Not just a device. The hardware your security runs on.
Toughkey™ is Lokblok's secure execution environment for Phantom Secrets™, a certified hardware root of trust where keys can be reconstructed, used, and destroyed. It is the anchor hardware for FIDO2 passwordless authentication, and supports standard public/private key generation, Multi-Signature, and Threshold Signature Schemes. Or, more accurately: it's one way to deploy the Lokblok cryptographic runtime.

What It Is
A certified HSM built to run the Lokblok runtime.
Toughkey™ is a hardware security module (HSM) built to run Phantom Secrets, MPC/TSS, hardware attestation, and secure identity binding inside a tamper-resistant secure element.
It provides a guaranteed environment where keys can exist briefly, operations can be trusted, and nothing persists after execution.
- Keys exist briefly: reconstructed on demand, never stored
- Operations can be trusted: cryptographically attested execution
- Nothing persists: memory cleared immediately after use
The Important Part
Toughkey™ is not the system. It's the reference hardware.
The Lokblok cryptographic engine
- Is implemented as secure firmware / applet logic
- Runs inside trusted execution environments
- Is hardware-agnostic at the protocol level
- Executes identically regardless of the hardware it runs on
Toughkey™ is simply the highest-assurance, purpose-built environment to run it.
Beyond the Device
One runtime. Multiple deployment boundaries.
The same Lokblok runtime deploys across hardware form factors. The protocol stays identical; only the execution boundary changes.
Secure Elements (SIM / eUICC)
The applet runs directly inside carrier-grade secure elements. No external hardware required. Mass-scale deployment possible. Indistinguishable from Toughkey™ at the protocol level.
Mobile Secure Enclaves
Embedded secure enclaves. Device-bound execution. Consumer-friendly form factors. Hardware-backed security without dedicated hardware.
Enterprise & Cloud HSMs
Hardware-backed execution layers. Integrations with secure infrastructure. Scalable deployment across enterprise systems.
One Protocol. Multiple Hardware Roots.
The cryptography stays identical. Only the execution boundary changes.
| Environment | What changes | What doesn't |
|---|---|---|
| Toughkey™ device | Physical form factor | Protocol |
| SIM / eUICC | Embedded deployment | Protocol |
| Mobile secure enclave | Device integration | Protocol |
| Cloud / enterprise HSM | Infrastructure layer | Protocol |
Why Toughkey™ Exists
Because some environments require maximum assurance.
Toughkey™ is the most controlled, auditable, and trusted way to run Phantom Secrets.
What Happens Inside
The host system never sees the key.
Key Capabilities
Built for execution, not just storage.
Secure Execution
Keys are never exposed to the OS, memory, or network. Operations happen entirely inside the enclave.
Multi-Applet Architecture
Supports Phantom Secrets, FIDO2, standard key generation, Multi-Signature, and Threshold Signature Schemes simultaneously in a single device.
Hardware Attestation
Every operation is tied to a verified, genuine device. Integrity is cryptographically provable.
FIDO2 Passwordless Authentication
Toughkey™ is the anchor hardware for FIDO2. Passwordless authentication backed by a certified secure element. No stored credentials, no phishable secrets.
Multi-Signature Support
Multiple independent signers required before an operation completes. Enforced in hardware. No single party can act unilaterally.
Threshold Signature Schemes
TSS operations execute inside the secure element. A configurable k-of-n quorum must be satisfied before any signature is produced.
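The k-of-n quorum rule above, and the "reconstructed, used, and destroyed" key lifecycle described at the top of the page, can be illustrated with a small Shamir-style secret-sharing routine. This is an added example, not Lokblok's TSS or Phantom Secrets code: it uses an assumed 127-bit prime field, an HMAC tag as a stand-in for the signature operation, and a best-effort wipe of a `bytearray` to stand in for the secure element clearing its memory (Python cannot guarantee erasure; a real secure element does this in hardware). Any quorum smaller than k is refused before the key is ever reconstructed.

```python
"""Added illustration (not Lokblok code): a k-of-n quorum in the style of
Shamir secret sharing. The key only exists while it is reconstructed,
is used once, and is then wiped. Field modulus and key size are assumptions."""
import hashlib
import hmac
import secrets

# Assumption: the Mersenne prime 2^127 - 1 as the field modulus; keys are 16 bytes, so < P.
P = (1 << 127) - 1
KEY_LEN = 16


def split_secret(secret: int, k: int, n: int) -> list[tuple[int, int]]:
    """Split `secret` into n shares (x, f(x)) of a random degree k-1 polynomial."""
    if not (1 <= k <= n) or not (0 <= secret < P):
        raise ValueError("bad threshold parameters or secret out of range")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def quorum_met(shares, k: int) -> bool:
    """True only if at least k *distinct* shares are present (duplicates don't count)."""
    return len({x for x, _ in shares}) >= k


def reconstruct(shares, k: int) -> int:
    """Lagrange interpolation at x = 0 from exactly k distinct shares."""
    if not quorum_met(shares, k):
        raise PermissionError(f"quorum not met: need {k} distinct shares")
    pts = list(dict(shares).items())[:k]  # dict() de-duplicates on x
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = (num * xj) % P
                den = (den * (xj - xi)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def sign_with_quorum(shares, k: int, message: bytes) -> bytes:
    """Reconstruct the key, use it once, and wipe it. HMAC stands in for a signature."""
    key = bytearray(reconstruct(shares, k).to_bytes(KEY_LEN, "big"))
    try:
        return hmac.new(key, message, hashlib.sha256).digest()
    finally:
        for i in range(len(key)):  # best-effort "destroy" step; hardware does this for real
            key[i] = 0


if __name__ == "__main__":
    # Constructed demo values: a 3-of-5 policy over a randomly generated key.
    key_int = int.from_bytes(secrets.token_bytes(KEY_LEN), "big")
    shares = split_secret(key_int, k=3, n=5)
    print("2 shares meet quorum?", quorum_met(shares[:2], 3))   # False
    print("3 shares meet quorum?", quorum_met(shares[:3], 3))   # True
    tag_a = sign_with_quorum(shares[:3], 3, b"approve transfer")
    tag_b = sign_with_quorum(shares[2:], 3, b"approve transfer")
    print("same tag from two different quorums:", tag_a == tag_b)  # True
```

Two different quorums of three shares produce the same tag because they reconstruct the same key; two shares, or three shares where one is a duplicate, never reach the signing step at all.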
Maximum Assurance
FIPS 140-3 Level 3 and Common Criteria EAL6+ certified. The highest-assurance deployment available.
Where Toughkey™ Wins
The right environment for maximum assurance.
High-Assurance Enterprise Environments
Regulated industries, financial systems, and critical infrastructure requiring the strongest possible hardware root of trust.
Step-Up Authentication
Physical presence required for high-value actions. The device enforces what policy alone cannot.
Institutional Custody
Hardware-bound governance for digital assets. Multi-party approval flows enforced in the secure element.
Air-Gapped Environments
Maximum isolation, minimum attack surface. Toughkey™ operates where network-connected infrastructure cannot go.
How It Fits
Toughkey™ is the execution layer of the Zero Trust Ecosystem.
The Real Takeaway
Software first, hardware optional. That's everyone else.
- Most security products: software first, hardware optional.
- Lokblok: cryptography first, hardware enforced.
And Toughkey™ is where that enforcement is strongest.