Identity infrastructure for connected systems

AmbiSecure builds hardware-rooted identity, FIDO, PKI & smart-card systems.

FIDO authenticators, PIV applets, PKI infrastructure, JavaCard platforms, Secure Elements, ePassport systems, and IoT trust anchors — engineered for governments, enterprises, telecoms, and connected-product OEMs.

Talk to engineering Explore products Browse resources
FIDO PIV PKI JavaCard Secure Elements ePassport IoT Security
AmbiSecure — hardware-rooted security crest
Today’s focus · rotates daily Hardware-rooted identity

Keys live in tamper-resistant silicon — never in software, never on disk.

Trust chain
About AmbiSecure

Engineering-led identity infrastructure.

Who we are

Hardware-rooted security engineers.

The security business unit of Ambimat Electronics — an embedded engineering team shipping electronics since 1981 and identity systems since 2017.

What we build

FIDO, JavaCard, secure elements, PKI.

FIDO2 authenticators, JavaCard applets, ePassport platforms, IoT trust anchors, and validation servers — rooted in CC EAL5+ silicon.

Who we help

Governments, enterprises, OEMs, telecoms.

National identity programmes, enterprise IT, telecom operators, transit authorities, connected-product OEMs, and security integrators.

How we help

Turnkey, from wafer to validation.

Silicon selection, applet engineering, personalisation lines, form-factor delivery, and validation servers — scoped as review, pilot, or rollout.

FEATURED · OnePass platform

One identity card. Phishing-resistant. Procurement-ready.

Replace badges and security keys with a single FIDO2 smart card — shipped under your issuer keys, brand artwork, and audit hooks.

Explore OnePass Request a pilot
Integration flexibility · nano-card · MFF2 solderable

Same applets. Card or solderable. Your choice of integration.

FIDO2, PIV, OpenID Connect, and IoT-identity applets ship on the same CC EAL5+ secure-element silicon in two packages: a nano-card form factor for issuance and handling, and a solderable MFF2 module for embedding directly into connected-product boards. Same applet code, same certifications, same personalisation pipeline.

  • FIDO2 / PIV / OIDC applets on CC EAL5+ silicon
  • Nano-card package for removable handling
  • MFF2 solderable for embedded OEM integration
  • SGP.22 / SGP.32 RSP supported via the SIMAuth sister platform
IoT security co-processor JavaCard applet portfolio SIMAuth (sister site)
Core pillars

Eight domains, one engineering team.

V2X / Connected Mobility

Secure-element integration, V2X PKI architecture, and OBU/RSU hardware identity for ITS.

FIDO / WebAuthn

Authenticators, validation server, attestation, MDS — with a public utility-tool surface.

JavaCard

Custom applets, CAP file delivery, SCP03 loading, JCOP 3.1, JavaCard 3.x.

DESFire / Transit

EV1 / EV2 / EV3, SAM-backed offline trust, low-latency fare validators.

PKI / Certificates

Hardware-protected signing keys, PKCS#11, eIDAS-compatible flows, audit-grade issuance.

Secure Elements

CC EAL5+ silicon, attestation, key rotation, signed update — the foundation beneath every pillar.

eSIM Security

SGP.22 / SGP.32 eUICC platform, OpenID Connect applet, automotive + M2M variants.

OnePass Ecosystem

The flagship product family — Card, Bio Card, USB Key, BioKey, and Tappable.
What we build

Six surfaces, one trust chain.

Every product and service plugs into the same architecture — identity that begins in silicon and travels intact to the application layer.

01

FIDO Authenticators

OnePass Card, Bio Card, USB Key, BioKey, Tappable — FIDO2 / U2F, hardware-bound credentials, no shared secrets.

View authenticators →
02

JavaCard Applets

FIDO, PIV, OpenPGP and custom applets — designed, written, loaded, and personalised on chips at scale.

JavaCard work →
03

IoT Security Co-Processor

Dual-domain co-processor — the MCU runs the application while the cryptographic domain holds keys, verifies OTA, and anti-replays. Identity below the firmware.

IoT security →
04

FIDO Validation Server

Multi-tenant FIDO2 / WebAuthn SaaS. Per-tenant policy, attestation verification, MDS lookup. Drop-in JS + tenant-scoped REST.

Validation server →
05

ePassport Platform Engineering

End-to-end ICAO 9303 platform — backend, frontend, CSCA / DSC / PKD PKI, enrolment, personalisation.

ePassport service →
06

eSIM & eUICC

Telecom-grade embedded identity, eSIM/eUICC architecture, profile lifecycle — explored on our dedicated SIMAuth site.

