Cryptnox FIDO2 White PVC — Customizable Hardware Security Key for 2FA, MFA & Passwordless

Frequently Asked Questions

Who is the FIDO2 White PVC security key designed for?

This is a blank-surface version of our FIDO2 smart card, intended for organizations that want to customize or brand their hardware:

• Corporate IT rolling out 2FA company-wide — print each employee’s photo and name before handing the card over
• Resellers and MSPs — apply your own branding on a FIDO Certified FIDO2 key for white-label deployment
• Industry events — produce conference-branded FIDO2 keys as functional giveaways
• Compliance-driven projects — tie a visible card identifier to a documented FIDO2 hardware inventory for audit

The white face is PVC, compatible with standard ID card printers that handle dye-sublimation or thermal transfer printing. The FIDO2 chip and antenna sit inside fixed zones, so printing in the designated card face area doesn’t affect electrical performance.

How do I customize or print the white PVC face?

The card is standard CR80 credit-card dimensions and works with any PVC ID card printer supporting dye-sublimation or direct-to-card thermal transfer. You can design in any card-printing software (CardFive, CardExchange, Badge Designer, or your printer’s native tool), then print text, logo, or employee photo on the printable area — keep clear of the chip module zone. A thin laminate overlay is optional but extends card life.

For small volumes, a single-card-input desktop ID printer is sufficient. For larger batches, dual-side auto-feed printers save time. If your organization doesn’t own card-printing equipment, most local ID badge services or promotional-merchandise vendors can run a batch for a per-unit fee.

Can I pre-enroll these FIDO2 cards for employees before distribution?

Yes — IT can register each card to the target user’s accounts before handing it over. Typical onboarding-at-scale workflow:

1. Admin opens the target identity provider (Google Workspace, Microsoft Entra ID, Okta, Duo, etc.) in delegated-admin mode
2. Sets a temporary PIN on the card and registers it to the user’s account by tapping it on an NFC reader
3. Labels the card with the user’s name on the printable white face or a removable sleeve
4. Hands the card to the employee along with the temporary PIN

The employee changes the PIN to their own on first use — either from Windows (Settings → Accounts → Sign-in options → Security Key → Manage) or via the Cryptnox FIDO2 app on a mobile device. The Cryptnox FIDO2 app is for advanced management only (PIN changes, factory reset, resident-key credentials) and is not required for day-to-day sign-in. After PIN setup, only the employee can use the card. Each card stores its FIDO2 keys on-chip, so enrollment is a one-time cryptographic binding and the employee doesn’t need to be present during the initial registration step. For enterprise-scale rollouts, some IdPs (Entra ID, Okta) support bulk passkey registration via API — useful for hundreds or thousands of cards.

OS and browser compatibility: iOS supports FIDO2 over NFC natively (any iPhone 7+). Android currently supports only CTAP1 / U2F (FIDO1) for external NFC keys — not FIDO2 / CTAP2. Most major services maintain CTAP1 backward compatibility, so the card works as a U2F second-factor authenticator on Android, but the feature set is reduced and CTAP1 implementations vary. macOS FIDO2-over-NFC support varies by version and browser. Linux browsers expect FIDO2 authenticators on a HID interface — use the Cryptnox FIDO2 HID bridge to present the card to the browser as an HID-FIDO device. Windows 10/11 has full FIDO2 support across all major browsers. Always test with your specific OS + browser + service before rolling out to employees.

FIDO2 hardware security key vs passkey — which do we actually need?

Passkeys and FIDO2 hardware security keys use the same underlying cryptographic protocol (WebAuthn), but they differ in where the private key lives:

• Passkeys (software) sync through a cloud account — Apple iCloud Keychain, Google Password Manager, Microsoft account. Convenient, but if that cloud account is compromised, every passkey it holds is exposed.
• FIDO2 hardware security key (this card) stores the private key inside a tamper-resistant secure-element chip that never touches any cloud. A phished attacker cannot clone it remotely — they’d need physical possession of the card and your PIN.

For consumer use (shopping, social media), passkeys are fine. For accounts that absolutely cannot be compromised — admin accounts, crypto exchanges, banking, government portals (login.gov, AGOV, SwissID), NIS2- and DORA-regulated logins — a hardware key is the industry-recommended approach. Many organizations deploy both: passkeys for low-risk logins, this FIDO2 card for privileged accounts.

Does this work for Windows Hello for Business workforce deployments?

Yes — the card is supported by Windows Hello for Business as a passwordless FIDO2 security key since Windows 10 version 1903 (fully in Windows 11), via Microsoft Entra ID (formerly Azure AD).

Standard enterprise deployment:

1. IT enables the FIDO2 security key policy in Entra ID (Admin center → Protection → Authentication methods → FIDO2 security key)
2. Optionally allow-lists the card’s AAGUID, or permits all FIDO2 keys
3. Employees register the card via the Microsoft My Account portal, or IT pre-enrolls on their behalf
4. At the Windows login screen, employees pick “Sign-in options → Security Key” and tap the card on an NFC reader (or place it on a contactless reader)

This delivers passwordless sign-in for Windows desktops, Microsoft 365, and every Entra ID-federated application. For shift-based and shared-workstation environments (call centers, healthcare, retail), passwordless FIDO2 cuts sign-in to a few seconds per shift change.