Ambimat Group · Ahmedabad · India · Est. 1981
OnePass platform

OnePass — one identity, every form factor.

A unified hardware-backed identity platform. Smart card for desk and turnstile. USB key for laptops. NFC for everything else. One issuance pipeline, one validation server, one lifecycle. Built for organisations that need device-bound identity rather than syncable convenience.

The platform, end-to-end

HARDWARE

Authenticators

OnePass Card (smart card, FIDO2 + NFC + USB), OnePass USB Key, OnePass Bio Card. Secure-element rooted; AAGUID-anchored per certification.

PROVISIONING

Issuance line

Per-card key diversification, attestation roots installed at the personalisation line. Auditable issuance with HSM-backed key custody.

RP BACKEND

FIDO Validation Server

WebAuthn / CTAP2 RP, AAGUID allow-listing, MDS verification, attestation-policy enforcement.

LIFECYCLE

Device management

Enrolment, recovery, revocation, attestation-pinning policy. Integrates with workforce IdP (Okta, Entra ID, Ping).

Why a platform, not just a key

Most authenticator vendors ship a key and stop there. We ship the issuance pipeline, the validation server, and the lifecycle. That is the difference between "we bought security keys" and "we deployed phishing-resistant authentication across 12,000 employees".

The hard parts are not the keys. The hard parts are:

  • Provisioning a new credential when an employee starts — without sending them a PDF and hoping.
  • Recovering an employee who lost their key — without falling back to a password.
  • Revoking a key when an employee leaves — in real time, across every relying party.
  • Verifying that the key in your hand is the certified hardware your security policy says it is.

OnePass does all four out of the box.

Posture — what makes OnePass different

BE = 0

Device-bound by construction

OnePass authenticators ship with BE=0: the WebAuthn backup-eligibility flag is clear, so credentials cannot be synced off the device. Compromise requires physical possession of the hardware.

L2+

Certified secure element

Authenticators built on certified secure elements (CC EAL5+). Side-channel and fault-injection considered, not just functional correctness.

Attestation-anchored

AAGUID-pinned

Each shipment has a signed manifest of AAGUIDs and serial numbers. Customer's RP only accepts devices in their manifest.

No vendor lock-in

Standards-only RPs

WebAuthn level 2. Works with any WebAuthn-compliant RP — ours, yours, or your IdP's.
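
One way a relying party could enforce the BE=0 and AAGUID-manifest policies described above at registration time. This is an added example, not Ambimat's or the OnePass validation server's code. It assumes the attestation statement and the manifest signature were already verified; the RP ID, AAGUID and `build_auth_data` fixture are constructed placeholders.

```python
import hashlib
import struct
import uuid

# WebAuthn authenticator-data flag bits
FLAG_UP, FLAG_BE, FLAG_AT = 0x01, 0x08, 0x40


def check_registration(auth_data: bytes, rp_id: str, allowed_aaguids: set) -> list:
    """Return a list of policy violations; an empty list means accept."""
    # Fixed header: rpIdHash(32) | flags(1) | signCount(4)
    if len(auth_data) < 37:
        return ["authenticator data shorter than 37-byte header"]
    rp_id_hash, flags, _count = struct.unpack(">32sBI", auth_data[:37])
    problems = []
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match this RP")
    if not flags & FLAG_UP:
        problems.append("user presence (UP) not asserted")
    if flags & FLAG_BE:
        problems.append("BE=1: credential is backup-eligible, policy requires BE=0")
    # Attested credential data: aaguid(16) | credIdLen(2) | credId | COSE key
    if not flags & FLAG_AT or len(auth_data) < 55:
        problems.append("no attested credential data, AAGUID unavailable")
        return problems
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_id_len:
        problems.append("credential ID truncated")
    if aaguid not in allowed_aaguids:
        problems.append(f"AAGUID {aaguid} is not in the shipment manifest")
    return problems


def build_auth_data(rp_id: str, flags: int, aaguid: uuid.UUID) -> bytes:
    """Construct sample authenticator data (test fixture, not real device output)."""
    cred_id = b"\x01" * 16
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", 0) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")  # stub COSE key


if __name__ == "__main__":
    # Constructed values: placeholder RP ID and AAGUID, not real OnePass identifiers.
    rp_id = "login.example.com"
    listed = uuid.UUID("11111111-2222-3333-4444-555555555555")
    for flags in (0x45, 0x4D):  # AT|UV|UP, then the same with BE set
        data = build_auth_data(rp_id, flags, listed)
        print(hex(flags), check_registration(data, rp_id, {listed}))
```
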

Procurement-friendly comparison

What OnePass Platform includes vs. buying a security key.

| Capability | Generic security key | OnePass Platform |
|---|---|---|
| FIDO2-certified hardware authenticator | YES | YES |
| Smart-card form factor (badge-compatible) | no | YES — OnePass Card |
| Biometric on-card (PIN-less UV) | rare | YES — OnePass Bio Card |
| Attestation-anchored AAGUID per shipment | vendor default | YES — signed manifest per batch |
| Issuance pipeline / personalisation line | no | YES |
| FIDO Validation Server (RP backend) | no | YES |
| FIDO MDS sync & AAGUID allow-listing | DIY | YES |
| Lifecycle automation (HR-driven) | DIY | YES |
| In-country personalisation (sovereign) | no | YES — for government |
| CC EAL5+ secure element | varies | YES |
| Multi-applet (FIDO2 + PIV) co-existence | rare | YES |
| Direct engineering support (no BDR layer) | no | YES |

Deployment scenarios

5,000 engineers

Tech company

OnePass USB-C key per engineer for laptops; OnePass Card for office turnstile + desk reader. BE=0 enforced for production access.

  • ~10,000 authenticators
  • Federation at IdP
  • 3-month rollout

50,000 clinicians

Healthcare

OnePass Bio Card per clinician (no-PIN UV at shared workstations). NFC tap-to-sign.

  • ~100,000 cards
  • UV required for prescriptions
  • 9-month rollout

100,000 employees

Government agency

PIV + FIDO2 multi-applet card per employee. USB key as secondary. Sovereign personalisation.

  • ~200,000 cards
  • FIPS 140-3 L3 secure element
  • 12–18 month rollout

100M citizens

National eID programme

Multi-applet eID card with FIDO2 added. Sovereign attestation roots. In-country personalisation line.

  • Annual issuance volumes
  • eIDAS qualified
  • Multi-year programme

FIDO + smart-card convergence

The historical split: FIDO keys for logical access, smart cards (PIV / CAC) for physical and legacy PKI. The convergence: one card, both jobs.

OnePass Card runs FIDO2 alongside PIV (or eID, or EMV) on the same secure element. The card body doubles as the badge. The same tap that opens the door signs in to the laptop. The same chip that holds the FIDO2 credential holds the PIV cert. Two budgets become one. Two procurement processes become one. Two help-desk ticket categories become one.

This convergence is the strategic value of the OnePass platform. Generic FIDO vendors do not ship the smart-card body; generic smart-card vendors do not ship the modern FIDO2 applet. We do both.

Pricing a OnePass rollout?

Tell us your headcount, your IdP, your compliance posture, and your timeline. We will price the hardware, the personalisation, and the validation server.