Visit SIMAuth →
Trust chain

A chain that begins below the operating system.

Software-only security inherits every weakness of the host. We anchor trust in a tamper-resistant Secure Element, then carry it up through firmware, OS, and application boundaries with verifiable transitions.

Silicon — Secure Element / eUICC ROOT OF TRUST
Boot ROM & signed bootloader VERIFY
Firmware — signed, anti-rollback, recoverable MEASURE
OS / Runtime — isolated, attestable ATTEST
Application — FIDO, PKI, payment, identity CONSUME
Solutions

Problems we are good at.

Passwordless & MFA

Replace shared-secret passwords with hardware-bound FIDO2 credentials. Phishing-resistant by construction.

View solution →

Secure-element integration

Adding a secure element to a connected-device BOM — from silicon selection to SMT-line personalisation.

View solution →

Smart-card personalisation

Personalisation lines for cards and devices — key splits, HSM-backed custody, audit trails, batch APDUs.

View solution →

Government identity

PIV, OpenPGP, and eID applets on smart cards and tokens — issuance and revocation that holds up to audit.

View solution →

Closed-loop ticketing

SAM-backed transit and access systems with offline trust and audit-grade tap journals.

View solution →

Secure validator platforms

Reader-and-SAM platforms for fare collection and access — built to keep working when the backend doesn’t.

View solution →
Ecosystem map

Explore the platform.

Four ways into the same trust chain — by product, by audience, by standard, or by stack layer.

PROD

By product

Cards, USB keys, biometric tokens, secure-element applets, IoT applets, signature suites — all the hardware AmbiSecure ships.

12 products →
SVC

By service

JavaCard development, FIDO validation server, tool-chain engineering, ePassport platform — engineering work AmbiSecure does directly.

4 services →
SOL

By solution

Passwordless workforce, closed-loop transit, government identity, IoT trust, phishing-resistant MFA — problem-shaped views.

14 solutions →
TECH

By technology

FIDO2, WebAuthn, CTAP2, passkeys, JavaCard, DESFire, secure elements, SAMs, attestation — the standards layer.

12 technologies →
IND

By industry

Government, enterprise IT, transit, IoT/industrial, telecom — vertical-specific deployment shapes and constraints.

5 industries →
REF

By reference

AAGUIDs, APDU status, ASN.1, ISO 7816, COSE, X.509, GlobalPlatform, EMV, NFC, CAP files, DESFire — searchable databases.

12 references →
TOOL

By tool

54 client-side utilities for parsing, decoding, building, and signing — the engineer’s toolbox.

54 tools →
READ

By article

21 modern engineering deep-dives plus 24 archived posts — cornerstone reading on FIDO, JavaCard, PKI, transit, IoT.

45 articles →
CASESAnonymised case studies → PDFSPlatform brochures → SCOPEEngagement models → VIDEOWalkthroughs → TRUSTCertifications →
Resources

A toolbox for the engineers building this stack.

Free, client-side utilities for parsing the hex you stare at every day. Nothing leaves your browser. No accounts, no ads.

ATR

ATR Parser

Decode Answer-To-Reset bytes — TS, T0, interface bytes, historical bytes, TCK.
APDU

APDU Parser

Decode CLA / INS / P1 / P2 / Lc / Le for Case 1–4, short and extended.
TLV

TLV Parser

Walk BER-TLV, EMV TLV, and DGI-TLV trees with tag dictionary lookup.
39

Browse all 39+ tools

Utilities for ASN.1, CBOR, COSE, AAGUID, X.509, SCP03, NDEF, DESFire, EMV, and more.
REFSSearchable reference databases → TIMELINEStandards evolution timelines → DOCSWebAuthn engineering reference → BLOGEngineering blog →
Explore by use case

Where AmbiSecure ships today.

IDENTPasswordless enterprise IDENTPhishing-resistant MFA EMBEDFIDO2 in a nano-card / MFF2 secure element GOVPIV in a nano-card / MFF2 secure element GOVePassport platform engineering PKIEmail + document signing PKIPKCS signature suite IoTIoT security applets TRANSITClosed-loop ticketing SILICONSecure-element integration SAASFIDO validation server
Why AmbiSecure

An embedded team, not a security boutique.

Forty years of shipping hardware that survives the field.

AmbiSecure is the security business unit of Ambimat Electronics — established 1981. We have shipped firmware, contactless modules, and GSM/Bluetooth platforms for medical devices, wearables, and utilities. Security is engineered into that DNA, not layered over someone else’s reference design.

  • One point of contact from spec to shipment.
  • In-house JavaCard, FIDO, and personalisation expertise.
  • Real vendor relationships across silicon, contactless, and biometrics.
From the engineering blog · rotates daily

Featured technical reads.

