Identity infrastructure for connected systems

AmbiSecure builds hardware-rooted identity, FIDO, PKI & smart-card systems.

FIDO authenticators, PIV applets, PKI infrastructure, JavaCard platforms, Secure Elements, ePassport systems, and IoT trust anchors — engineered for governments, enterprises, telecom operators, and connected-product OEMs. Forty years of shipping embedded systems.

Talk to engineering Explore products Browse resources
FIDO PIV PKI JavaCard Secure Elements ePassport IoT Security
AmbiSecure — hardware-rooted security crest
Today’s focus · rotates daily Hardware-rooted identity

Keys live in tamper-resistant silicon — never in software, never on disk.

Trust chain
About AmbiSecure

Engineering-led identity infrastructure.

Who we are

Hardware-rooted security engineers.

The security business unit of Ambimat Electronics — an embedded engineering team in Ahmedabad shipping electronics since 1981 and identity systems since 2017.

What we build

FIDO, JavaCard, secure elements, PKI.

FIDO2 authenticators, JavaCard applets, ePassport platforms, IoT trust anchors, validation servers, and personalisation systems — rooted in CC EAL5+ silicon.

Who we help

Governments, enterprises, OEMs, telecoms.

National identity programmes, enterprise IT, telecom operators, transit authorities, connected-product OEMs, identity providers, and security integrators.

How we help

Turnkey, from wafer to validation.

Silicon selection, applet engineering, personalisation lines, form-factor delivery, validation servers — scoped as architecture review, pilot, or production rollout.

FEATURED · OnePass platform

One identity card. Phishing-resistant. Procurement-ready.

Replace badges and security keys with a single FIDO2 smart card that ships under your issuer keys, brand artwork, and audit hooks.

Explore OnePass Request a pilot
Integration flexibility · nano-card · MFF2 solderable

Same applets. Card or solderable. Your choice of integration.

FIDO2, PIV, OpenID Connect, and IoT-identity applets ship on the same CC EAL5+ secure-element silicon in two integration-convenient packages: a nano-card form factor for issuance and handling, and a solderable MFF2 module for embedding directly into connected-product boards. Same applet code, same certifications, same personalisation pipeline — pick the package that fits your manufacturing flow.

  • FIDO2 / PIV / OIDC applets on CC EAL5+ silicon
  • Nano-card package for removable handling
  • MFF2 solderable for embedded OEM integration
  • SGP.22 / SGP.32 RSP supported via the eSIM Initiative sister platform
IoT secure-element chipset JavaCard applet portfolio eSIM Initiative (sister site)
Core pillars

Seven domains, one engineering team.

FIDO / WebAuthn

Authenticators, validation server, attestation, MDS — with a public utility-tool surface.

JavaCard

Custom applets, CAP file delivery, SCP03 loading, JCOP 3.1, JavaCard 3.x.

DESFire / Transit

EV1 / EV2 / EV3, SAM-backed offline trust, low-latency fare validators.

PKI / Certificates

Hardware-protected signing keys, PKCS#11, eIDAS-compatible flows, audit-grade issuance.

Secure Elements

CC EAL5+ silicon, attestation, key rotation, signed update — the foundation of every other pillar.

eSIM Security

SGP.22 / SGP.32 eUICC platform, OpenID Connect applet, automotive + M2M variants.

OnePass Ecosystem

The flagship product family — Card, Bio Card, USB Key, BioKey, Tappable, Digital Signature Token.
What we build

Six surfaces, one trust chain.

Every AmbiSecure product or service plugs into the same architecture: identity that begins in silicon and travels intact to the application layer.

01

FIDO Authenticators

OnePass Card, OnePass Bio Card, OnePass USB Key, BioKey, Tappable. FIDO2 / U2F, hardware-bound credentials, no shared secrets.

View authenticators →
02

JavaCard Applets

FIDO, PIV, OpenPGP and custom applets — designed, written, loaded, and personalised on chips that ship at scale.

JavaCard work →
03

IoT Root of Trust

Secure Element integration, key provisioning, signed firmware update, attestation. Identity that lives below the OS.

IoT security →
04

FIDO Validation Server

Multi-tenant FIDO2 / WebAuthn SaaS. Per-tenant policy, attestation verification, MDS lookup. Drop-in JS + tenant-scoped REST.

