AmbiSecure FIDO2 Nano-Card Applet
A FIDO2/CTAP2 applet that runs inside a nano-card (4FF) secure element or a solderable MFF2 module. The same trust boundary used in a phone or smart card, repurposed as a phishing-resistant authenticator — for OEM device identity, embedded systems, and identity programmes where adding a separate token is not an option.
The trust boundary already lives in the device. Re-use it.
Hardware boundary, no extra chip
FIDO2 keys stay inside the SIM's secure element — the same boundary that already protects telecom credentials. No new physical part, no new BOM line.
Roaming or embedded
Removable in a SIM tray for cross-device roaming, or soldered (eUICC variant) as an always-present platform authenticator. Same applet, two operating models.
Origin-bound by protocol
FIDO2 binds every credential to the relying-party origin at the protocol layer. Phishing pages on look-alike domains cannot trigger a valid signature.
Telecom + identity convergence
Operators and OEMs can ship a single piece of silicon that handles network access AND phishing-resistant authentication for the workforce or subscriber base.
Resident credentials
Up to a dozen discoverable credentials per applet instance, depending on chip variant. Username-less FIDO2 flows work out of the box.
Standards-aligned
Implements FIDO2 over CTAP2.1 with ECC P-256, signed authenticator data, and a per-instance AAGUID. Attestation runs through the FIDO Metadata Service path.
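The origin binding and signed authenticator data described above, seen from the relying-party side. This is an added example, not AmbiSecure code. It follows the WebAuthn authenticator-data layout; the RP IDs, the placeholder AAGUID and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct
import uuid

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # user present, user verified, attested data


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split WebAuthn authenticator data into its fixed header and attested fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    parsed = {"rp_id_hash": rp_id_hash, "sign_count": sign_count,
              "user_present": bool(flags & FLAG_UP),
              "user_verified": bool(flags & FLAG_UV),
              "aaguid": None, "credential_id": None}
    if flags & FLAG_AT:  # attested credential data is present at registration
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credential ID length exceeds the data supplied")
        parsed["credential_id"] = auth_data[55:55 + cred_len]
        # The COSE public key (CBOR) follows; it is not decoded in this sketch.
    return parsed


def rp_binding_ok(auth_data: bytes, expected_rp_id: str) -> bool:
    """True only if the signed rpIdHash equals SHA-256 of the RP ID we expect."""
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    return hmac.compare_digest(parse_authenticator_data(auth_data)["rp_id_hash"], expected)


def build_sample(rp_id: str) -> bytes:
    """Constructed sample: header + placeholder AAGUID + 16-byte credential ID."""
    header = hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_UP | FLAG_UV | FLAG_AT])
    header += struct.pack(">I", 7)  # constructed signature counter
    aaguid = uuid.UUID("00000000-0000-4000-8000-000000000001").bytes  # placeholder
    cred_id = bytes(range(16))
    return header + aaguid + struct.pack(">H", len(cred_id)) + cred_id


if __name__ == "__main__":
    sample = build_sample("login.example.com")
    print(parse_authenticator_data(sample))
    print("genuine RP:", rp_binding_ok(sample, "login.example.com"))
    print("look-alike:", rp_binding_ok(sample, "login.examp1e.com"))
```

The rpIdHash comparison is meaningful only once the signature over the authenticator data and the client data hash has been verified with the credential's public key.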
What is in the applet.
| Item | Specification |
|---|---|
| Form factor | ISO/IEC 7810 4FF nano SIM, 12.3 × 8.8 × 0.67 mm. Optional eUICC variant for embedded deployments. |
| Interfaces | ISO/IEC 7816 contact (T=0 / T=1). NFC (ISO/IEC 14443 Type A) when paired with an NFC-equipped host device. |
| Protocols | FIDO2 (CTAP2.1); FIDO U2F (CTAP1) fallback. |
| Cryptography | ECC P-256 (FIDO2); SHA-256; on-applet key generation; signed attestation. |
| Resident credentials | Up to 12 discoverable credentials per applet (chip-variant dependent). |
| Operating system | JavaCard 3.x on a Common Criteria EAL5+ secure element from a partner vendor. |
| Personalisation | Loaded via GlobalPlatform SCP03. AAGUID injected at personalisation. Compatible with our Multi-Card Applet Loading Tool. |
| Attestation | Per-batch attestation certificate chain signed by an AmbiSecure issuance CA; ready for the FIDO Metadata Service entry. |
| Volumes | Engineering samples on request. Production volumes by the reel for telecom/OEM. |
From silicon to credential.
An embedded secure-element FIDO2 authenticator is only as trustworthy as the line that personalised it. Here is the canonical flow.
Chip
Common Criteria EAL5+ secure element from a partner vendor.
Applet load
FIDO2 applet loaded over GlobalPlatform SCP03 in a controlled facility.
Personalise
AAGUID injected, attestation certificate provisioned, secure-domain locked.
Provision
Telecom profile or OEM device-identity profile written alongside, sharing the same SE.
Issue
Shipped to the operator / OEM line as a finished SIM.
Where this fits in the bigger picture.
Technology: FIDO2
How FIDO2 / CTAP2 makes credentials origin-bound and how the nano-card authenticator plugs in.
Service: FIDO Validation Server
The relying-party side — verify embedded secure-element FIDO2 credentials in production.
Solution: Phishing-resistant authentication
Where a nano-card authenticator fits in an enterprise rollout.
Blog: embedded secure-element FIDO2
End-to-end cornerstone read — roaming vs embedded, threat model, enterprise rollout economics.
Blog: Platform vs roaming
The categorical distinction the nano-card authenticator straddles.
Solution: Workforce identity
Issuance, recovery, off-boarding on secure-element credentials.
Pilot an embedded secure-element FIDO2 authenticator.
Tell us your target form factor (removable nano SIM, soldered eUICC), expected volume, and target host platforms. We can ship engineering samples in 6–8 weeks.