As written in the previous post, I received two ATKey.Pro FIDO2 security keys from vendor AuthenTrend for testing. I short mentioned, the key has two unique features compared to FIDO2 keys from other vendors; standalone enrollment and it can be used as a hardware password manager. This article describes the second feature in more detail.
This hardware password manager solution is a development from the American vendor Broadcom, called Bio-Safe. As they describe their solution best, I quote them here for what Bio-Safe is:
Bio-Safe is a hardware-based password manager built for Broadcom’s FIPS 140-2 Level 3 certified CredentialVault™ (“CV”) security chip. Unlike most existing password management solutions where user credentials such as username and password are stored either in the web browser cache or on a remote server, Bio-Safe securely stores credentials within the local client computer’s CV security chip. Credentials stored in CV are encrypted and accessible only after a user successfully verifies their fingerprint through the authentication process. Bio-Safe enables users to log in to websites much more securely and conveniently with the simple touch of a fingerprint.
Bio-Safe is currently only supported on (some) Dell hardware and it`s supported on the ATKey.Pro security keys.
Security features
- Credentials are accessible by the user only after a successful Fingerprint Match-in-CV authentication
- Stores credentials in tamper resistant FIPS 140-2 Level 3 certified CV security chip
- Damaging malware attacks cannot access CV since it operates in a host-isolated environment with its own operating system and memory
Software pre-requisites
We cannot just use this feature by connecting the security key to your laptop, a small piece of software and a Chrome browser extension are required.
The latest version of this software can be downloaded from the website of Broadcom. Installation is straight forward, start the installer, click next and it`s installed.
The Chrome browser extension can be downloaded from the Chrome web store.
How does it work!?
As soon as the application and Chrome extension are installed we`re ready to use the security key as a password manager.
Plugin the key in the laptop and when you have the Chrome browser open, you`re asked to provide your fingerprint for authentication.
When you sign-in to a website, like GitHub, and the credentials for the site are not yet saved to the key, you`re asked to store the credentials.
When you click in the right corner of the browser on the Bio-Safe icon you have the option to Open the Bio-Safe Vault and Pull Credentials.
In the Bio-Safe Vault you can see the current stored credentials. You can view, edit and delete the credentials. It`s also possible to wipe out (reset) the key which will remove all stored credentials from the key.
When you visit a website from which the credentials are stored on the key and you haven`t authenticated, you`re asked for a finger print.
And your credentials are released.
Below a short video to show how easy it is to use the key as password manager.
Conclusion
After writing these two blog posts related to the ATKey.Pro FIDO2 security key it`s time for a short conclusion.
The key can be called very all-round. They are both small robust keys and the LED status light is a nice and convenient addition. Of course, it fulfills all the standard options you might expect from a FIDO2 key. But in addition, standalone enrollment is a convenient addition to these standard options. A unique option I have not seen with any other FIDO key is to securely store credentials on the key. If you don’t want to store your credentials in the cloud and replace your Keepass, for example, Bio-Safe is a handy replacement. There will have to be support for multiple browsers and manually adding credentials in my opinion, something that is missing compared to other password managers. But there are plans to support Edge and Safari in 2021.
A unique and well-functioning FIDO2 security key.
