PONE OFFPAD+ Security Keys Leveraging Fingerprint User Manual

OFFPAD+ Security Keys Leveraging Fingerprint

Specifications

  • Product Name: OFFPAD and OFFPAD+
  • Authentication Method: FIDO2 with fingerprint biometrics
  • Connectivity: NFC, Bluetooth Low Energy (BLE), USB
    (OFFPAD+)
  • Display: E Ink display
  • Battery: Li-ion rechargeable battery
  • Charging: Wireless Qi standard, USB (OFFPAD+)

Product Description

The OFFPAD and OFFPAD+ are FIDO2 security keys that utilize
fingerprint biometrics to provide a secure and convenient
authentication process. FIDO2 is a globally recognized
authentication standard supported by major industry players,
offering enhanced security through public key cryptography.

Features

The OFFPAD supports features defined in the FIDO2 specification,
providing strong authentication capabilities developed by the FIDO
Alliance and W3C. It aims to enable secure, passwordless
authentication for both mobile and desktop environments.

Connectivity

The OFFPAD communicates with devices using NFC or Bluetooth Low
Energy, while the OFFPAD+ also offers USB connectivity through a
specially designed card holder. Detailed instructions on connecting
the devices can be found in the Usage Guide.

Biometrics

Your biometric data is encrypted and securely stored on the
FIDO2 security key, ensuring privacy and ownership of your
biometrics. The fingerprint biometrics allow for easy and secure
authentication to online services.

Display

The E Ink display on the OFFPAD and OFFPAD+ mimics ink on paper,
providing a clear and readable interface for authentication. This
display enhances the customer experience by enabling easy
navigation through fingerprint enrollment steps.

Battery

The embedded Li-ion rechargeable battery in the FIDO2 Security
keys offers high heat resistance, reliability, and long lifetime.
Charging is convenient using the wireless Qi standard, supported by
various electronic device manufacturers. The OFFPAD+ also supports
charging via USB cable.

Usage Guide

For detailed instructions on how to use the OFFPAD and OFFPAD+,
including connecting to devices and utilizing the fingerprint
biometrics for authentication, refer to the provided Usage
Guide.

FAQ

Q: Can I use the OFFPAD with multiple devices?

A: Yes, you can use the OFFPAD with multiple devices by
connecting via NFC, Bluetooth Low Energy, or USB (OFFPAD+).

Q: How do I recharge the battery of the OFFPAD?

A: The battery of the OFFPAD can be recharged using a wireless
charging pad that supports the Qi standard or through a USB cable
(OFFPAD+).


Product Description

The OFFPAD and OFFPAD+ are FIDO2 security keys leveraging fingerprint biometrics to optimize the balance between security and convenience.
FIDO2 is a global and standardized authentication process supported by major industry players such as Google, Microsoft, Apple, and Samsung, offering the gold standard of authentication.
FIDO2 replaces password-based authentication and traditional Multi-Factor Authentication (MFA) with public key cryptography. FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
PONE Biometrics takes your privacy seriously. Your biometrics are encrypted and stored securely on the FIDO2 security key. Your biometrics are never shared outside the device. As a user, you own your biometrics.
The OFFPAD and OFFPAD+ embed a long-lifetime battery. Your device is always ready to be used and can be quickly recharged with a simple wireless charger. Through the card holder, the OFFPAD+ also enables charging through a USB cable.

Features

The features supported by the OFFPAD are defined in the FIDO2 specification. The FIDO2 specification is a set of standards for strong authentication developed by the FIDO Alliance (Fast IDentity Online) and the World Wide Web Consortium (W3C). FIDO2 aims to enable secure, passwordless authentication and is a more advanced version of the original FIDO (Fast Identity Online) standards.
More details about the features supported by OFFPAD and OFFPAD+ can be found in the Feature Guide.

Connectivity

The OFFPAD communicates with devices by using Near Field Communication (NFC) or Bluetooth Low Energy (BLE). In addition the OFFPAD+ enables USB connectivity through the specially designed card holder. More information on how to connect the OFFPAD and OFFPAD+ to a device can be found in the Usage Guide.

Biometrics

The OFFPAD and OFFPAD+ are built with a fingerprint biometrics sensor to deliver an optimal user experience. The off-chip capacitive sensor separates the fingerprint sensing elements from the chip that acquires the image and processes the biometric data. This ingenious design ensures excellent security, significantly higher image fidelity, superb noise immunity, and market-leading usability under real-world conditions. This sensor is bendable and durable, facilitating a long life of the device. Thanks to ultra-low power consumption, battery life is optimized. The superior level of security and excellent image fidelity provides outstanding biometrics and user performance.

Display

The OFFPAD and OFFPAD+ have an E Ink display, short for electronic ink, a type of screen technology designed to mimic the appearance of ink on paper. Unlike traditional LCD or OLED screens, E Ink displays don’t emit light directly. Instead, they use tiny capsules filled with charged black and white particles that move when an electric field is applied, creating text and images on the screen.
The E Ink display has been added to improve the customer experience. You always know what you are authenticating to and you can follow the fingerprint enrolment steps in a convenient way.

Battery

To provide you with the best autonomy possible, there is a battery embedded in our FIDO2 Security keys. The Li-ion rechargeable battery is specially designed to offer high heat resistance, safety (high reliability), high output, and long lifetime.
The battery is charged using the open interface standard defining wireless power transfer via inductive charging: Qi. This standard has been developed by the Wireless Power Consortium and is supported by all electronic device manufacturers such as Apple, Asus, Google, Huawei, Samsung, Xiaomi, and Sony. Any charging pad supporting Qi can be used.
The OFFPAD+ also supports charging through a USB cable.

Feature Guide

FIDO2 comprises two main components: WebAuthn (Web Authentication) and CTAP (Client To Authenticator Protocol).
WebAuthn is a web standard developed by W3C, which provides a way for web applications to integrate strong, passwordless authentication using public key cryptography. WebAuthn allows browsers and servers to interact with external authenticators (like the OFFPAD or OFFPAD+) to verify the user’s identity.
CTAP is a protocol developed by the FIDO Alliance that enables communication between a device (e.g., a phone or computer) and an external authenticator (e.g., a FIDO2 security key, a biometric sensor, or a smartphone app). CTAP allows devices to work together to authenticate users, such as using a phone as an authenticator or a hardware token (like the OFFPAD or OFFPAD+) to perform the authentication process.

FIDO2 Make Credential

FIDO2 Make Credential is used to create a new credential (also known as a passkey) that is bound to:

  • The relying party (website or service).
  • The user’s security key (e.g. OFFPAD or OFFPAD+).
  • The user verification method (if required, like PIN or biometrics).

The steps for FIDO2 Make Credential are:

1. Client Sends a Registration Request
   The website or service (Relying Party, RP) asks the user to register a security key. The browser (or OS) forwards this request to the security key.
2. Authenticator Generates a Key Pair
   The security key generates a new public-private key pair. The private key stays on the security key, while the public key is sent back to the RP.
3. Attestation & User Verification (if required)
   The authenticator may require user verification (UV) via PIN or biometrics before completing the process. The security key signs the public key with an attestation certificate, proving it was generated securely on a valid device.
4. Client Sends Credential to the Relying Party
   The browser/OS sends the new credential (public key + attestation) back to the website. The RP stores the public key and associates it with the user’s account.

Credential is Now Ready for Authentication!
Next time the user logs in, their FIDO2 key can use this credential to prove their identity via FIDO2 Get Assertion.

FIDO2 Get Assertion

FIDO2 Get Assertion is used during the authentication phase of a FIDO2-based login. It enables a user to authenticate themselves securely to a relying party (website or service) using a previously registered credential (see FIDO2 Make Credential), without relying on passwords.

Steps for FIDO2 Get Assertion (Authentication Process) are:

1. Client Sends an Authentication Request
   The website or service (Relying Party, RP) asks the user to log in with their FIDO2 security key. The browser (or OS) forwards this authentication request to the security key.
2. Authenticator Finds a Matching Credential
   The security key checks if it has a credential linked to the RP ID. If multiple credentials exist, the user may need to select one. If no credentials match, authentication fails.
3. User Verification & Assertion Signing
   If required, the authenticator asks for user verification (UV) (e.g., fingerprint, PIN, or touch). The security key then:
     • Uses the private key to sign the challenge.
     • Includes additional security data, such as a counter to prevent replay attacks.
4. Client Sends Assertion to the Relying Party
   The browser/OS sends the signed assertion back to the website. The RP verifies the signature using the stored public key. If the signature is valid, the user is authenticated successfully.
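
The FIDO2 Make Credential and FIDO2 Get Assertion flows described above, as an added example that is not taken from the PONE manual: a simulated authenticator signs the authenticator data plus the hash of the client data, and the relying-party side checks challenge, origin, RP ID hash, user-verification flag, signature and counter. The RP ID `login.example`, the origin and all function names are assumptions, and attestation is left out.

```javascript
const crypto = require('node:crypto');
const RP_ID = 'login.example';           // hypothetical relying party ID (constructed)
const ORIGIN = 'https://login.example';  // hypothetical origin (constructed)
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();
const signedBytes = (authData, clientDataJSON) => Buffer.concat([authData, sha256(clientDataJSON)]);

// Make Credential (simulated authenticator): the RP only ever receives the public key.
function makeCredential() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { privateKey, signCount: 0 }, rpRecord: { publicKey, signCount: 0 } };
}

// Get Assertion (simulated): authenticatorData = SHA-256(rpId)[32] | flags[1] | signCount[4, BE]
function getAssertion(authenticator, rpId, challenge, userVerified = true) {
  const authData = Buffer.alloc(37);
  sha256(rpId).copy(authData, 0);
  authData[32] = 0x01 | (userVerified ? 0x04 : 0x00); // UP bit, plus UV after fingerprint or PIN
  authData.writeUInt32BE(++authenticator.signCount, 33);
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: ORIGIN }));
  const signature = crypto.sign('sha256', signedBytes(authData, clientDataJSON), authenticator.privateKey);
  return { authData, clientDataJSON, signature };
}

// Relying party: returns 'ok' or the reason the assertion is rejected.
function verifyAssertion(rpRecord, expectedChallenge, { authData, clientDataJSON, signature }) {
  const cd = JSON.parse(clientDataJSON.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'wrong type';
  if (cd.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (cd.origin !== ORIGIN) return 'origin mismatch';
  if (authData.length < 37 || !authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if (!(authData[32] & 0x01)) return 'user not present';
  if (!(authData[32] & 0x04)) return 'user not verified';
  if (!crypto.verify('sha256', signedBytes(authData, clientDataJSON), rpRecord.publicKey, signature)) return 'bad signature';
  const count = authData.readUInt32BE(33);
  if (count <= rpRecord.signCount) return 'counter did not increase'; // replayed assertion or cloned key
  rpRecord.signCount = count;
  return 'ok';
}

function demo() {
  const { authenticator, rpRecord } = makeCredential();
  const c1 = crypto.randomBytes(32), c2 = crypto.randomBytes(32);
  const a1 = getAssertion(authenticator, RP_ID, c1);
  const first = verifyAssertion(rpRecord, c1, a1);               // fresh assertion
  const replaySameChallenge = verifyAssertion(rpRecord, c1, a1); // same bytes sent again
  const replayNewChallenge = verifyAssertion(rpRecord, c2, a1);  // old bytes, new login attempt
  return { first, replaySameChallenge, replayNewChallenge };
}
```

A relying party that accepts authenticators reporting a constant counter of 0 needs a separate branch for that case; this example assumes an incrementing counter.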

FIDO2 Client PIN

FIDO2 Client PIN is used to manage PIN-based user verification for security keys or authenticators. It allows users to:

  • Set a new PIN (for devices that support PIN authentication).
  • Change an existing PIN (if the user knows the current one).
  • Verify a PIN before performing sensitive operations.

When you first register a FIDO2 authenticator (e.g., OFFPAD or OFFPAD+), the service you’re using may require you to set a PIN for the authenticator. This PIN is used as a second factor of authentication, ensuring that even if someone physically steals your device authenticator, they cannot use it without the PIN. The authenticators from PONE Biometrics also support the use of fingerprints as a second factor. How to set the PIN and add fingerprints is described in the getting started guide.
The PIN and fingerprints are stored securely on the authenticator. They are used to unlock the device and prove your identity, but the PIN or fingerprints are never shared with the service or application you’re logging into. Instead, the authenticator uses the PIN or fingerprints to unlock itself and generate a secure cryptographic key, which is then used to authenticate you.

FIDO2 Bio Enrollment

FIDO2 Bio Enrollment manages biometric enrollment on authenticators that support built-in biometrics (e.g., fingerprint scanners on security keys or biometric-enabled devices).
It allows users to:

  • Enroll new biometric templates (e.g., add a fingerprint).
  • Remove biometric templates (e.g., delete a fingerprint).
  • List enrolled biometrics (e.g., check registered fingerprints).

How to do FIDO2 Bio Enrollment on OFFPAD and OFFPAD+ is described in the getting started guide.

FIDO2 Large Blob

FIDO2 Large Blob allows FIDO2 authenticators (such as security keys) to store and retrieve arbitrary data securely. This is useful for applications that need to persist small pieces of data directly on the authenticator.

Key features:

  • Secure Storage: Data is encrypted and stored on the authenticator.
  • Per-Relying Party Access: Each website (Relying Party) can store and retrieve its own data.
  • Read/Write Support: Relying Parties can write, update, or read the stored data.
  • Persistent Across Sessions: Unlike credential IDs, this data remains available even after multiple authentications.

The steps for FIDO2 Large Blob are:

1. Client Requests to Write or Read Large Blob Data
   A website (Relying Party, RP) asks the browser (client) to interact with a FIDO2 authenticator to store or retrieve data. The client forwards the request using the CTAP2.1 command.
2. Authenticator Processes the Large Blob Request
     • If writing data: The authenticator encrypts and stores the large blob securely.
     • If reading data: The authenticator decrypts and returns the stored large blob.
3. Client Sends Data to the Relying Party
   The browser sends back the retrieved data (if reading). If writing, the browser confirms the operation was successful.

FIDO2 Credential Blob

FIDO2 Credential Blob (Cred Blob) allows a FIDO2 authenticator (e.g., security key or built-in biometric authenticator) to store a small piece of data (up to 32 bytes) attached to a specific credential. The Cred Blob is an optional data field stored inside a credential when it is created using FIDO2 Make Credential. It can be retrieved later when authenticating with FIDO2 Get Assertion.

Key features:

  • Credential-Specific Storage: Each cred blob is tied to a single passkey (credential).
  • Up to 32 Bytes: Enough for small metadata like flags, IDs, or labels.
  • Can Be Written and Read Later: Helps with credential management.
  • RP-Controlled Data: The Relying Party (RP) defines the data contents.

The steps for FIDO2 Credential Blob are:

1. Credential Creation (Writing the Cred Blob)
   A website (Relying Party, RP) asks the authenticator to create a new credential (authenticatorMakeCredential). The RP provides a small data payload (up to 32 bytes) in the credBlob extension. The authenticator securely stores this data alongside the newly created credential.
2. Credential Authentication (Reading the Cred Blob)
   When a user authenticates (authenticatorGetAssertion), the RP can request the stored credBlob. If the authenticator supports credBlob retrieval, it sends the stored blob back to the RP. The RP can then use the data for credential management or additional verification.
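
On the relying-party side, the credBlob returned at FIDO2 Get Assertion arrives as a CBOR-encoded extension map at the end of the authenticator data. The following added example (not from the PONE manual; the function names and the sample bytes are constructed for illustration) extracts it and enforces the 32-byte limit.

```javascript
const FLAG_AT = 0x40, FLAG_ED = 0x80; // attested-credential-data and extension-data flag bits
const MAX_CRED_BLOB = 32;             // byte limit stated in the manual

// Minimal CBOR reader covering only what this example needs: small maps, strings, booleans.
function readCbor(buf, pos = 0) {
  const head = buf.readUInt8(pos++), major = head >> 5; // readUInt8 throws on truncated input
  if (head === 0xf4 || head === 0xf5) return { value: head === 0xf5, pos };
  let arg = head & 0x1f;
  if (arg === 24) arg = buf.readUInt8(pos++);
  else if (arg > 24) throw new Error('CBOR length form not handled here');
  if (major === 2 || major === 3) {               // byte string or text string
    if (pos + arg > buf.length) throw new Error('truncated CBOR');
    const bytes = buf.subarray(pos, pos + arg);
    return { value: major === 3 ? bytes.toString('utf8') : Buffer.from(bytes), pos: pos + arg };
  }
  if (major === 5) {                              // map; a Map avoids "__proto__" key surprises
    const map = new Map();
    for (let i = 0; i < arg; i++) {
      const k = readCbor(buf, pos), v = readCbor(buf, k.pos);
      map.set(k.value, v.value);
      pos = v.pos;
    }
    return { value: map, pos };
  }
  throw new Error(`CBOR major type ${major} not handled here`);
}

// Relying party: extract credBlob from Get Assertion authenticatorData, or null if absent.
function credBlobFromAuthData(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  if (authData[32] & FLAG_AT) throw new Error('unexpected attested credential data');
  if (!(authData[32] & FLAG_ED)) return null;
  const { value: ext, pos } = readCbor(authData, 37);
  if (!(ext instanceof Map) || pos !== authData.length) throw new Error('malformed extensions');
  const blob = ext.get('credBlob');
  if (!Buffer.isBuffer(blob)) return null;
  if (blob.length > MAX_CRED_BLOB) throw new Error('credBlob longer than 32 bytes');
  return blob;
}

// Constructed sample: zeroed rpIdHash, flags UP|UV|ED, counter 7, extensions {"credBlob": blob}.
function sampleAuthData(blob) {
  const header = Buffer.alloc(37);
  header[32] = 0x01 | 0x04 | FLAG_ED;
  header.writeUInt32BE(7, 33);
  const len = blob.length < 24 ? [0x40 | blob.length] : [0x58, blob.length];
  return Buffer.concat([header, Buffer.from([0xa1, 0x68]), Buffer.from('credBlob'), Buffer.from(len), blob]);
}
```

Run this only on authenticator data whose assertion signature has already been verified, so the blob is known to come from the registered credential.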

Documents / Resources

PONE OFFPAD+ Security Keys Leveraging Fingerprint [pdf] User Manual
0202, 2BLGV-0202, 2BLGV0202, OFFPAD Security Keys Leveraging Fingerprint, OFFPAD, Security Keys Leveraging Fingerprint, Leveraging Fingerprint, Fingerprint
