Cryptnox FIDO2 White PVC — Customizable Hardware Security Key for 2FA, MFA & Passwordless

Frequently Asked Questions

Who is the FIDO2 White PVC security key designed for?

This is a blank-surface version of our FIDO2 smart card, intended for organizations that want to customize or brand their hardware:

• Corporate IT rolling out 2FA company-wide — print each employee’s photo and name before handing the card over
• Resellers and MSPs — apply your own branding on a FIDO Certified FIDO2 key for white-label deployment
• Industry events — produce conference-branded FIDO2 keys as functional giveaways
• Compliance-driven projects — tie a visible card identifier to a documented FIDO2 hardware inventory for audit

The white face is PVC, compatible with standard ID card printers that handle dye-sublimation or thermal transfer printing. The FIDO2 chip and antenna sit inside fixed zones, so printing in the designated card face area doesn’t affect electrical performance.

How do I customize or print the white PVC face?

The card is standard CR80 credit-card dimensions and works with any PVC ID card printer supporting dye-sublimation or direct-to-card thermal transfer. You can design in any card-printing software (CardFive, CardExchange, Badge Designer, or your printer’s native tool), then print text, logo, or employee photo on the printable area — keep clear of the chip module and antenna zones (visible as a raised square near one corner of the card). A thin laminate overlay is optional but extends card life. Before bulk production, run a test card through your printer pipeline and avoid embossing, hole-punching, aggressive heat lamination, or any printing process not approved for ISO 7816 contact smart cards.

For small volumes, a single-card-input desktop ID printer is sufficient. For larger batches, dual-side auto-feed printers save time. If your organization doesn’t own card-printing equipment, most local ID badge services or promotional-merchandise vendors can run a batch for a per-unit fee.

Can I pre-enroll these FIDO2 cards for employees before distribution?

Yes — IT can register each card to the target user’s accounts before handing it over. Typical onboarding-at-scale workflow:

1. Admin opens the target identity provider (Google Workspace, Microsoft Entra ID, Okta, Duo, etc.) in delegated-admin mode
2. Sets a temporary PIN on the card and registers it to the user’s account by tapping it on an NFC reader
3. Labels the card with the user’s name on the printable white face or a removable sleeve
4. Hands the card to the employee along with the temporary PIN

The employee changes the PIN to their own on first use — either from Windows (Settings → Accounts → Sign-in options → Security Key → Manage) or via the Cryptnox FIDO2 app on a mobile device. The Cryptnox FIDO2 app is for advanced management only (PIN changes, factory reset, resident-key credentials) and is not required for day-to-day sign-in. After PIN setup, only the employee can use the card. Each card stores its FIDO2 keys on-chip, so enrollment is a one-time cryptographic binding and the employee doesn’t need to be present during the initial registration step. Depending on the identity provider, IT may be able to use delegated admin workflows, Temporary Access Pass, or supervised onboarding to assist with registration. Requirements vary by service, and many deployments still require user presence or a user-authenticated session — test the exact IdP workflow before bulk rollout.

OS and browser compatibility: iOS supports FIDO2 over NFC on iPhone 7 and later running iOS 13.3 or newer. Android currently supports only CTAP1 / U2F (FIDO1) for external NFC keys — not FIDO2 / CTAP2. Most major services maintain CTAP1 backward compatibility, so the card works as a U2F second-factor authenticator on Android, but the feature set is reduced and CTAP1 implementations vary. macOS FIDO2-over-NFC support varies by version and browser. Linux browsers expect FIDO2 authenticators on a HID interface — use the Cryptnox FIDO2 HID bridge to present the card to the browser as an HID-FIDO device. Windows 10/11 has full FIDO2 support across all major browsers. Always test with your specific OS + browser + service before rolling out to employees.

FIDO2 hardware security key vs passkey — which do we actually need?

Passkeys and FIDO2 hardware security keys use the same underlying cryptographic protocol (WebAuthn), but they differ in where the private key lives:

• Passkeys (software) sync through a cloud account — Apple iCloud Keychain, Google Password Manager, Microsoft account. Convenient, but if that cloud account is compromised, every passkey it holds is exposed.
• FIDO2 hardware security key (this card) stores the private key inside a tamper-resistant secure-element chip that never touches any cloud. A phished attacker cannot clone it remotely — they’d need physical possession of the card and your PIN.

For consumer use (shopping, social media), passkeys are fine. For accounts that absolutely cannot be compromised — admin accounts, crypto exchanges, banking, government portals (login.gov, AGOV, SwissID), NIS2- and DORA-regulated logins — a hardware key is the industry-recommended approach. Many organizations deploy both: passkeys for low-risk logins, this FIDO2 card for privileged accounts.

Does this work for Windows Hello for Business workforce deployments?

Yes — the card is supported by Windows Hello for Business as a passwordless FIDO2 security key since Windows 10 version 1903 (fully in Windows 11), via Microsoft Entra ID (formerly Azure AD).

Standard enterprise deployment:

1. IT enables the FIDO2 security key policy in Entra ID (Admin center → Protection → Authentication methods → FIDO2 security key)
2. Optionally allow-lists the card’s AAGUID, or permits all FIDO2 keys
3. Employees register the card via the Microsoft My Account portal, or IT pre-enrolls on their behalf
4. At the Windows login screen, employees pick “Sign-in options → Security Key” and tap the card on an NFC reader (or place it on a contactless reader)

This delivers passwordless sign-in for Windows desktops, Microsoft 365, and every Entra ID-federated application. For shift-based and shared-workstation environments (call centers, healthcare, retail), passwordless FIDO2 cuts sign-in to a few seconds per shift change.

Is the Cryptnox FIDO2 card FIPS 140-3 certified?

The Cryptnox FIDO2 applet itself is FIDO Alliance Certified (FIDO2 v2.1 + CTAP Level 1). The underlying secure-element platform on this single-application FIDO2 product (NXP JCOP 4.5 on P71D600) is FIPS 140-3 Overall Level 3 validated with Physical Security at Level 4 — NIST CMVP certificate #4679, validated in 2025. FIPS 140-3 is the latest NIST cryptographic-module standard (it superseded FIPS 140-2 in 2026). The FIDO2 applet does not carry a separate FIPS certification.

What Common Criteria certification does this card carry?

The underlying NXP secure-element platform (JCOP 4.5 on P71D600) is Common Criteria EAL 5+ augmented certified, with AVA_VAN.5 (the highest vulnerability-analysis tier in CC) — Netherlands scheme NSCIB-CC-0313985. AVA_VAN.5 is the same vulnerability-analysis level required for EAL 6+ certifications. The Cryptnox FIDO2 applet runs on top of this certified platform.

Which elliptic curve does the Cryptnox FIDO2 applet use?

The Cryptnox FIDO2 applet performs all cryptographic signing on NIST P-256 (P-256 r1), the curve mandated by the FIDO2 / WebAuthn specification. The underlying chip platform supports additional curves (Brainpool 224/256/320/384/512, NIST P-224 / P-384 / P-521, and Secp256k1) on its ECC coprocessor, but the FIDO2 applet exposes only NIST P-256 to remain spec-compliant.