SafeKey FIDO2 is a premier U2F hardware device providing secure logins to websites (e.g. Google, Facebook) and personal systems. Simply configure your SafeKey FIDO2 once with all account(s) information, and login confirmation is done by a simple push on a button. In the event of compromised data (logins and/or passwords), SafeKey continues to secure the account(s) through its authentication standards. SafeKey enables strong two-factor, multi-factor and passwordless authentication in conjunction with secure data share cold storage.
What makes SafeKey special?
SafeKey was originally developed to be compatible with SafeHaven's Digital Inheritance platform, Inheriti (see https://inheriti.com), in addition to providing the standard FIDO2 functionality.
What makes our security key, SafeKey, unique is that we use U2F as a transport layer for our Secure Storage features and to integrate with our Secure Share Distribution Protocol (SSDP).
FIDO fundamentals (how FIDO works)
The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.
The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
Registration
- User is prompted to choose an available FIDO authenticator that matches the online service’s acceptance policy.
- User unlocks the FIDO authenticator using a fingerprint reader, a button on a second-factor device, securely-entered PIN or other method.
- User’s device creates a new public/private key pair unique for the local device, online service and user’s account.
- Public key is sent to the online service and associated with the user’s account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device.
Login
- Online service challenges the user to login with a previously registered device that matches the service’s acceptance policy.
- User unlocks the FIDO authenticator using the same method as at Registration time.
- Device uses the user’s account identifier provided by the service to select the correct key and sign the service’s challenge.
- Client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user.
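The login steps above, seen from the online service's side, as an added example that is not SafeKey's or any project's own code. It simulates the authenticator with Node's built-in crypto module and leaves out CBOR, attestation and the signature-counter comparison; the function names and the origins example.com and login.example.net are assumptions chosen for illustration.

```javascript
const nodeCrypto = require("node:crypto");
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// Authenticator (simulated): a fresh P-256 key pair for one service and account.
const register = () => nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Client + authenticator (simulated): the browser writes the origin it really sees
// into clientDataJSON; the key signs authenticatorData || SHA-256(clientDataJSON).
function signAssertion(privateKey, { origin, rpId, challenge }) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const flags = Buffer.from([0x01]);          // bit 0: user present (button pressed)
  const signCount = Buffer.from([0, 0, 0, 1]);
  const authenticatorData = Buffer.concat([sha256(rpId), flags, signCount]);
  const signature = nodeCrypto.sign("sha256",
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Online service: checks made with the stored public key before logging the user in.
function verifyAssertion(publicKey, expected, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expected.challenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== expected.origin) return "origin mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpId mismatch";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

// Constructed sample values: example.com is the service, login.example.net a look-alike.
function demo() {
  const { publicKey, privateKey } = register();
  const expected = { origin: "https://example.com", rpId: "example.com",
                     challenge: nodeCrypto.randomBytes(32) };
  const good = signAssertion(privateKey, expected);
  const lookalike = signAssertion(privateKey, { ...expected, origin: "https://login.example.net" });
  const tampered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  tampered.authenticatorData[36] ^= 0xff;     // alter the signed counter byte
  return {
    good: verifyAssertion(publicKey, expected, good),
    lookalike: verifyAssertion(publicKey, expected, lookalike),
    replayed: verifyAssertion(publicKey, { ...expected, challenge: nodeCrypto.randomBytes(32) }, good),
    tampered: verifyAssertion(publicKey, expected, tampered),
  };
}
console.log(demo());
```

A response signed for a different origin, one that answers an old challenge, or one whose signed data was altered is rejected before the user is logged in.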
FIDO2 is the overarching term for FIDO Alliance’s newest set of specifications. FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).
FIDO2 reflects the industry’s answer to the global password problem and addresses all of the issues of traditional authentication:
FIDO2 cryptographic login credentials are unique across every website, never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
SafeKey is based on the STM32L432 microcontroller. It offers the following security features.
- True random number generation to guarantee random keys.
- Security isolation so only simple & secure parts of code can handle keys.
- Flash protection from both external use and untrusted code segments.
- 256 KB of memory to support hardened crypto implementations and, later, additional features such as OpenPGP or SSH.
Users unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO security keys. Consumers can select the device that best fits their needs.
Because FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites. Plus, biometric data, when used, never leaves the user’s device.
Web Authentication (WebAuthn)
WebAuthn enables online services to use FIDO Authentication through a standard web API that can be built into browsers and related web platform infrastructure. It is a collaborative effort based on specifications initially submitted by FIDO Alliance to the W3C and then iterated and finalized by the broader FIDO and W3C communities. WebAuthn was designated an official web standard in March 2019. It is currently supported in Windows 10 and Android platforms, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) web browsers.
WebAuthn allows users to log into internet accounts using their preferred device. Web services and apps can – and should – turn on this functionality to give their users an easier login experience via biometrics, mobile devices and/or FIDO security keys — and with much higher security over passwords alone.
For further technical details please visit: https://www.w3.org/TR/webauthn-1/
SafeKey’s Multiple Use-Cases
- FIDO Universal 2nd Factor (U2F)
- Passwordless authentication
- Secure Website Logins
- Social Media Logins
- Personal Platforms
- Cryptocurrency Exchanges
- Additional Layer of Security
- Option to Onboard Safe Haven Inheritance Solution
Open Source: SafeKey invites 3rd-party security audits; the result is higher security standards. European-based company. The most trusted provider of secure hardware solutions. Hardware, software and firmware developed and manufactured in Belgium and Germany.
SafeKey provides a standard-compliant USB plug, offering USB port reliability and longevity.
- B2B solutions: offering a full open-source server along with client integration libraries and support
- Third-party integration without the hassle
- Upgrade licenses will be available to prior versions of SafeKey
- Custom hardware-based multi-signature solutions
- Backup solutions available
- Client-to-browser handled device-to-device backup solution
- Cloud storage backup solution
- Finally, SafeKey is the only secure FIDO dongle compatible with a completely decentralized digital inheritance platform!
High acceptance through easy usage. Using SafeKey FIDO2 is very easy. You configure your SafeKey FIDO2 once to pair it with your online accounts. From now on, you confirm your login by a simple tap on the touch button (optional: by a PIN). Apart from a common web browser, you don't need any additional client software or driver installation.
Good compatibility through future-proof standard. All common web browsers already support FIDO2 and Web Authentication (WebAuthn). More and more websites (e.g. Google, Facebook), on-premise online services (e.g. Nextcloud) and Windows 10 Pro (with Azure Active Directory) support WebAuthn for authentication.
Trust through open source hardware made in Belgium/Germany. SafeKey FIDO2 is published as open source hardware for transparency reasons and is co-developed with Nitrokey.
Phishing protection included. During login, SafeKey FIDO2 validates the domain and therefore protects you reliably against phishing attacks.
Two-factor authentication (2FA) becomes normal
Most of the big websites and about half of all companies make use of two-factor authentication. But beware: Numerous publicly known cases show that even SMS as a two-factor authentication method is easy to hack. Thanks to strong cryptography, SafeKey FIDO2 supports secure two-factor authentication. Your online accounts remain protected even if your password gets stolen.
Passwordless login convinces
With SafeKey FIDO2, you can stop using tedious and insecure passwords. No password policies, no sticky notes with passwords and no forgotten passwords anymore. From now on, you log in easily and securely to your Windows 10 Pro, Microsoft Office 365 or your own enterprise systems with the help of SafeKey FIDO2. Passwordless Login is two-factor authentication with device PIN. Optionally, if it is supported by the website, entering a username can be omitted. In this case the user identifies himself by means of a key on the SafeKey FIDO2.