How to use a Cryptnox Fido2 SmartCard

Cryptnox, a FIDO Alliance member, develops and produces a range of smart cards for various applications.
All FIDO2 devices offer the same core functionality. In this article we present some basic operations and use cases for the Cryptnox Fido2 SmartCard.
You can purchase a Cryptnox Fido2 SmartCard on Amazon or on the Cryptnox Shop.

Introduction — What is FIDO2?

FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

More information on FIDO2 is available on the FIDO Alliance website here.

The Cryptnox Fido2 SmartCard supports the FIDO2 protocol as well as its predecessor, U2F (FIDO Universal 2nd Factor). It is FIDO Level 1 certified.

Compatibility

The Cryptnox Fido2 SmartCard supports NFC communication with NFC-enabled iPhone and Android devices.

For desktop/laptop use, it is currently only compatible with Microsoft Windows. macOS is not yet supported (but will be soon).

Desktop/laptop connection requires a USB NFC reader (ISO 14443 compliant, 13.56 MHz) or a USB contact smart card reader (ISO 7816 compliant).

FIDO2 is currently supported by most browsers, such as Google Chrome, Mozilla Firefox and Microsoft Edge. Apple Safari is only supported on iPhone with NFC communication enabled.

General Usage

The Cryptnox Fido2 SmartCard supports two-factor authentication (2FA) and passwordless authentication:

  • With passwordless authentication, entering a password is replaced by logging in with the Cryptnox Fido2 SmartCard and a PIN
  • With two-factor authentication (2FA), the Cryptnox Fido2 SmartCard is checked in addition to the password

Which of these is available depends on the website's FIDO2 implementation.

If you are asked to “tap your security key on the reader”, as in any of these pop-up notifications:

With an NFC reader: simply remove the Cryptnox Fido2 SmartCard from the reader and place it back.

With a contact reader: while keeping the reader connected to the desktop/laptop via USB, remove the Cryptnox Fido2 SmartCard from the reader and reinsert it.

AAGUID

In some cases you are required to provide the AAGUID (Authenticator Attestation GUID) of the authenticator. The AAGUID of the Cryptnox Fido2 SmartCard is:

9c835346-796b-4c27-8898-d6032f515cc5

It might be required in some cases, such as the Windows Hello login description below.

Testing

For testing, you can try registering and logging in on the official FIDO2/WebAuthn demo website:

Webauthn.io

Make sure your Cryptnox Fido2 SmartCard is connected to the desktop through an NFC or contact reader.

In the “Authenticator Type” box choose “Cross Platform” (if you choose “TPM”, your computer’s TPM chip will be used to store the credentials).

Click Register and follow the instructions. If asked to “tap your security key on the reader” with a contact reader, remove and reinsert the card in the reader while keeping the reader connected to the desktop.

Other demo sites:

Webauthn.me

Sites accepting FIDO2 and U2F

The best approach is to check whether the websites you already use support the FIDO2 security protocol; more sites add support every day. If they do, they generally have specific instructions.

A non-exhaustive list of sites accepting FIDO2 and/or U2F can be found on the Hideez site.

Under Security Protocol, choose either U2F or FIDO2/WebAuthn.

Setting the PIN and Resetting the Card with Windows

Go to Settings -> Accounts -> Sign In Options -> Security Key -> Manage

Follow the instructions and choose to manage the PIN or reset the card.

Resetting the card returns it to factory settings and deletes all credentials.

Google Account 2FA login

Go to Manage Your Google Account and enable 2-Step Verification following the instructions on:

Enable 2-step verification for added account security

Then go to Manage Your Google Account -> Security -> 2-Step verification -> Security Keys

Then click on “Add security key” and follow the instructions on the screen.

Windows Login with Microsoft 365 Business Premium

Note: a Microsoft 365 Business Premium subscription is required. These steps are slightly more complex than the usual FIDO2 use cases, but not “that” complex either.

First you need to configure the FIDO2 security key restriction.

The configuration steps are straightforward: enable the FIDO2 Security Keys authentication method and adjust the key restriction policy.

First, go to https://portal.azure.com/ and click on Azure Active Directory.

Go to Security -> Authentication Methods -> Policies -> Fido2 Security Key.

In Fido2 Security Key Settings -> ENABLE, select YES. Adjust the Target setting to All users or Selected users as required.

Then go into Configure. You can either select NO for Enforce Key Restriction, as shown here:

Or enforce the key restriction and add the required AAGUID:
9c835346-796b-4c27-8898-d6032f515cc5
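The key restriction configured above, and the AAGUID given earlier in this article, come together on the relying-party side: at registration the authenticator returns an authenticatorData blob whose attested credential data carries the AAGUID, and a relying party that enforces a key restriction compares that value with an allowlist. The Python below is an added example, not code from this article or from Cryptnox: it parses the fixed-layout part of a WebAuthn authenticatorData blob, extracts the AAGUID and checks it against an allowlist containing the Cryptnox AAGUID quoted above. The relying party id example.com, the credential ids, the placeholder COSE key bytes and the UNKNOWN_AAGUID value are constructed test data, and the checks shown are only a subset of a full WebAuthn registration ceremony.

```python
import hashlib
import uuid
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# AAGUID of the Cryptnox Fido2 SmartCard as given in the article; a relying
# party that enforces a key restriction allowlists exactly this value.
CRYPTNOX_FIDO2_AAGUID = uuid.UUID("9c835346-796b-4c27-8898-d6032f515cc5")
ALLOWED_AAGUIDS: Set[uuid.UUID] = {CRYPTNOX_FIDO2_AAGUID}

# Constructed AAGUID used only to demonstrate a rejected authenticator.
UNKNOWN_AAGUID = uuid.UUID("ffffffff-ffff-ffff-ffff-ffffffffffff")

# Bits of the authenticator data "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present (the "tap your key" step)
FLAG_UV = 0x04  # user verified (e.g. PIN entered for the card)
FLAG_AT = 0x40  # attested credential data follows (registration responses)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[uuid.UUID]
    credential_id: Optional[bytes]
    credential_public_key: Optional[bytes]  # raw COSE_Key CBOR, not decoded here


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Split a raw authenticatorData byte string into its fixed-layout fields."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    rp_id_hash = data[:32]                         # SHA-256 of the RP id
    flags = data[32]
    sign_count = int.from_bytes(data[33:37], "big")
    aaguid = credential_id = public_key = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = uuid.UUID(bytes=data[37:53])      # 16-byte AAGUID
        cred_len = int.from_bytes(data[53:55], "big")
        if len(data) < 55 + cred_len:
            raise ValueError("credential id truncated")
        credential_id = data[55:55 + cred_len]
        # The rest is the COSE public key; if FLAG_ED is also set, extension
        # data follows it and a CBOR decoder is needed to find the boundary.
        public_key = data[55 + cred_len:]
    return AuthenticatorData(rp_id_hash, flags, sign_count, aaguid, credential_id, public_key)


def check_registration(auth_data: bytes, rp_id: str,
                       allowed: Set[uuid.UUID] = ALLOWED_AAGUIDS) -> Tuple[bool, str]:
    """Relying-party checks on a registration response, including the key restriction."""
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return False, "rpIdHash does not match the relying party id"
    if not ad.flags & FLAG_UP:
        return False, "user presence flag not set"
    if ad.aaguid is None:
        return False, "no attested credential data in registration response"
    if ad.aaguid not in allowed:
        return False, f"AAGUID {ad.aaguid} is not in the allowlist"
    return True, "ok"


def build_sample_authenticator_data(rp_id: str, aaguid: uuid.UUID, credential_id: bytes,
                                    flags: int = FLAG_UP | FLAG_UV | FLAG_AT,
                                    sign_count: int = 0) -> bytes:
    """Constructed test input assembled in the same layout the parser expects.
    The trailing bytes stand in for a COSE key and are not a valid key."""
    placeholder_cose_key = b"\xa5\x01\x02\x03\x26"  # constructed stub
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + sign_count.to_bytes(4, "big")
            + aaguid.bytes
            + len(credential_id).to_bytes(2, "big")
            + credential_id
            + placeholder_cose_key)


if __name__ == "__main__":
    accepted = build_sample_authenticator_data("example.com", CRYPTNOX_FIDO2_AAGUID, b"\x01" * 32)
    print(check_registration(accepted, "example.com"))
    rejected = build_sample_authenticator_data("example.com", UNKNOWN_AAGUID, b"\x02" * 16)
    print(check_registration(rejected, "example.com"))
```

The AAGUID in authenticator data is reported by the authenticator itself; a relying party that wants the key restriction to be trustworthy must also verify the attestation statement in the registration response (for example against the FIDO Metadata Service), which this example does not do.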

Now that the card is authorized in your Azure Active Directory settings, you need to register your Cryptnox Fido2 SmartCard in your account.

Go to https://myaccount.microsoft.com, then Security Info -> Add sign-in method.
Choose Security Key and follow the instructions.

Cryptnox Cards

Cryptnox is a Swiss-based company developing smart cards (hardware wallets) for blockchain.