Ambimat Group · Ahmedabad · India · Est. 1981
AmbiSecure · Hardware-rooted security
Brochure · OnePass platform

OnePass — one identity, every form factor.

A unified hardware-backed identity platform — smart card, USB key, biometric card, validation server, lifecycle — engineered for organisations that need device-bound identity rather than syncable convenience.

Why a platform, not just a key

Authenticators are easy to ship. The hard parts are issuance, recovery, revocation, and attestation policy. OnePass ships all four out of the box. You get the keys plus the operational layer that makes them deployable at scale.

Form factors

Form factor | What it’s for
OnePass Card | Smart card + FIDO2 + NFC. Carries badge artwork, unlocks workstations, taps for physical access.
OnePass Bio Card | Smart card with on-card fingerprint sensor. CTAP2.1 biometric enrolment. No typing a PIN.
OnePass USB Key | FIDO-certified hardware key. USB-A or USB-C. For shared workstations, travel, backup.
OnePass platform server | FIDO Validation Server, AAGUID allow-list, MDS verification, lifecycle integration.

Standards

FIDO2 · CTAP2.1 · WebAuthn Level 2 · ISO/IEC 7816 · ISO/IEC 14443 · X.509 · OpenID Connect.

Certified at the component level under the standards each component targets — see the certifications page for the active list.

Deployment shape

  1. Issuer keys generated under M-of-N inside an HSM.
  2. Cards / keys personalised under issuer keys at the AmbiSecure manufacturing line or a customer-operated personalisation rig.
  3. Validation Server deployed (cloud or on-prem).
  4. IdP integration: Okta, Microsoft Entra ID, Ping — FIDO2 factor enabled, AAGUID allow-list pinned to your AAGUIDs.
  5. Issuance line: in-person at IT desk for office estate; in-region for distributed workforce.
  6. Recovery flow: sealed backup credential, in-person re-issuance, M-of-N break-glass.

What it replaces

  • SMS / TOTP MFA — eliminated by origin-bound FIDO2.
  • Push-fatigue MFA — eliminated by explicit user verification on hardware.
  • Multiple credentials per user (badge + key + PIV card) — consolidated to one card.
  • Untrusted bring-your-own keys — eliminated by AAGUID + MDS attestation policy.

Engineering footprint

No agent on the user’s machine. Standard WebAuthn at the relying party. Standard CTAP2.1 at the authenticator. The platform server speaks standard FIDO Metadata Service. Your IT team integrates through their existing IdP admin API, not through a custom AmbiSecure protocol.

Sizing OnePass for your estate?

We’ll bring a one-page deployment sketch to the first call — AAGUID policy, issuance line, recovery flow, validation-server footprint.
