-proof, shock-proof
Temperature ranges | Operation: 0 °C to 45 °C; storage: -10 °C to 55 °C
Battery | Rechargeable LiPo, 70 mAh; required for BLE, NFC and on-device management operations; minimum 1 month standby; charged over USB
Communication standards | NFC: ISO 14443; USB: CCID smart-card interface carrying ISO 7816 APDUs
Physical port | USB Micro-B (magnetic or USB-C per request)
Mass storage | AES-encrypted volume (30 MB to 64 MB, FAT16/32)
Manufacturing standards | Auditable secure manufacturing in the European Union (Slovakia); RoHS
Certifications | FIDO2 (FIDO Authenticator Certification Level 1), Microsoft Azure AD, Secure Element Common Criteria EAL5+, CE
Dimensions | 74 mm x 24 mm x 13 mm (20 g)