Identity infrastructure for connected systems

AmbiSecure builds hardware-rooted identity, FIDO, PKI & smart-card systems.

Q: How do AmbiSecure engagements typically start?

Most engagements start as 'we need something like X but with Y'. Tell AmbiSecure about the Y. There is usually an applet, a tool, or a secure-element pairing that gets you most of the way there.

FIDO authenticators, PIV applets, PKI infrastructure, JavaCard platforms, Secure Elements, ePassport systems, and IoT trust anchors — engineered for governments, enterprises, telecoms, and connected-product OEMs.

Talk to engineering Explore products Browse resources

FIDO PIV PKI JavaCard Secure Elements ePassport IoT Security

Today’s focus · rotates daily Hardware-rooted identity

Keys live in tamper-resistant silicon — never in software, never on disk.

Trust chain

About AmbiSecure

Engineering-led identity infrastructure.

Who we are

Hardware-rooted security engineers.

The security business unit of Ambimat Electronics — an embedded engineering team shipping electronics since 1982 and identity systems since 2017.

What we build

FIDO, JavaCard, secure elements, PKI.

FIDO2 authenticators, JavaCard applets, ePassport platforms, IoT trust anchors, and validation servers — rooted in CC EAL6+ silicon.

Who we help

Governments, enterprises, OEMs, telecoms.

National identity programmes, enterprise IT, telecom operators, transit authorities, connected-product OEMs, and security integrators.

How we help

Turnkey, from wafer to validation.

Silicon selection, applet engineering, personalisation lines, form-factor delivery, and validation servers — scoped as review, pilot, or rollout.

Where to start

Four ways in.

AUTH

Authenticators

FIDO2 OnePass Card, USB Key, and the biometric BioKey — phishing-resistant, hardware-bound credentials.

Explore authenticators →

Secure-element engineering

The AmbiSEC module, in-house Java Card platforms, and custom applets on tamper-resistant secure-element silicon.

Explore secure elements →

PKI

Device identity & PKI

IoT device identity, attestation, and certificate lifecycle — keys generated and kept in hardware.

Explore solutions →

SVC

Services

Architecture, applet development, personalisation, and FIDO validation — from wafer to validation.

Explore services →

What we build

Six surfaces, one trust chain.

Every product and service plugs into the same architecture — identity that begins in silicon and travels intact to the application layer.

FIDO Authenticators

OnePass Card, Bio Card, USB Key, BioKey, Tappable — FIDO2 / U2F, hardware-bound credentials, no shared secrets.

View authenticators →

JavaCard Applets

FIDO, PIV, OpenPGP and custom applets — designed, written, loaded, and personalised on chips at scale.

JavaCard work →

IoT Security Co-Processor

Dual-domain co-processor — the MCU runs the application while the cryptographic domain holds keys, verifies OTA, and anti-replays. Identity below the firmware.

IoT security →

FIDO Validation Server

Multi-tenant FIDO2 / WebAuthn SaaS. Per-tenant policy, attestation verification, MDS lookup. Drop-in JS + tenant-scoped REST.

Validation server →

ePassport Platform Engineering

End-to-end ICAO 9303 platform — backend, frontend, CSCA / DSC / PKD PKI, enrolment, personalisation.

ePassport service →

eSIM & eUICC

Telecom-grade embedded identity, eSIM/eUICC architecture, profile lifecycle — explored on our dedicated SIMAuth site.

Visit SIMAuth →

Trust chain

A chain that begins below the operating system.

Software-only security inherits every weakness of the host. We anchor trust in a tamper-resistant Secure Element, then carry it up through firmware, OS, and application boundaries with verifiable transitions.

Silicon — Secure Element / eUICC ROOT OF TRUST

Boot ROM & signed bootloader VERIFY

Firmware — signed, anti-rollback, recoverable MEASURE

OS / Runtime — isolated, attestable ATTEST

Application — FIDO, PKI, payment, identity CONSUME

Explore by use case

Where AmbiSecure ships today.

IDENTPasswordless enterprise IDENTPhishing-resistant MFA EMBEDFIDO2 in a nano-card / MFF2 secure element GOVPIV in a nano-card / MFF2 secure element GOVePassport platform engineering PKIEmail + document signing PKIPKCS signature suite IoTIoT security applets TRANSITClosed-loop ticketing SILICONSecure-element integration SAASFIDO validation server

Featured resources

Go deeper.

AmbiSecure deck

A concise 17-slide overview of the hardware-rooted trust platform — authenticators, secure elements, Java Card services, PKI, and IoT identity.

View the deck →

BioKey on-device TOTP & HOTP

Hardware-sealed OATH one-time passwords on BioKey — seeds stay in the secure element, every code is fingerprint-gated, alongside FIDO2.

Read the concept →

FIDO2 & WebAuthn

Phishing-resistant authentication on public-key cryptography — the private key never leaves the device.

Explore FIDO2 →

Browse the full engineer’s toolbox — 39+ utilities & references →

Frequently asked

Questions evaluators ask first.

What does AmbiSecure build?

Hardware-rooted identity systems — FIDO2 authenticators, PIV smart cards, JavaCard applets, ePassport platforms, eSIM and secure-element authentication, PKI, and IoT trust anchors — for governments, enterprises, telecoms, and connected-product OEMs.

Is AmbiSecure a hardware vendor or a software vendor?

Both, by design. AmbiSecure ships JavaCard applets, FIDO Validation Server software, and tool-chains on top of certified secure-element silicon. The promise is wafer-to-validation in one engineering team rather than three vendor handoffs.

Which standards and certification regimes does AmbiSecure align with?

FIDO2 / WebAuthn / CTAP2, PIV / FIPS 201, JavaCard 3.x with GlobalPlatform and SCP03, IEEE 1609.2 for V2X PKI, GSMA SGP.22 / SGP.32 for eSIM, ICAO 9303 for ePassport, and CC EAL6+ secure-element silicon. Posture is documented on the trust center.

Who is AmbiSecure built for?

Engineering and procurement teams that need device-bound rather than syncable identity — connected-mobility OEMs, transit operators, government identity programmes, telecom eSIM rollouts, and security leads who evaluate against threat models rather than feature lists.

How do AmbiSecure engagements typically start?

Most start as “we need something like X but with Y.” Tell AmbiSecure about the Y — there is usually an applet, a tool, or a secure-element pairing that gets you most of the way there. See the engagement models for the usual shapes.

Have a security problem that lives in hardware?

Talk to engineers, not BDRs. Tell us what you are building and we will tell you what is realistic, standards-aware, and shipped before.

Start a conversation