Frequently Asked Questions
Where are Crayonic products being manufactured?
Due to the sensitive nature of our solutions, we keep the production within the European Union.
What is the advantage of an external authenticator like KeyVault compared to an app on my mobile phone?
Crayonic is actually testing most of its algorithms on a mobile device so we could technically release a software version too, however:
a) Even using a phone with a secure enclave or special SIM, the big problem is the continuous online connection and the phone’s ability to run malware. Research shows that smartphones come with hundreds of vulnerabilities right out of the production line which multiplies with downloaded apps. This dangerous combination of insecure devices and online connectivity gives hackers many remote possibilities to exploit phone vulnerabilities should the target be valuable enough. (Just remember how keys stored in the secure element of a premium manufacturer’s phones were readable by websites for a decade. Or remember the no-click malware executable just by receiving an email, also available to hackers for almost a decade.)
That’s why it is better to rely on a trusted and certified device that works offline and provides zero-knowledge-proof of identity to requesting systems without disclosing any sensitive or biometric data of the user via the internet. Unlike the mobile, your personal and sensitive data such as biometrics are untouchable by bad actors even if you would just hand them your KeyVault.
b) People change phones too often and transferring cryptographic keys and secrets from one device to another is not an easy task, if not impossible for a regular user.
That’s why having a dedicated device personalized to the user, and supported by an optional and simple yet highly secure key recovery possibility relying on multiparty computing scheme, is more secure and convenient for everyone.
c) The wide variety of available smartphones work with extremely fragmented underlying technologies -- operating systems, HW components, drivers, etc. That makes it impossible to always guarantee smooth and flawless operation in all authentication use cases while relying on strict communication and connectivity protocols (NFC, Bluetooth, USB) defined for secure authentication by standard bodies such as the FIDO Alliance.
That’s why having a device with a fine-tuned and certified hardware and firmware, and built on global standards for connectivity and integration, provides for a more reliable, frictionless, and secure user experience.
d) A smartphone is not certifiable to strict cybersecurity standards such as Common Criteria or FIDO L3 which are needed for high-value assets and for electronic IDs that can guarantee one's identity. Crayonic KeyVault has the ambition to pass these audits and certify as a device capable to carry the government-trusted certificate, known in the European Union as the eID. For the Crayonic KeyVault owner, this will solve the KYC and AML procedures in online transactions.
What differentiates KeyVault from any other external authenticator?
Crayonic KeyVault balances security and usability. A security solution that ignores user experience is very probably going to be rejected or at least disliked by users.
KeyVault relies on intuitive methods of authentication (fingerprint scan, voice, handwriting) that can be combined depending on the value of the transaction or other configurable parameters.
Crayonic KeyVault requires no installation of any application or software on the user’s device. Relying on multiple standard communication protocols the KeyVault is compatible with a variety of systems out-of-the-box.
Crayonic KeyVault uses on-device behavioral biometrics to provide the Proof-Of-Free-Will™.
What exactly do you mean by the Proof-Of-Free-Will™?
Crayonic KeyVault confirms the user’s identity AND their explicit intent to authenticate or authorize a transaction. This rules out any unintentional, unwilling, accidental authorizations (i.e. pointing one’s phone to their face to unlock it) as well as those potentially made under duress.
Thus, even if someone takes another person’s KeyVault and knows their PIN code they will not be able to proceed because of required behavioral biometrics that are unique to the KeyVault owner.
What are the most requested use cases for the KeyVault?
1. The most requested use case is a secure Windows domain authentication without passwords in enterprise environments with a simple tap on the KeyVault fingerprint sensor. For most laptops, this will work over Bluetooth, but the USB port can also be used. This effectively provides for a very strong multi-factor authentication without the need to rely on annoying and insecure passwords.
2. Approving and e-signing of electronic documents with strong proof of identity and non-repudiation is easily achievable by integrating KeyVault with existing e-signing solutions with minimum effort using the FIDO2 standard.
3. Any user verification and authentication use cases using FIDO2 / WebAuthn protocol on the level of the operating system and/or a compatible web browser. See also: https://github.com/webauthn-open-source/fido2-webauthn-status
4. Other non-FIDO and legacy use cases supported by KeyVault include:
PIV or smart card over USB/NFC for VPN authentication, or other apps.
Secure personal storage – a small mass storage device for your most sensitive docs or legacy password managers over USB & BTLE.
OTP support – legacy one-time password generator for a smooth transition from existing MFA technology.
HW password manager – legacy support for password storage/generation on a secure device.
Physical access via NFC – door opening.
Follow-me printing over NFC.
How can I get a sample of Crayonic KeyVault and test it in my organization’s use cases?
Please contact us to select the nearest value-added reseller or integration partner in your geography. During Q2 and Q3 2020 KeyVault in the beta testing and certification phase. We are open to discussing partnerships with system integrators or institutional beta testers.
We encourage organizations to first embrace the FIDO2 standard and build the infrastructure possibly parallel to an existing one. Crayonic is ready to provide consultancy in this first step that provides significant value without vendor-locking.
Does Crayonic hold any patents?
There is a pending international patent for Crayonic’s technology of creating a Qualified Electronic Signature using a stylus.
There is also a pending patent related to the product design of Crayonic KeyVault.
Multiple other patents are in works.
Where is Crayonic incorporated?
Crayonic is incorporated in the Netherlands with a sales office in New York and the development and manufacturing center in Slovakia.
I would like to learn more technical details about the KeyVault.
Please contact us and we will provide you with the available documentation and security model.