Validation server →
05

ePassport Platform Engineering

End-to-end ICAO 9303 platform — backend, frontend, CSCA / DSC / PKD PKI, enrolment, personalisation. Architecture-led.

ePassport service →
06

eSIM & eUICC

Telecom-grade embedded identity, eSIM/eUICC architecture, profile lifecycle — explored on our dedicated eSIM Initiative site.

Visit eSIM Initiative →
Trust chain

A chain that begins below the operating system.

Software-only security inherits every weakness of the host. We push the trust anchor into a tamper-resistant Secure Element, then carry it up through firmware, OS, and application boundaries with verifiable transitions.

Silicon — Secure Element / eUICC ROOT OF TRUST
Boot ROM & signed bootloader VERIFY
Firmware — signed, anti-rollback, recoverable MEASURE
OS / Runtime — isolated, attestable ATTEST
Application — FIDO, PKI, payment, identity CONSUME
Solutions

Problems we are good at.

Passwordless & MFA

Replace shared-secret passwords with hardware-bound FIDO2 credentials. Phishing-resistant by construction.

View solution →

Secure-element integration

Putting a secure element on a connected-device BOM — from silicon selection to SMT-line personalisation.

View solution →

Smart-card personalisation

Personalisation lines for cards and devices — key splits, HSM-backed custody, audit trails, batch APDUs.

View solution →

Government identity

PIV, OpenPGP, eID applets on smart cards and tokens. Issuance and revocation that holds up to audit.

View solution →

Closed-loop ticketing

SAM-backed transit and access systems with offline trust and audit-grade tap journals.

View solution →

Secure validator platforms

Reader-and-SAM platforms for fare collection and access — designed to keep working when the backend doesn’t.

View solution →
Ecosystem map

Explore the platform.

Four ways into the same trust chain — by what you ship, by who you protect, by which standard you target, by where in the stack you operate.

PROD

By product

Cards, USB keys, biometric tokens, secure-element applets, IoT applets, signature suites — all the hardware AmbiSecure ships.

12 products →
SVC

By service

JavaCard development, FIDO validation server, tool-chain engineering, ePassport platform — engineering work AmbiSecure does directly.

4 services →
SOL

By solution

Passwordless workforce, closed-loop transit, government identity, IoT trust, phishing-resistant MFA — problem-shaped views.

14 solutions →
TECH

By technology

FIDO2, WebAuthn, CTAP2, passkeys, JavaCard, DESFire, secure elements, SAMs, attestation — the standards layer.

12 technologies →
IND

By industry

Government, enterprise IT, transit, IoT/industrial, telecom — vertical-specific deployment shapes and constraints.

5 industries →
REF

By reference

AAGUIDs, APDU status, ASN.1, ISO 7816, COSE, X.509, GlobalPlatform, EMV, NFC, CAP files, DESFire — searchable databases.

12 references →
TOOL

By tool

54 client-side utilities for parsing, decoding, building, and signing — the engineer’s toolbox.

54 tools →
READ

By article

21 modern engineering deep-dives plus 24 archived posts — cornerstone reading on FIDO, JavaCard, PKI, transit, IoT.

45 articles →
CASESAnonymised case studies → PDFSPlatform brochures → SCOPEEngagement models → VIDEOWalkthroughs → TRUSTCertifications →
Resources

A toolbox for the engineers building this stack.

Free, client-side utilities for parsing the hex you stare at every day. Nothing leaves your browser. No accounts, no ads.

ATR

ATR Parser

Decode Answer-To-Reset bytes — TS, T0, interface bytes, historical bytes, TCK.
APDU

APDU Parser

Decode CLA / INS / P1 / P2 / Lc / Le for Case 1–4, short and extended.
TLV

TLV Parser

Walk BER-TLV, EMV TLV, and DGI-TLV trees with tag dictionary lookup.
39

Browse all 39+ tools

Utilities for ASN.1, CBOR, COSE, AAGUID, X.509, SCP03, NDEF, DESFire, EMV, and more.
REFSSearchable reference databases → TIMELINEStandards evolution timelines → DOCSWebAuthn engineering reference → BLOGEngineering blog →
Explore by use case

Where AmbiSecure ships today.

