Ambimat GroupAmbimatAmbiSecureeSIM InitiativeEngineering BlogAhmedabad · India · Est. 1981
ASAmbiSecureHardware-rooted security
Contact
FIDO2 Hardware Security Key

AmbiSecure OnePass USB Key

A FIDO-certified hardware security key in USB-A or USB-C form factor. No battery. No app. No firmware update over the network. Tap and you are authenticated.

FIDO2U2FUSB-A / USB-CPIV (optional)
Request datasheet Download brochure
AmbiSecure OnePass USB Key — hardware FIDO2 security key
Why a key

When the form factor needs to be a key, not a card.

Distributed workforces

Remote employees, contractors, BYOD-policy environments. A key on a lanyard is the simplest issuance path.

No card readers

Plug straight into the laptop. No NFC reader required, no contactless infrastructure.

Battery-free

USB-powered. No service interruptions, no end-of-life from a dead cell.

Phishing-resistant

FIDO2 binds the credential to the relying party origin. Phishing pages cannot use a harvested credential.

Resident credentials

Discoverable credentials for username-less, passwordless flows.

Optional PIV

Government / enterprise PIV applet available alongside FIDO — one device, two protocols.

Specifications

What is in the key.

Form factorUSB-A or USB-C; ~38 × 14 × 4 mm; aluminium body
InterfacesUSB 2.0 HID
ProtocolsFIDO2 (CTAP2.1); FIDO U2F (CTAP1); PIV-compatible applet (optional SKU)
CryptographyECC P-256 (FIDO2); ECC P-384 (optional); RSA 2048 / 3072 (PIV); SHA-256 / SHA-384
Resident credentialsUp to 25 discoverable credentials (depending on chip variant)
OS supportWindows, macOS, Linux, ChromeOS; iOS / Android via WebAuthn over USB-C
Operating systemJavaCard 3.x with GlobalPlatform 2.3.1
CertificationFIDO Certified L1 (target); Common Criteria EAL5+ chip
PersonalisationCompatible with our Multi-Card Applet Loading Tool, Security Key Manager, NDEF Personalisation Tool
MOQPilot batches from 100 units; production from 1,000 units

How customers deploy it

01

Issue

Hand a key to each user. Lanyard, label, or just a sticker.

02

Enroll

User registers via WebAuthn against the relying party (Azure AD / Okta / Google / Bitwarden).

03

Auth

Plug-tap to authenticate to apps that require MFA.

04

Recover

Lost key? Issue a backup; revoke the lost AAGUID at the IdP.

Connected reading

Solution: Passwordless & MFA

The full reference architecture and migration path.

View solution →

Technology: FIDO

How FIDO2 is built — CTAP2, WebAuthn, attestation.

View technology →

Blog: Implementing FIDO2

Complete developer walkthrough with code that compiles.

Read article →

Pilot a hundred USB keys.

Tell us USB-A or USB-C, target deployment, certification target. We can usually ship a pilot batch within 6–8 weeks.

Request a pilot