Most mobile based MFA solutions offer only phishable credentials (one time codes), and even those that offer strong authentication based on asymmetric cryptography with biometrics are often only as secure as the mobile device which has many vulnerabilities due to high complexity and continuous online connectivity. Ability to securely authenticate using biometrics in offline or out-of-band scenarios is also a weak spot since mobiles were not designed to connect reliably to other devices easily.

Crayonic KeyVault confirms the user’s identity AND their explicit intent to authenticate or authorize a transaction. This rules out any unintentional, unwilling, accidental authorizations (i.e. pointing one’s phone to their face to unlock it) as well as those potentially made under duress. Thus, even if someone takes another person’s KeyVault and knows their PIN code they will not be able to proceed because of required behavioral biometrics that are unique to the KeyVault owner.

Just use your credit card to purchase a sample from our online store. For bigger orders, please contact us to select the nearest value-added reseller or integration partner in your geography.

Crayonic KeyVault relies on intuitive methods of authentication using biometrics protected by secure certified hardware. Relying on multiple standard communication protocols the Crayonic KeyVault is compatible with a variety of systems out-of-the-box. There is no need to install any software or drivers on client PCs or mobile devices. Crayonic KeyVault is the only security key that can be fully managed using enterprise cloud or on-prem service.

1. The most requested use case is a secure Windows domain authentication without passwords in enterprise environments with a simple tap on the KeyVault fingerprint sensor. For most laptops, this will work over Bluetooth, but the USB port can also be used. This effectively provides for a very strong multi-factor authentication without the need to rely on annoying and insecure passwords. ​ 2. Approving and e-signing of electronic documents with strong proof of identity and non-repudiation is easily achievable by integrating KeyVault with existing e-signing solutions with minimum effort using the FIDO2 standard. ​ 3. Any user verification and authentication use cases using FIDO2 / WebAuthn protocol on the level of the operating system and/or a compatible web browser. See also: https://github.com/webauthn-open-source/fido2-webauthn-status 4. Other non-FIDO and legacy use cases supported by KeyVault include: PIV or smart card over USB/NFC for VPN authentication, or other apps. Secure personal storage – a small mass storage device for your most sensitive docs or legacy password managers over USB & BTLE. OTP support – legacy one-time password generator for a smooth transition from existing MFA technology. HW password manager – legacy support for password storage/generation on a secure device. Physical access via NFC – door opening. Follow-me printing over NFC.

Crayonic is actually testing most of its algorithms on a mobile device so we could technically release a software version too, however: a) Even using a phone with a secure enclave or special SIM, the big problem is the continuous online connection and the phone’s ability to run malware. Research shows that smartphones come with hundreds of vulnerabilities right out of the production line which multiplies with downloaded apps. This dangerous combination of insecure devices and online connectivity gives hackers many remote possibilities to exploit phone vulnerabilities should the target be valuable enough. (Just remember how keys stored in the secure element of a premium manufacturer’s phones were readable by websites for a decade. Or remember the no-click malware executable just by receiving an email, also available to hackers for almost a decade.) That’s why it is better to rely on a trusted and certified device that works offline and provides zero-knowledge-proof of identity to requesting systems without disclosing any sensitive or biometric data of the user via the internet. Unlike the mobile, your personal and sensitive data such as biometrics are untouchable by bad actors even if you would just hand them your KeyVault. ​ b) People change phones too often and transferring cryptographic keys and secrets from one device to another is not an easy task, if not impossible for a regular user. That’s why having a dedicated device personalized to the user, and supported by an optional and simple yet highly secure key recovery possibility relying on multiparty computing scheme, is more secure and convenient for everyone. ​ c) The wide variety of available smartphones work with extremely fragmented underlying technologies -- operating systems, HW components, drivers, etc. That makes it impossible to always guarantee smooth and flawless operation in all authentication use cases while relying on strict communication and connectivity protocols (NFC, Bluetooth, USB) defined for secure authentication by standard bodies such as the FIDO Alliance. That’s why having a device with a fine-tuned and certified hardware and firmware, and built on global standards for connectivity and integration, provides for a more reliable, frictionless, and secure user experience. ​ d) A smartphone is not certifiable to strict cybersecurity standards such as Common Criteria or FIDO L3 which are needed for high-value assets and for electronic IDs that can guarantee one's identity. Crayonic KeyVault has the ambition to pass these audits and certify as a device capable to carry the government-trusted certificate, known in the European Union as the eID. For the Crayonic KeyVault owner, this will solve the KYC and AML procedures in online transactions. ​

Crayonic KeyVault balances security and usability. A security solution that ignores user experience is very probably going to be rejected or at least disliked by users. KeyVault relies on intuitive methods of authentication (fingerprint scan, voice, handwriting) that can be combined depending on the value of the transaction or other configurable parameters. ​ Crayonic KeyVault requires no installation of any application or software on the user’s device. Relying on multiple standard communication protocols the KeyVault is compatible with a variety of systems out-of-the-box. ​ Crayonic KeyVault uses on-device behavioral biometrics to provide the Proof-Of-Free-Will™.

Crayonic is incorporated in the Netherlands with a sales office in New York and the development and manufacturing center in Slovakia. ​ I would like to learn more technical details about the KeyVault. Please contact us and we will provide you with the available documentation and security model.

Due to the sensitive nature of our solutions, we keep the production within the European Union. All key components of our products are EU-made and certified.