CardLab introduces QuardLock, a new era in cybersecurity that offers passwordless authentication with FIDO2 offline biometric fingerprint cards and a certified backend server.
State-of-the-art cybersecurity
CardLab has developed a biometric ‘authentication as a service’ solution based on biometric smartcards in different configurations for logical and physical access control, combined with a backend authentication system. These biometric smartcards are always offline and play a central role in our consolidated cybersecurity platform. Fingerprint templates are stored encrypted in the card’s secure element, are matched on the card, and never leave it. The private keys used for authentication and transaction signing are likewise stored encrypted in the secure element and never leave it. Nothing held in the secure element can be read from outside it: the card only ever returns a match result or a signature, so a remote attacker has no credential secret to steal, and malware on the host PC or phone has nothing to extract.
QuardLock is CardLab’s centralised identity platform, combining an open directory with a single layer that connects and governs access across all IT resources. Securely connect users to their devices, servers, networks, apps, and files, where the “QuardLock” solution can serve as an authoritative directory or defer to existing identity providers.
CardLab provides passwordless logical access to IT resources and secure physical access to buildings, restricted areas, gates, rooms, follow-me-print, etc. Through open integration capabilities, the QuardLock solution can provide a single identity for everything and connect users to thousands of resources with a single set of secure credentials.
Unlike a rigid, traditional directory, the cloud-based QuardLock solution provides an open directory platform that follows open protocols such as SAML, LDAP, RADIUS, and SCIM, enabling heterogeneous resources to be connected and managed from a single source.
Why cybersecurity matters
Imagine this: your worst nightmare just came true – your company has been hacked. Your employees’ passwords and identities are now in the hands of an attacker. What do you do next? Changing the passwords on all your accounts is a must, but can you remember them all? Can you act fast enough, before the criminal wreaks havoc with your employees’ identities and steals vital information from the company?
The reality
This isn’t just a scary story; it’s a very real threat affecting companies worldwide every day. Leaked password databases and GPU-based cracking rigs can recover weak or poorly hashed passwords in minutes, and AI-assisted phishing makes credential theft cheaper still. Hackers attempt to steal passwords 4,000 times per second. To stay safe you need a complex password of at least 16 characters that mixes numbers, letters and symbols for each account, and even that will not make you secure.
The challenge
Remembering such complicated passwords is nearly impossible, and reusing the same password across multiple accounts is a big no-no. Do you regularly change your passwords? Can you trust that the applications you access store passwords properly, as salted, slow hashes rather than in plaintext or under weak, reversible encryption? Even major companies sometimes get this wrong, leaving passwords exposed when their databases leak.
The old school solution
Some turn to password managers that create and store complex passwords, encrypted in the cloud or on your device. With a master password you decrypt the vault and use the stored passwords to access all your accounts. This method isn’t foolproof: attackers can still capture the master password through malware, phishing, man-in-the-middle attacks, social engineering and keyloggers. Even SMS one-time codes can be intercepted, by SIM swapping or simply by phishing the code from the user.
Many authentication systems today use time-based codes (TOTP) generated by an app on your smartphone, but a TOTP code is just another secret the user types in. A phishing site that proxies the real login page can relay the code to the genuine service within its short validity window, so TOTP offers no protection against real-time phishing.

The new school solution: FIDO2/passkey
History has shown that passwords are the weakest link in cybersecurity. That’s why it’s time to go passwordless. The CardLab solution eliminates the need for passwords, providing a seamless and secure way to protect servers and employees’ digital identities.
These more secure methods (FIDO2/passkey) replace static passwords and time-based codes with public-key cryptography. The private key stays on the authenticator; at login it signs a fresh, single-use challenge from the server together with the origin (web address) the browser is actually talking to. A look-alike phishing site therefore obtains a signature that names the wrong origin, and a captured signature cannot be replayed because its challenge has already been consumed. That is what makes FIDO2/passkey resistant to phishing, man-in-the-middle credential theft and credential replay.
FIDO2/passkey authentication requires physical possession of the FIDO card, smartphone or other device that holds the private key. Even if an attacker intercepts the communication remotely, they cannot authenticate with it without the physical device in hand. Biometric fingerprint verification on the card, or Face ID on a phone, adds a second factor by tying the approved user to the device; the server can require this ‘user verified’ flag in every assertion.
These properties make FIDO2/passkey a highly secure authentication method, significantly reducing the risk of the remote, credential-stealing attacks that make up most of what attackers do.

Using a CardLab biometric smartcard with a built-in FIDO2/passkey feature makes this authentication method stronger still: the challenge is signed on the card, offline, so the private key is never exposed to the host PC or phone and cannot be extracted by malware running there.
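The exchange described above, as an added example that is not CardLab’s code: a relying party issues a one-time challenge, the authenticator (standing in for the card) signs that challenge together with the origin reported by the browser, and the server checks challenge freshness, origin, the rpId hash, the user-presence and user-verification flags, and the signature. The host names quardlock.example and quardlock-login.example and the user alice are assumed. The example uses Go’s standard-library ECDSA on P-256 (the ES256 algorithm most FIDO2 credentials use); the signature counter and attestation are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Added example, not CardLab's code; host and user names are assumed.
// clientData is what the browser puts in clientDataJSON: the server's
// challenge and the origin the user is really on.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1); sign counter omitted for brevity
	ClientDataJSON []byte
	Signature      []byte
}

func sum(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// authenticator models the card: the key is generated inside and only Sign is
// exposed; userVerified is the result of the on-card fingerprint match.
type authenticator struct{ priv *ecdsa.PrivateKey }

func (a *authenticator) Sign(rpID string, cd clientData, userVerified bool) assertion {
	cdJSON, _ := json.Marshal(cd) // cannot fail for a struct of strings
	flags := byte(0x01)           // UP: user present
	if userVerified {
		flags |= 0x04 // UV: user verified by biometric
	}
	ad := append(sum([]byte(rpID)), flags)
	// FIDO2 signs authData || SHA-256(clientDataJSON); the origin is inside that hash.
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, sum(append(append([]byte{}, ad...), sum(cdJSON)...))) // errs only on broken randomness
	return assertion{AuthData: ad, ClientDataJSON: cdJSON, Signature: sig}
}

// relyingParty models the backend that verifies assertions.
type relyingParty struct {
	rpID, origin string
	keys         map[string]*ecdsa.PublicKey // public keys registered at enrolment
	pending      map[string]bool             // challenges issued, not yet consumed
}

func (rp *relyingParty) Challenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand; fails only if the OS random source is unusable
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[c] = true
	return c
}

func (rp *relyingParty) Verify(user string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if !rp.pending[cd.Challenge] {
		return errors.New("unknown or already-used challenge") // a replayed assertion stops here
	}
	delete(rp.pending, cd.Challenge) // single use
	if len(as.AuthData) < 33 || as.AuthData[32]&0x05 != 0x05 {
		return errors.New("user presence and biometric verification both required")
	}
	if cd.Origin != rp.origin || !bytes.Equal(as.AuthData[:32], sum([]byte(rp.rpID))) {
		return fmt.Errorf("origin %q or rpId does not match %q: relayed (phished) assertion", cd.Origin, rp.origin)
	}
	pub, ok := rp.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	signed := append(append([]byte{}, as.AuthData...), sum(as.ClientDataJSON)...)
	if !ecdsa.VerifyASN1(pub, sum(signed), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo runs a genuine login, a replay of it, and a login relayed by a phishing site.
func Demo() (genuine, replayed, phished error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errs only on broken randomness
	card := &authenticator{priv: priv}
	rp := &relyingParty{rpID: "quardlock.example", origin: "https://quardlock.example",
		keys: map[string]*ecdsa.PublicKey{"alice": &priv.PublicKey}, pending: map[string]bool{}}
	as := card.Sign(rp.rpID, clientData{rp.Challenge(), rp.origin}, true)
	genuine = rp.Verify("alice", as)
	replayed = rp.Verify("alice", as) // the same captured assertion presented again
	// A phishing proxy relays a fresh challenge; the browser on the look-alike site
	// records its own origin (a real browser would also derive a different rpId).
	ph := card.Sign(rp.rpID, clientData{rp.Challenge(), "https://quardlock-login.example"}, true)
	phished = rp.Verify("alice", ph)
	return
}
```

Run Demo and the genuine login verifies, the replay fails on the consumed challenge, and the relayed login fails on the origin check; that last failure is the property the text calls phishing resistance, and it holds even though the attacker saw every byte on the wire.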
Never trust, always verify
To establish and verify identities is an important step in meeting the zero-trust principle, along with the need for an organisational policy for ‘who should have access to what, when and why’.
With CardLab’s risk-based adaptive authentication process, every access request is validated before additional privileges or access are granted.
This is a step to prevent phishing, as cybercriminals with phished credentials are likely to try to register a new device, work from a new location, or attempt access outside of the real user’s typical working hours.
The system can detect those signals and challenge access attempts accordingly to prevent bad actors from gaining access to critical information.
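The kind of signal scoring such a policy step performs, as an added example that is not CardLab’s engine, run over constructed access attempts for one user. The weights, thresholds and the “step-up” and “deny” outcomes are assumptions; in this design step-up means requiring the card and an on-card fingerprint match before access is granted.

```go
package main

import "fmt"

// Added example, not CardLab's code: a small risk scorer of the kind an
// adaptive-authentication policy engine runs on every access request.
// Signals, weights and thresholds are illustrative assumptions.

type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up" // demand the card and an on-card fingerprint match
	Deny   Decision = "deny"    // block and route to a supervised re-enrolment
)

// Profile is what the backend has learned from a user's previous verified logins.
type Profile struct {
	KnownDevices, KnownCountries map[string]bool
	WorkStart, WorkEnd           int // local hours, e.g. 7 and 19
}

// Request is one access attempt as the policy engine sees it.
type Request struct {
	User, DeviceID, Country string
	Hour                    int
	Action                  string // "login" or "enrol-device"
}

// Assess scores the request against the profile and returns the decision with
// the signals that drove it. Weights: unknown device 3, unknown country 2,
// outside usual hours 1, and 3 more for trying to enrol a new device from an
// unknown device, which is the first move a credential thief makes.
func Assess(p Profile, r Request) (Decision, []string) {
	score, why := 0, []string{}
	if !p.KnownDevices[r.DeviceID] {
		score += 3
		why = append(why, "unknown device")
		if r.Action == "enrol-device" {
			score += 3
			why = append(why, "enrolment from unknown device")
		}
	}
	if !p.KnownCountries[r.Country] {
		score += 2
		why = append(why, "unknown country")
	}
	if r.Hour < p.WorkStart || r.Hour >= p.WorkEnd {
		score++
		why = append(why, "outside usual hours")
	}
	switch {
	case score >= 6:
		return Deny, why
	case score >= 2:
		return StepUp, why
	}
	return Allow, why
}

// Evaluate runs the scorer over a constructed set of attempts for one user.
func Evaluate() map[string]Decision {
	alice := Profile{
		KnownDevices:   map[string]bool{"laptop-7f3a": true},
		KnownCountries: map[string]bool{"DK": true},
		WorkStart:      7, WorkEnd: 19,
	}
	attempts := map[string]Request{
		"usual login":           {"alice", "laptop-7f3a", "DK", 10, "login"},
		"late from own laptop":  {"alice", "laptop-7f3a", "DK", 22, "login"},
		"new laptop, same city": {"alice", "laptop-b19c", "DK", 11, "login"},
		"abroad at night":       {"alice", "laptop-7f3a", "BR", 3, "login"},
		"enrol device abroad":   {"alice", "phone-0c2e", "BR", 3, "enrol-device"},
	}
	out := map[string]Decision{}
	for name, r := range attempts {
		d, why := Assess(alice, r)
		out[name] = d
		fmt.Printf("%-22s %-8s %v\n", name, d, why)
	}
	return out
}

func main() { Evaluate() }
```

A late login from a known laptop scores too low to matter, a new laptop or an unfamiliar country triggers the biometric step-up, and a device-enrolment attempt from an unknown device abroad at night is refused outright; the reasons are returned alongside the decision so they can be logged for the ‘who, what, when and why’ record the text asks for.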
Security and GDPR compliance
With GDPR legislation, it is more important than ever to secure user privacy and ensure the right to be forgotten. It is also very important to implement the highest level of security for user authentication to protect your IT system against unauthorised access, and to document who is accessing what, why, and when for compliance purposes.

Strong authentication with FIDO2/passkey prevents the most common causes of password-related breaches, such as the weak and leaked credentials that surfaced in the investigation of the SolarWinds breach.1 Hardware FIDO2 authenticators can meet the highest authenticator assurance level in NIST’s guidance (AAL3 in SP 800-63B), which demands a hardware-based cryptographic authenticator that resists verifier impersonation, the same tier as the PIV/CAC smartcards the U.S. Department of Defense uses today.
Single sign-on
Biometric smartcards with FIDO2/passkey and built-in biometric verification are well-suited for convenient and secure passwordless login to a corporate Windows domain and the QuardLock single sign-on portal.
When logged in with your biometric verification, the QuardLock single sign-on portal grants seamless, passwordless access to all company-approved applications, including mobile apps, cloud-based, hybrid, and on-premise applications.
This greatly increases productivity while keeping data secure. For the user there is no password to remember or lose. Just present your biometric smartcard, verify your identity with your fingerprint, and the authentication response is signed on the card and sent over an encrypted channel to the backend server for verification and authorisation.
Quantum computing security
As cyber threats evolve, cybersecurity must stay ahead. Quantum computing promises incredible breakthroughs, but it also threatens the RSA and elliptic-curve public-key algorithms that today’s encryption and signatures, including the ES256 signatures most FIDO2 credentials use, depend on. CardLab with the QuardLock backend is leading the way with a smarter approach: offline fingerprint verification on the card combined with identity tokenisation. By removing reliance on vulnerable network-based authentication and static credentials, CardLab dramatically reduces attack surfaces and strengthens protection against phishing and credential theft. True quantum resistance requires post-quantum algorithms in both the card and the backend; this solution delivers robust security today and a future-ready foundation for adding quantum-safe algorithms tomorrow.

Offline trust and eIDAS 2.0: The role of biometric smartcards in the EU Digital Identity Wallet
The EU Digital Identity Wallet (EUDIW) under eIDAS 2.0 is intended to provide all EU citizens and businesses with a secure, interoperable, and privacy-preserving digital identity. A central unresolved challenge is how to reconcile offline usability with online compliance requirements, particularly regarding assurance levels, revocation, legal accountability, and privacy.
Most current wallet designs rely heavily on online, cloud-based trust models, which simplify compliance but introduce systemic security risks, connectivity dependencies, and privacy concerns. At the same time, fully offline solutions face difficulties meeting eIDAS requirements for revocation, freshness, and auditability.
However, CardLab has developed a solution to address this challenge.
Architecture
CardLab provides an alternative approach in which a biometric smartcard acts as the master cryptographic authority for the EU Digital Identity Wallet.
In this model:
- All private keys are stored inside a certified secure element on the smartcard
- Biometric verification and all cryptographic operations occur inside the card
- Smartphones and PCs act only as user interfaces and transport layers, connected via NFC/BLE
- Private keys and biometric data never leave the protected hardware
- The card supports FIDO2, OTP/TOTP, X.509 certificates, PIV, and electronic signatures
Key implications for eIDAS compliance
The biometric smartcard model:
- Strongly supports eIDAS requirements for sole control of the signatory and non-repudiation
- Enables high-assurance authentication and transaction signing, including offline use
- Reduces exposure to malware, cloud compromise, and platform-specific trust models
- Strengthens legal defensibility of electronic signatures
- Improves privacy through data minimisation and decentralised trust
This architecture aligns closely with the principles for qualified signature creation devices (QSCD)2 and provides a credible path to High Assurance Level (LoA High) use cases.
Policy relevance
From a policy perspective, biometric smartcards:
- Reduce systemic risk from centralised identity infrastructures
- Enhance resilience in offline or crisis scenarios
- Support EU digital sovereignty and GDPR principles
- Enable long-term, cross-border interoperability
A biometric smartcard serving as the master key for the EU Digital Identity Wallet provides a robust, privacy-preserving, and legally sound foundation for digital identity in Europe. While hybrid online mechanisms remain necessary for lifecycle management, this approach decisively strengthens offline trust and merits serious consideration within the eIDAS 2.0 framework.
Alignment with eIDAS 2.0, EU digital sovereignty, and offline trust
Our solution is designed to replace direct exposure of personal identifiers with cryptographically controlled surrogate values, where:
- Only EU-regulated entities can issue, resolve, or revoke identity bindings
- Identity is disclosed only when legally and contextually required
- Control remains with the EU citizen and EU legal framework
This aligns the solution with eIDAS, GDPR, and EU constitutional law.
Tokenisation as a trust service
Our system effectively proposes an EU-level identity abstraction layer:
- Personal identifiers (SSN equivalents, card numbers, account IDs, emails) are replaced by surrogate identity tokens
- Tokens are meaningless outside EU trust infrastructure
- Resolution (de-tokenisation) requires:
– User consent
– Strong authentication
– Legal basis under EU law
This is best described as a regulated identity mediation and attribute resolution service – not anonymisation, not evasion.
Role of the biometric smartcard
In this architecture, the biometric smartcard with fingerprint verification:
- Holds root private keys
- Enforces user presence (fingerprint)
- Signs authentication, attribute-disclosure and de-tokenisation requests
- Works offline and online via NFC or BLE
Critically, the card does not store raw identifiers for routine use – it stores:
- Cryptographic bindings
- Token references
- Attribute release policies
This makes the card a personal trust anchor rather than a data container.
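The tokenisation and de-tokenisation flow from the two sections above, as an added example that is not CardLab’s implementation: tokens are random rather than derived from the identifier, the vault is the only place the link exists, and resolution requires a legal basis from an allowed list, recorded consent, and a card signature over every field of the request (user presence). The legal-basis labels, the token prefix eu-tok_, the subject name alice and the identifier EXAMPLE-ID-000123 are assumptions; revocation and audit logging, which a real service needs, are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Added example, not CardLab's code: random surrogate tokens, resolved only for a
// consented, legally based request signed by the subject's enrolled card.
type Vault struct {
	byID    map[string]string           // identifier -> token
	byToken map[string]string           // token -> identifier; the only place the link exists
	cards   map[string]*ecdsa.PublicKey // subject -> card public key captured at enrolment
	bases   map[string]bool             // legal bases under which resolution is permitted (assumed labels)
}

func NewVault() *Vault {
	return &Vault{byID: map[string]string{}, byToken: map[string]string{},
		cards: map[string]*ecdsa.PublicKey{},
		bases: map[string]bool{"contract": true, "legal-obligation": true, "court-order": true}}
}

// Tokenise returns the surrogate for an identifier, minting one on first use. The token
// is random, not hashed or encrypted from the identifier, so it reveals nothing outside the vault.
func (v *Vault) Tokenise(id string) string {
	if t, ok := v.byID[id]; ok {
		return t
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a broken random source must not mint tokens
	}
	t := "eu-tok_" + base64.RawURLEncoding.EncodeToString(b)
	v.byID[id], v.byToken[t] = t, id
	return t
}

// ResolveRequest is what a relying party presents to de-tokenise. The card signs
// every field, so nothing can be changed after the fingerprint check.
type ResolveRequest struct {
	Token, Subject, LegalBasis string
	Consent                    bool
	Signature                  []byte
}

func (r ResolveRequest) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%t", r.Token, r.Subject, r.LegalBasis, r.Consent)))
	return h[:]
}

// SignOnCard stands in for the card: after an on-card fingerprint match it signs
// the request with a key that never leaves the secure element.
func SignOnCard(priv *ecdsa.PrivateKey, r *ResolveRequest) {
	r.Signature, _ = ecdsa.SignASN1(rand.Reader, priv, r.digest()) // errs only on broken randomness
}

// Resolve enforces legal basis, consent and strong authentication before returning the identifier.
func (v *Vault) Resolve(r ResolveRequest) (string, error) {
	if !v.bases[r.LegalBasis] {
		return "", fmt.Errorf("no recognised legal basis: %q", r.LegalBasis)
	}
	if !r.Consent {
		return "", errors.New("subject has not consented")
	}
	pub, ok := v.cards[r.Subject]
	if !ok {
		return "", errors.New("subject has no enrolled card")
	}
	if !ecdsa.VerifyASN1(pub, r.digest(), r.Signature) {
		return "", errors.New("card signature invalid: request altered or not approved by the subject")
	}
	if id, ok := v.byToken[r.Token]; ok {
		return id, nil
	}
	return "", errors.New("unknown token")
}

// Demo tokenises a constructed identifier and attempts three resolutions.
func Demo() (token, resolved string, err, tampered, noBasis error) {
	v := NewVault()
	card, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errs only on broken randomness
	v.cards["alice"] = &card.PublicKey                         // enrolment binds card to subject
	token = v.Tokenise("EXAMPLE-ID-000123")                    // constructed identifier
	good := ResolveRequest{Token: token, Subject: "alice", LegalBasis: "contract", Consent: true}
	SignOnCard(card, &good)
	resolved, err = v.Resolve(good)
	bad := good // relying party upgrades the basis after the card has signed
	bad.LegalBasis = "court-order"
	_, tampered = v.Resolve(bad)
	mkt := ResolveRequest{Token: token, Subject: "alice", LegalBasis: "marketing", Consent: true}
	SignOnCard(card, &mkt)
	_, noBasis = v.Resolve(mkt)
	return
}
```

Because the card signs the whole request, a relying party that changes the legal basis after the fingerprint check gets a signature failure, and a basis outside the allowed list is rejected before any key is touched; the token itself is 16 random bytes, so leaking it, or the tokenisation code, discloses nothing about the person.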
The Microsoft Jurisdiction example: How to frame it safely
Reducing systemic dependence on non-EU identity and communication providers for core civil functions is a big step towards sovereignty and cyber resilience.
The CardLab system:
- Prevents automatic identity linkage by foreign platforms
- Requires EU-law-governed resolution
- Preserves lawful cooperation via treaties and courts
This avoids political and legal red flags.
Offline vs online: Tokenisation impacts
Offline
- Identity verification
- Token creation
- Attribute proofs
- Transaction signing
Online
- Token resolution
- Revocation checks
- Lifecycle updates
The CardLab biometric smartcard model significantly strengthens offline trust, while still allowing compliance.
Risks and open issues
These must be acknowledged:
- Governance complexity
- Cost of smartcard issuance
- Revocation at EU scale
- Member State sovereignty concerns
- International interoperability
None are blockers — but all are policy challenges.
Strategic assessment
What this solution is:
- Privacy-preserving
- eIDAS-aligned
- Technically mature
- Sovereignty-supporting
- Offline-capable
What it is not:
- Identity evasion
- Law-avoidance
- Anti-government
- Anonymity system
The bottom line
A tokenisation-based identity model anchored in a biometric smartcard aligns with eIDAS 2.0, strengthens offline trust, enhances privacy and supports EU digital sovereignty, provided it is framed as regulated pseudonymisation with lawful de-tokenisation. Verifiable identification of the actors trying to enter physical and digital systems is the cornerstone of cybersecurity, and paired with tokenisation it is a tool that can block a significant share of cyber incidents.
Handled correctly, this is not radical. It is a logical next step in European cyber-resilience work and a strong tool for the cybersecurity problems that come with ongoing digitalisation.
CardLab is expanding its cybersecurity solution with a token service provider module and a de-tokenisation module, with the biometric smartcard and its fingerprint verification at the centre, fully aligned with its backend services and providing a strong, cryptographically verifiable link between a person’s physical and digital identity.
In a world where a large share of pictures, video and voice content, on social media and elsewhere, is AI-generated, modified or manipulated, verifying users’ identities is key to a convenient and safer digital life for enterprises and individuals, with minimal risk of losing data or identity.
References
1. https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach
2. https://www.qscd.eu/ and https://certification.enisa.europa.eu/publications/security-evaluation-and-certification-qualified-electronic-signatureseal-creation-devices_en