IDENTPasswordless enterprise IDENTPhishing-resistant MFA EMBEDFIDO2 in a nano-card / MFF2 secure element GOVPIV in a nano-card / MFF2 secure element GOVePassport platform engineering PKIEmail + document signing PKIPKCS signature suite IoTIoT security applets TRANSITClosed-loop ticketing SILICONSecure-element integration SAASFIDO validation server
Why AmbiSecure

An embedded team, not a security boutique.

Forty years of shipping hardware that survives the field.

AmbiSecure is the security business unit of Ambimat Electronics — established 1981. We have shipped PCB designs, firmware, contactless modules, GSM and Bluetooth platforms for medical devices, smart watches, smart homes, and utilities. Security is what we add to that DNA, not a marketing layer over someone else’s reference design.

  • One point of contact from spec to shipment.
  • In-house JavaCard, FIDO, and personalisation expertise.
  • Real vendor relationships across silicon, contactless, and biometrics.
  • Cost-effective for both pilot batches and production runs.
From the engineering blog · rotates daily

Featured technical reads.

FIDO2

Implementing FIDO2 Authentication: A Complete Developer Guide

A walkthrough of the FIDO2 stack — CTAP2, WebAuthn, attestation — with code that compiles.

Read → MFA

Why use Multi-factor Authentication?

Cybercriminals have billions of leaked records. Why a second factor — especially a hardware-bound one — cuts off the long tail.

Read → MFA

Top 3 Benefits of Multi-factor Authentication

The three reasons MFA isn’t optional any more — and what changes when the second factor is hardware.

Read →

Browse all posts   By topic   Engineering archive

Videos

See it in action.

FIDO setup walkthroughs, multi-application card use cases, and product loops — under 90 seconds each.

AmbiSecure card — all use cases
1:27Product overview

AmbiSecure card — all use cases

FIDO, PIV, door access, NDEF, and OpenPGP roles on a single multi-application card.

View page →
Set up the AmbiSecure card on Gmail
1:21FIDO setup

Set up the AmbiSecure card on Gmail

Adding the card as a FIDO security key on a Google account, on desktop.

View page →
0:05Product demo

AmbiSecure BioKey — product loop

Short hero loop showing the biometric USB security key.

View page →

All AmbiSecure videos →

Where AmbiSecure fits

From wafer to user, in one stack.

AmbiSecure is the layer between the silicon vendor and the application developer. We pick the chip, write the applet, run the personalisation line, ship the authenticator, and stand up the validation server — the steps that are usually each their own RFP.

01

Silicon

CC EAL5+ secure element from a partner vendor.

02

Applet

FIDO, PIV, OpenPGP, NDEF, OIDC, IoT — AID-selectable on one chip.

03

Personalise

SCP03 loading, per-card key derivation, AAGUID + attestation cert injection.

04

Form factor

Card, USB key, biometric variant, NFC fob — brandable.

05

Validate

FIDO Validation Server with REST + JS API; or your own RP, your own way.

Trust center

Certification posture, standards conformance, security model, and a published vulnerability-disclosure channel.

Open trust center →

Certifications

What we are actively certified for, the standards we build to, certifications we are targeting — with explicit disclaimers.

View certifications →

Partners

Resellers, OEMs, system integrators, MSSPs, and consultancies — the partner programme front door.

Become a partner →
How engagements work

Three places to go next.

If you’re evaluating whether AmbiSecure fits your deployment, these three surfaces give the most useful next step — anonymised architecture studies, downloadable platform overviews, and the engagement-model shapes we work in.

Case studies

Three anonymised deployments — passwordless workforce, closed-loop transit ticketing, IoT device identity. Architecture-led, no fabricated metrics.

Read case studies →

Brochures

Six platform overviews — OnePass, FIDO deployment, transit security, JavaCard, PKI, device identity. Printable, no lead-capture wall.

Browse brochures →

Engagement models

How AmbiSecure engagements are scoped — architecture review, pilot, rollout, integration, secure manufacturing, custom JavaCard.

See engagement shapes →

Have a security problem that lives in hardware?

Talk to engineers, not BDRs. Tell us what you are building and we will tell you what is realistic, what is standards-aware, and what we have shipped before.

Start a conversation