Workforce identity — from day-one to off-boarding.
A workforce identity programme is not "we deployed a security key". It is the operational chain from HR onboarding through credential issuance, daily authentication, recovery, role transitions, and clean off-boarding. AmbiSecure ships the platform that makes every link of that chain work.
The buyer's problem
Workforce identity teams in 2026 typically inherit a layered, brittle stack: passwords for some systems, TOTP for others, push for SaaS, badges for the building, smart cards for legacy on-prem, hardware tokens for engineers and execs, recovery mailboxes that no one tested. Audit costs scale; help-desk costs scale faster; the security posture is a patchwork.
The strategic objective is consolidation: one credential family that covers logical access (laptops, SSO, VPN, prod consoles) and physical access (turnstiles, doors), with a single issuance pipeline, an auditable lifecycle, and recovery flows that don't collapse back to a password.
Architecture overview
Issuance
HR onboarding triggers IT desk visit. New hire identity-verified in-person. Both authenticators (card + USB) registered against the IdP.
Authentication
Tap card or insert USB. Browser passes WebAuthn assertion to IdP. SSO mints session for downstream apps.
Lost-key flow
Sign in with the second authenticator; IT issues a replacement; the lost authenticator's credential (its recorded AAGUID + serial) is revoked across the IdP.
Revocation
HR off-boarding triggers credential revocation in the IdP, sessions terminated within minutes, hardware collected.
Security model
Origin-bound credentials
WebAuthn binds every credential to the registered origin, so an assertion produced on a look-alike domain fails verification at the RP. Phishing attacks against workforce identity become structurally impossible.
Device-bound by construction
OnePass authenticators ship with BE=0 (the WebAuthn backup-eligible flag is clear, so the private key can never be synced to another device or a cloud account). Compromise requires physical possession of the hardware.
AAGUID allow-listing
RP enforces an explicit allow-list of certified AAGUIDs, sourced from the FIDO MDS BLOB.
Per-ceremony logging
AAGUID + serial + signCount logged on every registration / assertion. Anomalies feed SOC.
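The three RP-side checks above (AAGUID allow-list, BE=0 enforcement, signCount monotonicity with per-ceremony log records) as an added example; this is not AmbiSecure's code, and the allow-listed AAGUID, serial numbers and flag values are constructed placeholders.

```python
# Added example, not AmbiSecure code: RP-side policy checks for a workforce
# WebAuthn deployment. The AAGUID below is a constructed placeholder standing
# in for entries an organisation would derive from the FIDO MDS BLOB.
from dataclasses import dataclass

ALLOWED_AAGUIDS = {"11111111-2222-3333-4444-555555555555"}  # constructed

# Bit positions of the WebAuthn authenticator-data flags byte.
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10

@dataclass
class Credential:
    aaguid: str
    serial: str          # operational identifier used for revocation
    sign_count: int = 0  # last signCount accepted for this credential
    revoked: bool = False

def ceremony_log(event: str, aaguid: str, serial: str, sign_count: int, result: str) -> dict:
    """Per-ceremony record (AAGUID + serial + signCount) for the SOC feed."""
    return {"event": event, "aaguid": aaguid, "serial": serial,
            "signCount": sign_count, "result": result}

def check_registration(aaguid: str, flags: int) -> tuple[bool, str]:
    """Accept a new credential only if the model is allow-listed and device-bound."""
    if aaguid not in ALLOWED_AAGUIDS:
        return False, "aaguid-not-allowed"
    if flags & FLAG_BE:               # BE=1: credential may be synced elsewhere
        return False, "credential-backup-eligible"
    if not flags & FLAG_UV:
        return False, "user-verification-missing"
    return True, "ok"

def check_assertion(cred: Credential, flags: int, sign_count: int) -> tuple[bool, str]:
    """Verify a login ceremony against the stored record; returns (ok, log_tag)."""
    if cred.revoked:
        return False, "credential-revoked"
    if not flags & FLAG_UV:
        return False, "user-verification-missing"
    # WebAuthn rule: if either counter is non-zero the new value must be strictly
    # greater. A counter that stalls or goes backwards can indicate a cloned key.
    if (sign_count or cred.sign_count) and sign_count <= cred.sign_count:
        return False, "signcount-anomaly"
    cred.sign_count = sign_count
    return True, "ok"
```

A rejected `signcount-anomaly` or `credential-backup-eligible` result should be logged via `ceremony_log` and routed to the SOC rather than silently retried.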
Integration points
| Surface | Integration |
|---|---|
| Identity Provider | WebAuthn at the IdP layer (Okta, Entra ID, Ping, Auth0, ForgeRock). Downstream apps inherit via SAML / OIDC. |
| VPN | OIDC client federated to IdP; FIDO assertion satisfies AAL3. |
| Privileged Access (PAM) | Session approval gated by fresh WebAuthn assertion via the IdP. |
| SSH | FIDO2 SSH (ssh-keygen -t ed25519-sk) directly with the OnePass authenticator. |
| Code-signing / artefact attestation | Sigstore / GitHub artifact attestation backed by the same authenticator. |
| Physical access | Smart card body doubles as the badge; NFC + USB-C for desk and door readers alike. |
| HRIS | Event-driven: HR onboarding/offboarding fires events that drive credential lifecycle in the IdP. |
Ready to scope a workforce identity rollout?
Talk to engineers, not BDRs. We will tell you what is realistic for your headcount, your compliance posture, and your existing IdP.