Ambimat Group · Ahmedabad · India · Est. 1981

AmbiSecure PIV USB Key.

PIV-compatible JavaCard applet in a USB-A or USB-C keychain form factor. Dual-interface device: CCID-class smart-card reader for PKI workflows plus WebAuthn / FIDO2 for browser authentication. Drop-in for SSH agent forwarding, certificate-based VPN, S/MIME signing, and Windows / macOS smart-card login — without a separate card reader.

PIV (FIPS 201 functional) · USB-A or USB-C · CCID + WebAuthn dual interface · SSH / OpenSC compatible · RSA 2048 / 3072 / ECC P-256 · CC EAL5+ silicon

What it does

PKI token + FIDO2 key, one device.

Smart-card workflows without a reader

The device enumerates as a CCID smart-card reader at the OS level. Windows / macOS smart-card login, PKCS#11, BaseCSP minidriver, OpenSC, PuTTY-CAC, and certificate-based VPN flows all see it as a PIV card — without a separate reader on the desk.

FIDO2 / WebAuthn dual interface

The same device also exposes a FIDO2 / WebAuthn interface for browser-based authentication. Use it as a passkey on Google, Microsoft, GitHub, AWS, or use the PIV side for PKI logins. Two trust models, one keychain.

SSH agent forwarding

Compatible with OpenSC / PIVKEY workflows for SSH agent forwarding. The private key lives in the CC EAL5+ secure element; SSH operations use the key without it ever being exposed to the host process.

Optional PIN gate

Configurable PIN policy per issuer — always require PIN, require on first use per session, or session-bound. Lockout after a small number of failed attempts is enforced inside the applet.

Specifications

Where the PIV USB key fits.

Form factor

USB-A or USB-C variants, both with a metal-shell keychain body. No battery, no firmware to die, no driver to install on Windows 10/11, macOS 12+, or modern Linux (CCID is in-kernel).

Audience

Developers and SRE teams using SSH + certificate auth, government and contractor users needing PIV-compatible workforce keys, regulated industries needing a PKI token without a desk reader, and dual-role users wanting both FIDO2 and PIV on one device.

Personalisation

Same SCP03 + HSM personalisation pipeline as the smart-card variants. Issue under your AID, your branding, your post-issuance update policy.

Durability

Metal shell, IP54 splash resistance. No battery means no end-of-life clock. Plug-in operation across the device lifetime.

SSH + smart-card login on one keychain?

The engineers who load the applet are the same people who help with the rollout.
