Ambimat Group · Ahmedabad · India · Est. 1981
Solution

Passwordless — for the enterprise that means it.

Most "passwordless" deployments still have a password sitting in the recovery flow. Real passwordless is when the password is not just hidden — it doesn't exist on the user's account. Hard to reach, but reachable. This is the deployment guide.

What you actually need

An end-to-end enterprise passwordless deployment has six load-bearing pieces:

  1. Hardware authenticators — certified, attestation-anchored. OnePass Card (turnstile + desktop), OnePass USB Key (laptops), platform passkeys (mobile fallback only).
  2. Provisioning pipeline — first-day enrolment without a password as a fallback.
  3. Recovery flow — what happens when an employee loses their key. Hint: not "answer security questions" or "wait for an email link".
  4. Federation — passkeys at the IdP (Okta / Entra ID / Ping) so every downstream app benefits without per-app integration.
  5. Attestation policy — AAGUID allow-list derived from the FIDO Metadata Service (MDS) BLOB and confirmed through the attestation certificate chain (the AAGUID in authenticator data is self-reported, so the chain is what anchors it), with the backup-eligible (BE) flag required to be 0 for high-assurance sessions so that only device-bound, non-synced credentials qualify.
  6. Lifecycle automation — revoke at offboarding, rotate at policy boundary, audit everywhere.
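The registration-time check behind item 5, written here as an added example rather than Ambimat's or the IdP's own code. It parses WebAuthn authenticator data, enforces the AAGUID allow-list and BE=0, reports every failing rule, and adds the assertion-time sign-counter check that catches a cloned hardware key. It assumes a WebAuthn library has already verified the attestation statement's signature and certificate chain against the MDS roots; the RP ID, the AAGUIDs, and the `build_auth_data` helper are constructed placeholders, not real OnePass identifiers.

```python
# Added example: registration-time attestation policy for a FIDO2/WebAuthn
# relying party. Not Ambimat's code. Assumes the attestation statement has
# already been chain-verified against FIDO MDS roots by a WebAuthn library.
import hashlib
import struct
import uuid

# Authenticator data flag bits (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric on the authenticator)
FLAG_BE = 0x08  # backup eligible: credential may be synced off the device
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included

RP_ID = "login.example.com"  # constructed RP ID, not a real deployment

# Constructed placeholder AAGUIDs. In production build the allow-list from the
# MDS BLOB, keeping only entries whose statusReports show a certified,
# non-revoked status.
CARD_AAGUID = uuid.UUID("11111111-1111-4111-8111-111111111111")    # hypothetical OnePass Card
USB_AAGUID = uuid.UUID("22222222-2222-4222-8222-222222222222")     # hypothetical OnePass USB Key
SYNCED_AAGUID = uuid.UUID("33333333-3333-4333-8333-333333333333")  # hypothetical platform passkey
HARDWARE_AAGUIDS = {CARD_AAGUID, USB_AAGUID}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed authData header and, if present, attestedCredentialData."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than rpIdHash+flags+signCount")
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if parsed["flags"] & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attestedCredentialData truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        parsed["credential_id"] = auth_data[55:55 + cred_len]
        # The COSE public key follows the credential ID; a real RP CBOR-decodes it.
    return parsed


def evaluate_registration(auth_data: bytes, high_assurance: bool = True,
                          allowlist=HARDWARE_AAGUIDS):
    """Return (accepted, reasons). Every failing rule is reported, not just the first."""
    d = parse_authenticator_data(auth_data)
    reasons = []
    if d["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        reasons.append("rpIdHash does not match our RP ID")
    if not d["flags"] & FLAG_UP:
        reasons.append("UP=0: no user presence test")
    if not d["flags"] & FLAG_UV:
        reasons.append("UV=0: authenticator did not verify the user")
    if d["aaguid"] is None:
        reasons.append("no attested credential data in registration")
    elif d["aaguid"] not in allowlist:
        reasons.append(f"AAGUID {d['aaguid']} not on the hardware allow-list")
    if high_assurance and d["flags"] & FLAG_BE:
        reasons.append("BE=1: backup-eligible (synced) credential rejected for high assurance")
    return (not reasons, reasons)


def check_sign_count(stored: int, presented: int) -> bool:
    """Assertion-time clone check: once a hardware key has reported a non-zero
    counter it must strictly increase; authenticators that never count report 0."""
    if stored == 0 and presented == 0:
        return True
    return presented > stored


def build_auth_data(aaguid: uuid.UUID, flags: int, sign_count: int = 0,
                    cred_id: bytes = b"\x42" * 16) -> bytes:
    """Constructed authData for offline testing, standing in for a real ceremony."""
    return (hashlib.sha256(RP_ID.encode()).digest()
            + bytes([flags | FLAG_AT])
            + struct.pack(">I", sign_count)
            + aaguid.bytes
            + struct.pack(">H", len(cred_id))
            + cred_id
            + b"\xa0")  # empty CBOR map standing in for the COSE public key


if __name__ == "__main__":
    card = build_auth_data(CARD_AAGUID, FLAG_UP | FLAG_UV)
    synced = build_auth_data(SYNCED_AAGUID, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print(evaluate_registration(card))    # accepted
    print(evaluate_registration(synced))  # rejected: off-list AAGUID and BE=1
```

Setting `high_assurance=False` and widening the allow-list is how the "platform passkeys, mobile fallback only" tier from item 1 would be admitted, while the same credential stays rejected for privileged-access sessions.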

The recovery problem — honestly

Recovery is where most passwordless rollouts collapse. The user lost their key. What now? If the answer is "reset password to a temp value and email it" you have not removed passwords; you have hidden them.

The right answers, in priority order:

  1. Two enrolled authenticators per user. Card + USB key. Lose one, the other stands in. Re-issue the lost one through the normal pipeline.
  2. Just-in-time IT-mediated re-issuance. Short-lived TOTP codes printed at the IT desk after in-person identity verification. Time-boxed; one-shot. The code authorises a single enrolment ceremony for the replacement authenticator; it never becomes a login credential or a session of its own.
  3. Last-resort: identity-vouching with an enrolled colleague. Two co-workers approve, IT issues. Audit trail.

What the answer should never be: a recoverable password sitting on a recovery email.

Architecture diagram

EMPLOYEE                 CORPORATE PERIMETER                        DOWNSTREAM APPS
OnePass card / USB  -->  IdP (Okta / Entra ID / Ping)         -->  Email · CRM · ticketing
Browser / device         + FIDO Validation Server                  VPN · privileged access
                         SSO                                       Build / cloud / Git / kube
                         Lifecycle / Audit (enrol · revoke · attest)

One IdP holds the federation; one validation server enforces attestation policy; downstream apps consume SSO. The hardware authenticator never leaves the employee's person, and the credential's private key never leaves the authenticator.

Operating model

Day 0: Issue and enrol

HR onboarding kicks off issuance. New hire receives card + key on day 1, enrols both at the IT desk in person.

Day-to-day: Tap to sign on

Tap card on reader / insert USB key. Browser passes signed assertion to IdP. SSO mints session for downstream apps.

Lost key: Re-issue from spare

Use the still-enrolled second authenticator to sign in; IT issues a replacement; the lost authenticator's credential ID (and its serial, where inventory tracks it) is revoked in the IdP. Revoke by credential, not by AAGUID: the AAGUID identifies the model, so revoking it would disable every other employee's card of the same type.

Offboarding: Revoke immediately

HR offboarding triggers revocation in IdP; sessions terminated; cards collected.