Practical, code-first writing on hardware-rooted security.
Current engineering content from the AmbiSecure team — FIDO, WebAuthn, JavaCard, DESFire, SAM-backed transit, passwordless rollouts, smart-card lifecycles. Each piece is written by someone who has shipped the thing they are writing about.
Latest engineering
EU Cyber Resilience Act: What It Means for Connected Hardware and IoT Manufacturers
Products with digital elements, secure-by-design, lifecycle maintenance, vulnerability handling, and the 2026–2027 deadlines — in plain product-security language.
Secure by Design Under the CRA: Why Hardware-Backed Trust Matters
The threat model behind the CRA’s secure-by-design expectation — and where a hardware root of trust like AmbiSEC fits a CRA-aligned architecture.
CRA Vulnerability Handling and Product Lifecycle Security: What Manufacturers Need to Prepare
Reporting from 11 Sep 2026, support periods, coordinated disclosure, updates — and how secure elements support rotation, identity, and controlled updates.
Mapping AmbiSecure Products to CRA Readiness: AmbiSEC, ONE Pass, BioKey and Secure Identity
A product-mapping table from CRA-aligned needs to AmbiSecure building blocks — AmbiSEC for identity and key storage, FIDO and ONE Pass for access, and more.
Lava Lamps and Cryptographic Entropy: Inside the Wall of Entropy
How Cloudflare’s lava-lamp wall feeds an entropy pool — and why hardware TRNGs in secure-element silicon underpin TLS, FIDO, V2X, and eSIM.
How V2X PKI Works: EA, AA, Pseudonymous Certificates, Lifecycle
Root CA, EA, AA, EC, PC, HashedId8, Butterfly Key Expansion, CRL / CTL. IEEE 1609.2 + ETSI TS 102 941 in engineering depth.
Device Identity at Manufacturing Scale
Per-device keys on the personalisation line, HSM-backed SCP03 custody, OTA rotation, revocation across connectivity tiers. V2X / eSIM / IoT convergence.
Why Software-Only Device Trust Fails
Firmware extraction, key cloning, replay, fleet-scale compromise. Software vs TPM vs secure element against the four threat classes.
Secure Elements in Connected Vehicles
Key isolation, OBU / RSU integration, signed boot, anti-cloning, OTA trust anchors. SIM form factor vs telecom service. TPM / HSM / SE comparison.
Pseudonymous Certificates and Privacy in V2X
Unlinkability, rotation, Butterfly Key Expansion, linkage-based revocation, radio-layer hygiene. The privacy property of V2X PKI.
Embedded Secure-Element FIDO2 Authenticators for Enterprise Identity
FIDO2 inside a nano-card and MFF2 secure element. Roaming or embedded, enterprise identity, deployment economics for production rollouts.
PIV Smart Cards vs USB Tokens vs Embedded Secure Elements
Workforce identity credential matrix. Lifecycle, physical-logical convergence, certificate workflows.
Designing Secure Email and Document Signing Platforms
S/MIME, PDF/PKCS#7, hardware-backed credentials, Long-Term Validation, the trust-list problem.
Building Secure IoT Identity with Security Applets
Five JavaCard applets — provisioning, attestation, mTLS, signed update, key rotation — on a CC EAL5+ SE.
Engineering ePassport Issuance and Identity Platforms
ICAO 9303 architecture — CSCA/DSC PKI, LDS, enrolment, personalisation, inspection-system reference.
How to Choose Between Smart Cards, FIDO Tokens and Passkeys
Decision-grade comparison — threat model, lifecycle, recovery, and the choice that fits each deployment.
Secure Element vs TPM vs HSM — Where Each Fits
Three classes of hardware key-storage. What each is for, what each refuses to do, how to choose.
Designing Secure Credential Lifecycle Management
Issuance, rotation, recovery, revocation. The operations-grade view of every credential programme.
Why Transit Validators Need Offline Trust Architecture
What it takes to keep collecting fares when the backend is down — SAM-backed, validator-authoritative.
JavaCard Applet Development for Enterprise Identity
What it takes to ship an applet — AID design, lifecycle, secure messaging, personalisation, mistakes to avoid.
PKI Credential Issuance for Workforce and Government
RA, CA, key custody, attestation in the issuance flow, lifecycle, audit. Architecture you can defend.
How FIDO Authentication Works
An explanation of FIDO2 / WebAuthn that doesn’t need to keep apologising for the spec.
Where Your AmbiSecure FIDO Key Works
Practical overview of the services and platforms that accept FIDO2 / WebAuthn in 2026.
Cyber Security Threats — What Actually Matters in 2026
The threats that drive identity and hardware-credential decisions today — phishing, MFA bypass, SIM swap, more.
Implementing FIDO2 Authentication — A Complete Developer Guide
A practical, code-first walk through FIDO2 registration and authentication, attestation, and the bits people get wrong.
Designing Enterprise Passwordless Systems
What an end-to-end enterprise rollout looks like — IdP integration, recovery, mixed authenticator fleets, AAL3 architecture.
Passkeys vs Traditional MFA
Where passkeys actually replace MFA, where they don't, and how to think about device-bound vs synced credentials in enterprise.
Platform vs Roaming Authenticators
When to standardise on the YubiKey-style external authenticator vs the device-resident platform authenticator. Tradeoffs.
Understanding WebAuthn Attestation Objects
Walk a real attestation object byte by byte. AAGUID, COSE keys, attestation statement formats, and what to verify.
Why Hardware-Backed Identity Matters
What hardware-bound credentials buy you that software ones don't. Threat models, attestation, deployment realism.
APDU From First Principles
ISO 7816-4 APDUs explained: CLA, INS, P1/P2, Lc, data, Le, status words. With real DESFire/JavaCard examples.
DESFire EV1 vs EV2 vs EV3
How the DESFire family has evolved, what changed at each tier, and how to reason about legacy vs modern deployments.
Designing Low-Latency Secure Transit Validators
Why transit validators need offline trust, sub-300ms response, and SAM-backed attestation. With real numbers.
Why SAMs Matter in Closed-Loop Transit
Secure Access Modules in transit reader design, when to use them, and where they earn their cost.
Top 3 Benefits of MFA
A clear-eyed look at what MFA actually buys you in 2026 — and where it doesn't help.
Why Use Multi-Factor Authentication
An updated, technically-grounded answer to why MFA is still worth the friction.
Looking for something older?
The engineering archive preserves 24 AmbiSecure engineering posts from 2017–2025, clearly labelled and cross-linked to current coverage where it exists.