AmbiSecure FAQs — answers from engineering, not marketing
Questions that come up in pilot reviews and procurement: how AmbiSecure is more secure than SMS OTP or an authenticator app, what happens when a card is lost, what changes when an applet loads on chips you already source, where eSIM identity fits, and how an ePassport platform engagement is scoped.
FAQ list
Is an AmbiSecure FIDO security key really more secure than passwords or SMS OTP?
Yes. Passwords are shared secrets — anything stored on a server can be phished or leaked. SMS OTP is bound to a phone number, not a person, and is vulnerable to SIM-swap and SS7 attacks. AmbiSecure FIDO2 / WebAuthn keys carry a private key that never leaves a tamper-resistant CC EAL6+ secure element. The relying party only ever receives a per-origin signed challenge — phishing-resistant by construction.
Related: FIDO technology · smart cards vs FIDO tokens vs passkeys · why hardware-backed identity matters.
Where can I use an AmbiSecure security key or smart card?
Any service that supports FIDO2 / WebAuthn / U2F — Google, Microsoft, GitHub, AWS, Okta, Azure AD, Ping, Auth0, and most modern identity providers. PIV-capable variants additionally work with Windows smart-card logon, macOS smart-card login, government PKI workflows (US FIPS 201 / eIDAS-compatible), VPN and SSH key storage, and PKCS#11 / minidriver flows.
Related: FIDO-supported services · passkeys.
What happens if my AmbiSecure key or card is lost or stolen?
Register at least two authenticators per account so a lost device never locks you out. Revoke the lost credential at the identity provider; the private key on the lost device is useless without your account context, the per-origin binding, and (for Bio variants) your fingerprint. PIN-protected variants additionally lock out after a small number of failed attempts. The credential cannot be cloned or extracted from the secure element.
Related: credential lifecycle management.
How do I get started with AmbiSecure authenticators in my organisation?
Start with an architecture review — we map your current identity stack (IdP, AD/Entra, applications, PKI) against AmbiSecure form factors and applet combinations. Then a pilot batch of 50–500 cards / keys for a controlled rollout, followed by phased production.
Related: engagement models · anonymised case studies · contact.
How does AmbiSecure compare with authenticator apps (Google Authenticator, Authy, Microsoft Authenticator)?
Authenticator apps store TOTP seeds in software on a phone — recoverable via cloud backup, screen-recorded by malware, and phishable through fake-prompt fatigue attacks. AmbiSecure private keys never exist outside the secure element, are bound to the origin domain so phishing sites cannot trick them, and require physical possession plus (optionally) a PIN or fingerprint.
Related: passkeys vs traditional MFA · top 3 benefits of MFA.
Does AmbiSecure work with eSIM and secure-element authentication?
Yes. AmbiSecure ships FIDO2, PIV, and OpenID Connect applets on CC EAL6+ secure elements packaged as removable nano-cards (ISO/IEC 7810 4FF) and solderable MFF2 modules — for embedded identity, OEM device authentication, and enterprise rollouts. Telecom-grade eSIM / eUICC and SGP.22 / SGP.32 RSP lifecycle work is covered separately on the dedicated SIMAuth platform, where the same applet portfolio is integrated with operator profile management.
Related: SIMAuth platform · FIDO2 in a nano-card / MFF2 secure element · PIV in a nano-card / MFF2 secure element · eSIM identity solution.
Can AmbiSecure JavaCard applets be loaded onto chips we already source ourselves?
Yes, when the chip supports GlobalPlatform 2.3.1 SCP03 loading and runs JavaCard 3.x. AmbiSecure delivers CAP files; your provisioning line loads them under your issuer keys using your HSM custody. The applet runs entirely inside your chip with your AID, your branding, and your post-issuance update policy.
Related: JavaCard development service · JavaCard applet portfolio · JavaCard applet development for enterprise identity.
What does an AmbiSecure ePassport platform engagement cover?
End-to-end ICAO 9303 platform delivery — enrolment frontend, biometric capture, CSCA / Document Signer / PKD PKI, personalisation line for booklets and ID-1 cards, BAC / PACE / Active Authentication / Chip Authentication, and the LDS structure.
Related: ePassport platform engineering · engineering ePassport issuance platforms.
What about government backdoors or master keys in AmbiSecure devices?
There are none. AmbiSecure secure elements are sourced from CC EAL6+ certified silicon vendors. The applet code is signed by the issuer, not by AmbiSecure. There is no extractable per-device master key, no remote update channel that bypasses the issuer, and no escrow of user credentials. The hardware certification reports for the underlying silicon are publicly available from the chip vendor.
Related: trust center · certifications.
Is the AmbiSecure card waterproof and durable enough for daily use?
Yes. The card body is ISO/IEC 7810 ID-1 standard plastic and survives normal wallet conditions — rain, sweat, brief immersion. USB-key variants are ABS / metal-shell and survive keychain wear. The CC EAL6+ secure element inside has no battery, no firmware to die, and no moving parts.
How does AmbiSecure compare with hosted MFA SaaS (Duo, Microsoft Authenticator, Okta Verify)?
Hosted MFA is mostly TOTP or push-based — the second factor lives in software on a phone. AmbiSecure is the hardware layer below: phishing-resistant FIDO2 credentials in a CC EAL6+ secure element, issuable under your branding and your keys, deployable alongside Duo / Microsoft / Okta as the second factor those services prefer. The two are complementary, not competing.
Related: passwordless enterprise · phishing-resistant authentication.
Where is AmbiSecure based and who can buy?
AmbiSecure is the security business unit of Ambimat Electronics, based in Ahmedabad, India. We ship globally — India PSUs and private enterprises, US enterprise and government accounts, EU identity programmes, and OEM customers in telecom, transit, and connected products. India and US sales contacts are on the contact page.
Related: About AmbiSecure · partner programme.
Keep reading.
Technologies
FIDO2, WebAuthn, CTAP2, JavaCard, DESFire, secure elements, SAMs, attestation — the standards layer.
Engineering blog
Cornerstone reads on FIDO, JavaCard, PKI, transit, IoT — written by the engineers who shipped them.
Utility tools
Client-side parsers for APDU, TLV, AAGUID, X.509, COSE, CBOR, DESFire, EMV and more — in your browser.
Question we haven’t answered?
The engineers who would scope the project are the same people who answer the contact form.