FIDO2

Implementing FIDO2 Authentication: A Complete Developer Guide

A walkthrough of the FIDO2 stack — CTAP2, WebAuthn, attestation — with code that compiles.

Read → MFA

Why use Multi-factor Authentication?

Cybercriminals have billions of leaked records. Why a second factor — especially a hardware-bound one — cuts off the long tail.

Read → MFA

Top 3 Benefits of Multi-factor Authentication

The three reasons MFA isn’t optional any more — and what changes when the second factor is hardware.

Read →

Browse all posts   By topic   Engineering archive

Videos

See it in action.

FIDO setup walkthroughs, multi-application card use cases, and product loops — under 90 seconds each.

AmbiSecure card — all use cases
1:27Product overview

AmbiSecure card — all use cases

FIDO, PIV, door access, NDEF, and OpenPGP roles on a single multi-application card.

View page →
Set up the AmbiSecure card on Gmail
1:21FIDO setup

Set up the AmbiSecure card on Gmail

Adding the card as a FIDO security key on a Google account, on desktop.

View page →
0:05Product demo

AmbiSecure BioKey — product loop

Short hero loop showing the biometric USB security key.

View page →

All AmbiSecure videos →

Where AmbiSecure fits

From wafer to user, in one stack.

AmbiSecure sits between the silicon vendor and the application developer — picking the chip, writing the applet, running personalisation, shipping the authenticator, and standing up the validation server. Steps that are usually each their own RFP.

01

Silicon

CC EAL5+ secure element from a partner vendor.

02

Applet

FIDO, PIV, OpenPGP, NDEF, OIDC, IoT — AID-selectable on one chip.

03

Personalise

SCP03 loading, per-card key derivation, AAGUID + attestation cert injection.

04

Form factor

Card, USB key, biometric variant, NFC fob — brandable.

05

Validate

FIDO Validation Server with REST + JS API — or your own RP.

Trust center

Certification posture, standards conformance, security model, and vulnerability disclosure.

Open trust center →

Certifications

What we are certified for, the standards we build to, and what we are targeting — with explicit disclaimers.

View certifications →

Partners

Resellers, OEMs, system integrators, MSSPs, and consultancies — the partner programme front door.

Become a partner →
How engagements work

Three places to go next.

Evaluating whether AmbiSecure fits your deployment? These three surfaces are the most useful next step — architecture studies, platform overviews, and engagement-model shapes.

Case studies

Three anonymised deployments — passwordless workforce, closed-loop transit ticketing, IoT device identity. Architecture-led.

Read case studies →

Brochures

Six platform overviews — OnePass, FIDO, transit, JavaCard, PKI, device identity. Printable, no lead-capture wall.

Browse brochures →

Engagement models

How engagements are scoped — architecture review, pilot, rollout, integration, secure manufacturing, custom JavaCard.

See engagement shapes →
Frequently asked

Questions evaluators ask first.

What does AmbiSecure build?

Hardware-rooted identity systems — FIDO2 authenticators, PIV smart cards, JavaCard applets, ePassport platforms, eSIM and secure-element authentication, PKI, and IoT trust anchors — for governments, enterprises, telecoms, and connected-product OEMs.

Is AmbiSecure a hardware vendor or a software vendor?

Both, by design. AmbiSecure ships JavaCard applets, FIDO Validation Server software, and tool-chains on top of certified secure-element silicon. The promise is wafer-to-validation in one engineering team rather than three vendor handoffs.

Which standards and certification regimes does AmbiSecure align with?

FIDO2 / WebAuthn / CTAP2, PIV / FIPS 201, JavaCard 3.x with GlobalPlatform and SCP03, IEEE 1609.2 for V2X PKI, GSMA SGP.22 / SGP.32 for eSIM, ICAO 9303 for ePassport, and CC EAL5+ secure-element silicon. Posture is documented on the trust center.

Who is AmbiSecure built for?

Engineering and procurement teams that need device-bound rather than syncable identity — connected-mobility OEMs, transit operators, government identity programmes, telecom eSIM rollouts, and security leads who evaluate against threat models rather than feature lists.

How do AmbiSecure engagements typically start?

Most start as “we need something like X but with Y.” Tell AmbiSecure about the Y — there is usually an applet, a tool, or a secure-element pairing that gets you most of the way there. See the engagement models for the usual shapes.

Have a security problem that lives in hardware?

Talk to engineers, not BDRs. Tell us what you are building and we will tell you what is realistic, standards-aware, and shipped before.

Start a conversation