Defense-Grade Architecture

The 3 Pillars of Verification

We secure the critical moment at the doorstep by answering three fundamental questions with mathematical certainty.

Unbroken Chain of Custody

For sensitive deliveries like opioids, oxygen, or evidence, knowing "someone" received it isn't enough. VerifiedKnock creates a cryptographic link between the sender, the courier, and the verified recipient.

1. Origin

Pharmacy or Agency initiates delivery. Package ID is cryptographically bound to the specific recipient's profile.

2. Courier Handoff

Courier scans badge at door. VerifiedKnock confirms identity and authorizes the specific package release.

3. Verified Receipt

Recipient confirms via app. Digital signature proves exactly WHO received the item and WHEN.

Verified Identity

"We know WHO is at the door."

  • Biometric Liveness Checks
  • Cryptographic Credential Binding
  • Anti-Spoofing Protection

Verified Location

"We confirm they are AT THE DOOR."

The VerifiedKnock proximity geofence is registered to the homeowner's address. Every time an authorized professional enters the geofence, the homeowner receives a cryptographic notification through their app — showing the agency, dispatch reference, and verified timestamp. Physical presence within the registered geofence is the only way to trigger a verification. An optional NFC door tag is available for properties that prefer physical tap confirmation.

  • Geofence registered to homeowner's address
  • Every arrival sends cryptographic notification to resident app
  • Optional NFC door tag for physical tap confirmation

Verified Intent

"We know WHO AUTHORIZED them to be there."

  • Agency-issued credential — not self-claimed
  • Authorization is cryptographically bound to the credential
  • No external system lookup required
Jurisdiction Control

Credentials That Know Their Borders

Every credential issued by VerifiedKnock is cryptographically bound to the issuing agency's jurisdiction. A Canadian agency's card cannot verify in the United States — and vice versa.

Offline Enforcement

Jurisdiction validation happens on-card during the NFC tap — no internet connection required. Even in a fully offline environment, a cross-border credential is rejected at the hardware level.

Connectivity Modes

Online vs. Fully Offline — Your Choice

VerifiedKnock supports two deployment modes. The cryptographic verification is always offline. What changes is how the verified result is delivered to the resident.

Phone Mode

Requires data connection for notification

The officer's FIDO2 credential performs biometric authentication entirely on the hardware chip — no internet needed for the cryptographic verification step. Smart home proximity detection triggers the challenge automatically when the officer arrives. However, delivering the verified result to the resident's phone as a push notification requires a data connection on the officer's device.

Verification itself: fully offline
No cloud database queried during tap
Push notification to resident: requires internet (officer's phone data)
Works on any NFC-enabled Android or iPhone
No Hardware

ATKey.Card + VerifiedAmbient™ API

No proprietary hardware at the address

The resident's smart doorbell or home hub detects the officer approaching and sends a proximity event to the VerifiedKnock API. A cryptographic challenge is pushed to the officer's smartphone. The officer authenticates with ATKey.Card (NFC), ATKey.Pro (USB-C), or BLE K33 (phone-free) — private key never leaves the card. The VerifiedKnock API then signals any connected smart display in the home — showing VERIFIED in green instantly. No proprietary hardware at the door. No phone required by the resident.

Verification: fully offline (on-card biometric)
Result display: any connected smart display
No proprietary hardware installed at the address
Ideal for seniors, elder care, and no-phone households
StepSmart Home ProximityVerifiedAmbient™ API
Proximity triggerSmart doorbell / home hubSmart doorbell / home hub
Officer auth methodATKey.Card (NFC) / ATKey.Pro (USB-C)ATKey.Card / ATKey.Pro / BLE K33
Biometric matchOn-card — offline ✓On-card — offline ✓
Result deliverySmart doorbell / home hub / appSmart display signal (API)
Resident phone requiredYesNo
Hardware at addressNoneNone
Live Geofence Demo

See the Proximity Trigger in Action

Enter any address and adjust the geofence radius to match your property. Click Dispatch Officer to watch the full automated verification flow — no homeowner action required.

Live Geofence Demo

See how VerifiedKnock triggers verification on arrival

Backend Monitoring Active
50 ft
10 ft (tight)150 ft (wide)

Awaiting dispatch

Officer status

📍

Officer Dispatched

Assignment pushed to device

🔵

Approaching Property

Backend monitoring active

Geofence Entered

Challenge auto-generated

🔑

FIDO2 Key Tapped

Cryptographic signature verified

Resident Notified

Identity confirmed — timer started

The geofence radius is configurable per property — from 10 ft (apartment door) to 150 ft (large estate). No homeowner action required.
Security Architecture

Can the API Be Hacked?

The API is a delivery pipe. The trust anchor is hardware. Here is exactly what an attacker can and cannot do — and why the cryptographic core cannot be compromised through the network.

The Fundamental Guarantee

VerifiedKnock separates two things most systems conflate: the notification channel (the API) and the identity proof (the FIDO2 assertion). An attacker who compromises the API gains access to the delivery pipe — not the proof.

Private key never leaves hardware

The FIDO2 private key is generated on the card's secure element (Common Criteria EAL6+) and cannot be extracted — not by software, not by the server, not by the officer themselves.

One-time nonce per event

Every verification uses a fresh cryptographic nonce generated by the backend. A captured or replayed assertion is mathematically invalid — it is bound to a single challenge that expires immediately.

Biometric match on card, not server

The fingerprint is matched entirely inside the card's secure element. No biometric data is transmitted, stored, or accessible to any party outside the hardware device.

Signed audit log is tamper-evident

Every verification event produces a cryptographically signed log entry stored server-side. Retroactive forgery requires breaking the signing key — computationally infeasible.

Attack Surface Analysis

Replay attack

Blocked

Stale nonce rejected by backend. Each assertion is cryptographically bound to a single challenge.

API key theft

Insufficient alone

A stolen API key cannot produce a valid FIDO2 assertion. No assertion = no resident notification sent.

Man-in-the-middle

Blocked

TLS 1.3 in transit. The assertion itself is bound to the specific challenge — intercepting and replaying against a new session is infeasible.

Denial of Service (flood API)

Notification suppressed only

Attacker can prevent a notification from reaching the resident. Resident does not open the door without a verified signal — attacker gains nothing.

Compromised resident device

Display only — proof is server-side

The notification is informational. The cryptographic proof lives in the server-side audit log, not on the device.

Rogue VerifiedAmbient™ integration

Blocked

The API requires a signed JWT scoped to a specific address and event ID. A rogue integration cannot generate a valid JWT without the backend signing key.

What an attacker CAN do

  • Suppress a notification (DoS) — resident does not open the door
  • Flood the API with noise — resident ignores unverified signals
  • Attempt to steal an API key (mitigated by scoped JWTs)

What an attacker CANNOT do

  • Produce a valid FIDO2 assertion without the physical card
  • Forge a biometric match without the officer's live fingerprint
  • Create a signed audit log entry that passes backend verification
  • Replay a captured assertion against a new session
  • Extract the private key from the card's secure element (EAL6+)

Same Threat Model as FIDO2 Banking & Government Identity

VerifiedKnock uses the same cryptographic foundation trusted by US federal employees, financial institutions, and NIST-certified systems. The API is a delivery pipe — the trust anchor is hardware. Compromising the pipe does not compromise the proof.

Ready to secure your perimeter?

VerifiedKnock provides the only access control system designed specifically for the high-stakes requirements of law enforcement and critical infrastructure.

Contact Sales