What is WioKey?

WioKey is a strong multi-factor authenticator that provides highly secure, biometric-verified, non-phishable access to online services. It consists of two components: the WioKey mobile application and the WioKey companion browser extension.

The mobile app is the core WioKey authenticator: a hardware-backed secure storage environment for credentials, protected by encryption and user biometrics, which replaces expensive and inconvenient USB and hardware security keys.

The browser extension is the gateway to the online services used on PCs, laptops, tablets and other devices.

Why would I use WioKey?

WioKey provides a simpler, safer, non-phishable login experience to online services.

As a multi-factor token it is more secure than traditional one-time password (OTP) authenticators, providing strong authentication guarantees comparable to dedicated hardware security keys, but with the convenience of a modern smartphone, available anywhere and at any time.

WioKey is compliant with the latest two-factor authentication (2FA) and multi-factor authentication (MFA) online access standards and provides hardware-backed secure storage for login credentials and access control. WioKey also goes beyond those standards by adding modern embedded biometric and physical authorization checks for each credential stored and used in the login process.

What websites does WioKey support?

WioKey supports any website or online service that provides native support for U2F / FIDO2 security keys. For a quick look and setup, get started here.

Interested in enabling U2F / FIDO2 support for your online product? Looking for a commercial deployment and integration with WioKey? Please contact us at contact@wiosense.de.

How does WioKey work?

The WioKey browser extension receives the authentication requests from visited websites that have U2F / FIDO2 enabled and communicates with the mobile application in real time, polling for a user-authorized 2FA / MFA credential to complete the login.

The mobile application notifies the user about the login request and asks for biometric confirmation to proceed with the login, fully protecting against phishing and man-in-the-middle attacks. Upon successful authorization the phone replies to the extension with the credential and login information. Additional time and physical challenges ensure an increased level of security beyond the biometric checks.

The browser extension injects the credential into the visited website awaiting authentication, which finalizes the login process.
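The three steps above are the FIDO2 / WebAuthn assertion ceremony, and the reason the result is non-phishable is that the signature covers both the relying-party ID and a hash of the challenge-plus-origin the browser saw. The following Go program is an added example written for this page, not WioKey's code and not from the WIOsense repository: it models the phone (Authenticator), the browser's client-data binding (clientDataHash) and the website (RelyingParty). It assumes a toy client-data encoding (origin, a separator and the challenge) in place of WebAuthn's JSON clientData, omits the signature counter, and keeps the private key in a map where the real app uses the Keystore / Secure Enclave. All names, the domains example.com and examp1e.com, and the user "alice" are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the phone app: one key pair per relying-party ID (in memory
// here; the real app keeps it in the Keystore / Secure Enclave).
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

// Assertion is what the phone returns to the extension (real authenticator data also carries a signature counter, omitted here).
type Assertion struct {
	AuthData       []byte   // rpIdHash (32) || flags (1)
	ClientDataHash [32]byte // hash of {origin, challenge} built by the browser
	Signature      []byte   // ECDSA over SHA-256(AuthData || ClientDataHash)
}

// Sign produces an assertion; userVerified stands in for the biometric prompt.
func (a *Authenticator) Sign(rpID string, cdh [32]byte, userVerified bool) (*Assertion, error) {
	key, ok := a.keys[rpID]
	if !userVerified || !ok {
		return nil, fmt.Errorf("refused: user verified=%v, credential for %q=%v", userVerified, rpID, ok)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x05) // flags: user present (bit 0) + user verified (bit 2)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:]) // err only if the system RNG fails
	return &Assertion{AuthData: authData, ClientDataHash: cdh, Signature: sig}, err
}

// clientDataHash models the browser binding the challenge to the page origin (real WebAuthn
// hashes a JSON clientData document) and deriving the rpId from that same origin.
func clientDataHash(challenge []byte, origin string) [32]byte {
	return sha256.Sum256(append([]byte(origin+"|"), challenge...))
}

// RelyingParty models the website: it stores only public keys, one per user.
type RelyingParty struct {
	ID, Origin string
	pubKeys    map[string]*ecdsa.PublicKey
}

// Verify checks origin binding, challenge freshness, rpId binding, the user-verification
// flag and finally the signature, mirroring the WebAuthn assertion checks.
func (rp *RelyingParty) Verify(user string, challenge []byte, origin string, as *Assertion) error {
	pub, rpIDHash := rp.pubKeys[user], sha256.Sum256([]byte(rp.ID))
	switch {
	case origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q", origin, rp.Origin)
	case as.ClientDataHash != clientDataHash(challenge, origin):
		return errors.New("client data does not match the challenge issued for this login")
	case len(as.AuthData) != 33 || string(as.AuthData[:32]) != string(rpIDHash[:]):
		return errors.New("assertion was made for a different relying party")
	case as.AuthData[32]&0x04 == 0:
		return errors.New("user verification flag not set")
	}
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), as.ClientDataHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo: a genuine login, a lookalike-origin phishing attempt relaying the real challenge, and a replay.
func Demo() (legit, phish, replay error) {
	// Registration, simplified: only the public half of the key pair reaches the site.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{"example.com": key}}
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com",
		pubKeys: map[string]*ecdsa.PublicKey{"alice": &key.PublicKey}}
	challenge, fresh := make([]byte, 32), make([]byte, 32)
	rand.Read(challenge)
	rand.Read(fresh)
	assertion, err := auth.Sign(rp.ID, clientDataHash(challenge, rp.Origin), true)
	if err != nil {
		return err, err, err
	}
	legit = rp.Verify("alice", challenge, rp.Origin, assertion)
	// The browser scopes the lookalike's request to rpId "examp1e.com", which has no key.
	_, phish = auth.Sign("examp1e.com", clientDataHash(challenge, "https://examp1e.com"), true)
	// The site issued `fresh` for the next login, so the captured assertion is stale.
	replay = rp.Verify("alice", fresh, rp.Origin, assertion)
	return legit, phish, replay
}

func main() {
	legit, phish, replay := Demo()
	fmt.Println("genuine login:", legit, "| phishing:", phish, "| replay:", replay)
}
```

Demo returns nil for the genuine login and an error for the other two cases. The phishing case fails on the phone, before any signature exists, because the browser derives the rpId from the page origin rather than from anything the page claims; even if the user had once registered with the lookalike domain, the rpIdHash in that assertion would not match what example.com checks. The replay fails at the site because each login gets its own challenge, so a captured assertion is bound to a challenge that is no longer outstanding.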

NOTE: All communication between the WioKey mobile application and the WioKey browser extension (the WioKey Companion) is encrypted with state-of-the-art AES-256 symmetric encryption, providing the highest data confidentiality and integrity guarantees in line with Zero-Trust principles.
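AES-256 on its own protects confidentiality; the integrity guarantee the note mentions comes from using the cipher in an authenticated mode, so that a modified message is rejected rather than decrypted to garbage. The following Go snippet is an added example for this page, not WioKey's code and not a description of the project's actual wire format: it shows AES-256-GCM protecting a message on the app-to-extension link. The 32-byte pairing key, the session label used as associated data and the JSON message are all constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts msg for the app<->extension link with AES-256-GCM under a 32-byte pairing
// key. Output is nonce || ciphertext || tag; aad is authenticated but sent in the clear.
func Seal(key, aad, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per message; never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, aad), nil
}

// Open reverses Seal. Any change to the blob or to aad fails the tag check, so a tampered
// message is rejected outright instead of being decrypted to garbage.
func Open(key, aad, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// LinkDemo round-trips a constructed assertion message and then corrupts one byte in
// transit; it returns the recovered plaintext and the error raised for the tampered copy.
func LinkDemo() (plain string, tamperErr error) {
	key := make([]byte, 32) // constructed pairing key; a real one comes from the pairing step
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	aad := []byte("session:42") // constructed session label, bound to the message but not hidden
	msg := []byte(`{"type":"assertion","credentialId":"demo"}`)
	blob, err := Seal(key, aad, msg)
	if err != nil {
		return "", err
	}
	out, err := Open(key, aad, blob)
	if err != nil {
		return "", err
	}
	blob[len(blob)-1] ^= 0x01 // one bit flipped on the link
	_, tamperErr = Open(key, aad, blob)
	return string(out), tamperErr
}

func main() {
	plain, tamperErr := LinkDemo()
	fmt.Printf("decrypted: %s\ntampered copy rejected: %v\n", plain, tamperErr)
}
```

The associated data is the place to bind context such as a session or pairing identifier, so that a valid message captured from one session cannot be presented in another; the nonce must be unique per message under a given key, which is why Seal draws a fresh random one each time.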

What phones does the WioKey mobile app support?

The WioKey mobile app currently supports Android (9.0+). Support for iOS (10.0+) is underway.

What browsers does the WioKey companion web extension support?

The WioKey companion web extension currently supports the Chrome and Edge browsers.

Support for Firefox and Safari is planned. Stay tuned for more updates!

Why do you make use of my biometrics to authorize credentials and access?

Because of the sensitive nature of the information being handled, we leverage the native embedded biometric security of your phone to ensure that only you are able to use and manage your credentials. Your biometric data never leaves your device, nor do we have any access to it, as it is handled in isolation by your phone's operating system.

Put simply, your biometrics add another isolated, zero-trust security layer to the WioKey credential storage and credential management. This makes WioKey a true biometric-backed strong authenticator.

Can I use the app without biometrics?

You can always use a pattern, PIN or password to verify against instead, but at least one type of screen lock verification must be set up and enabled.

How are my credentials stored?

We store all your credentials locally on your phone, in the native Keystore (Android) or Secure Enclave (iOS). Use of your keys is conditional on a verified biometric or screen unlock authentication.

On Android this means that your credentials are stored either in a Trusted Execution Environment isolated from the main OS or, on phones equipped with such security modules (e.g. Pixel 2 and later), in a dedicated isolated secure hardware element. This isolated Keystore credential storage provides yet another zero-trust defense mechanism, protecting against potential malware in the OS.

Similarly, on iOS the credentials are stored in and backed by isolated hardware, providing the highest level of security for credential storage.

Does WioKey / WIOsense have access to my private credential information?

Definitely NO!

The private information pertaining to your credentials, i.e. the private key, is generated in an isolated environment / secure co-processor of your mobile phone and never leaves your device.

Access to your private credential information is hardware-backed and subject to strong biometric authentication, protecting against remote key extraction attacks. By design, WioKey furthermore does not rely on any single trusted third party or component. Please feel free to go over the open source, publicly available code at https://github.com/wiosense.

Can I delete my credentials?

You can easily manage your credentials by navigating to the Credentials section, which lists all of your registered credentials alongside relevant audit information such as user name, online service/website, creation date and last usage date. There you can either manage your credentials individually or simply reset the authenticator credential storage and remove all the credentials at once. Both operations require authentication!

NOTE: Before deleting a credential, be sure that you have set up at least one back-up option for that website. That means either an alternative OTP code setup or a list of recovery codes provided by the website itself. We recommend backed-up recovery codes.

Can I back-up / transfer / restore my credentials?

Backing up and restoring your credentials is not possible at this point in time. This is why we encourage everyone to follow the general U2F / FIDO2 authentication recommendations and have a fallback secondary login solution that is not tied to the phone, to avoid account lockout.

You can at any time register new credentials for the same account using the U2F / security key management pane of the online service in question.

We are working on back-up / transfer / restore solutions, but a definitive release date is not yet fixed. Stay in touch to find out more as we roll out new features!

What happens if I lose my phone?

You do not need to worry about misuse of your credentials, since your biometrics are required in order to use the app and / or credentials! Restoring your credentials is not possible at this point in time, but feel free to install the app on a new device and register new keys for your preferred services. Your old credentials will expire automatically or can be invalidated online for each website as you re-register your keys.

NOTE: Be sure to set up at least one back-up option for each website you use WioKey with. That means either set up an alternative OTP code or save a list of recovery codes provided by the website. We recommend backed-up recovery codes!

What if a hacker gets access to my phone / computer?

If your computer is physically compromised, you can always unlink the WioKey mobile app from the web extension, which removes that computer as an attack vector for your credentials. Simply re-link the WioKey mobile app with a new computer and you are good to go!

If your phone is physically compromised, the attacker could try to access your private credential information and extract the private keys associated with your U2F / FIDO2 accounts. Since the credentials are hardware-backed and protected by biometric authentication, this means hardware attack vectors and vulnerabilities would have to be exploited, which requires highly skilled attackers. You can always unlink your key individually from your websites to prevent access in the unlikely event that the attacker actually gains access to your private credential information. This is done by using the back-up second-factor credentials set up for each website.

In the very unlikely event that both your computer and phone are physically compromised, the hacker would still have to go through the hardware exploits necessary to unlock your phone and get access to your hardware-backed credentials!

Unfortunately, there is no absolutely perfect defense against such attacks, but WioKey already provides strengthened security by storing your credentials in hardware-backed isolation and adding a biometric / screen lock layer of additional security.

How do I install WioKey?

Looking for a commercial deployment?

Our integration platform makes it possible to embed an extra layer of security into both specialized applications and internal services.

Contact us for a demo implementation of the WioKey APIs and how to integrate them in your ecosystem.

About WIOsense

We are a German start-up passionate about wireless connectivity, on a mission to seamlessly and securely connect our users to the digital world. Join us to find out more!