Cryptnox SA

Cryptnox FIDO2 + PIV + MIFARE White PVC — Converged Security Key for 2FA, Smart-Card Logon & Building Access

EAN: 7649992538271

The Cryptnox FIDO2 + PIV + MIFARE White PVC card converges three credentials onto one printable Swiss-engineered NFC smart card: FIDO2 passwordless / 2FA web authentication, a PIV PKI applet with RSA-4096 for smart-card logon and document signing, and MIFARE DESFire EV2 for physical building access. FIDO Alliance Certified (FIDO2 v2.1 + CTAP Level 1), EAL6+ secure element, blank white PVC face ready for in-house ID printing.

CHF 42.02

Description

The Cryptnox FIDO2 + PIV + MIFARE White PVC card converges three independent credentials onto one printable, employee-personalizable card — a Swiss-engineered NFC smart card built on a single EAL6+ secure element (NXP JCOP 4 on P71D321). It combines FIDO2 web authentication, a PIV PKI applet with on-card RSA-4096, and MIFARE DESFire EV2 physical access control. One badge replaces a separate FIDO2 authenticator, a PIV smart card, and an RFID office badge.

Three converged credentials on one chip

  • FIDO2 / WebAuthn — phishing-resistant 2FA / MFA and, where the service supports it, passwordless sign-in, with 36 on-card resident-credential slots (discoverable passkeys) and ES256 / NIST P-256 attestation
  • PIV — a NIST SP 800-73-4 PKI applet with RSA-4096 (plus RSA-2048 and ECC P-256 / P-384) across the four PIV key slots, for Windows / Active Directory smart-card logon, S/MIME, document and code signing, and certificate-based VPN (EAP-TLS)
  • MIFARE DESFire EV2 — physical building access with open AES key programmability

The three applets are logically firewalled inside the secure element — each uses its own keys and memory space, so a compromise of one cannot reach the others.

Built for branded enterprise rollouts

The face of this card ships blank — ready for any standard PVC ID card printer (Zebra, Evolis, Fargo, Magicard, Matica). Print your company logo, employee photo, name, department, or QR code on each card, then issue one credential that covers web sign-in, PKI identity, and door access. Typical buyers are corporate IT and PKI teams converging logical and physical identity onto a single printable badge.

Tap or insert — on phone or computer

The card supports both NFC and contact (ISO 7816) interfaces. For FIDO2, tap on supported phones (iPhone 7+ on iOS 13.3+ supports FIDO2 over NFC; Android external NFC keys are mainly CTAP1 / U2F second-factor, not full FIDO2). PIV smart-card logon and signing use the contact interface through a standard USB CCID reader. For Windows desktop users, the Cryptnox dual-slot Smartcard Reader adds a dedicated “tap” button that electronically simulates card extraction and reinsertion (Windows only) — see our click-to-tap tutorial.

How this card differs from the rest of our lineup

  • This card (FIDO2 + PIV + MIFARE): adds a PIV PKI applet with RSA-4096 on top of FIDO2 and MIFARE — for smart-card logon and document signing.
  • FIDO2 + MIFARE White PVC: same FIDO2 + MIFARE functions without the PIV applet — a lower-cost option if you don’t need PKI.
  • FIDO2-only White PVC: printable FIDO2 card with no MIFARE and no PIV.

Features

Customize the card face for branded employee badges

The blank White PVC surface is dimensioned to standard CR80 ID card printer specs. You can:

  • Print employee photo, name and department on each card via dye-sublimation or thermal transfer
  • Add company logo and color branding
  • Add QR codes, visible serial numbers or asset tags — avoid additional NFC stickers or metallic overlays that could interfere with NFC performance
  • Apply an optional laminate overlay for added durability

PIV / PKI use cases

  • Windows Active Directory smart-card logon (Kerberos PKINIT)
  • S/MIME email signing and encryption; document, PDF and code signing
  • Certificate-based VPN and Wi-Fi (EAP-TLS)
  • Enterprise PIV-I (interoperable) and derived-credential deployments
  • High-assurance signatures using RSA-4096 keys generated on-card — private keys never leave the secure element

The PIV applet ships blank for customer personalization, with a decoupled PIV admin key so integrators can load keys, certificates and PINs without the issuer’s card-management key.

Compatible services (FIDO2 side)

  • Personal accounts: Google, Microsoft, Apple ID, Facebook, X, Dropbox, Bitwarden, 1Password
  • Developer & cloud: GitHub, GitLab, AWS, Cloudflare, Vercel, Fastly
  • Enterprise SSO: Okta, Auth0, Microsoft Entra ID, Google Workspace, Duo, Ping Identity
  • Government identity: login.gov (US), AGOV (Switzerland), SwissID
  • Compliance support: can support phishing-resistant MFA programs aligned with OMB M-22-09, NIST SP 800-63B, PCI DSS v4, NIS2 and DORA. Final compliance depends on how the organization configures enrollment, recovery, policy enforcement, logging and access governance.

PIV standards & middleware

The PIV applet conforms to NIST FIPS 201-3 and SP 800-73-4, and works with the Windows native smart-card mini-driver (Base CSP), PKCS#11 middleware and OpenSC; it is suitable for PIV-I (interoperable) credentialing.

MIFARE DESFire EV2 — building access

The MIFARE side is designed for standard DESFire EV2 deployments with open AES key programmability. Compatibility with proprietary access-control ecosystems is not universal — test a sample card end-to-end with your readers, access-control software and key diversification before bulk rollout. Some proprietary systems only accept cards with vendor-specific overlays.

Easy to use, easy to deploy

  • Tap to authenticate on any NFC-capable phone (iOS for full FIDO2; Android for CTAP1 / U2F second-factor)
  • Contact mode for desktop: insert into any USB CCID-class smart card reader; for Windows, the Cryptnox dual-slot Smartcard Reader tap button streamlines FIDO2 sign-in
  • Driverless reader support — a standard USB CCID reader is recognized by Windows, macOS and Linux without vendor drivers. The card itself is an NFC / contact smart card (not a USB security key). FIDO2 on Linux additionally requires the Cryptnox FIDO2 HID bridge; PIV on Linux / macOS uses OpenSC / PKCS#11
  • No charging — passive NFC, no battery
  • No app required for daily FIDO2 use

Bulk procurement

For volumes of 500+ or pre-printed batches (1,000+ cards), get in touch via our contact form.

For setup walkthroughs and service-specific tutorials, browse our FIDO2 tutorials hub.

Specifications

EAN: 7649992538271

Technical specifications

  • Form factor: ISO/IEC 7810 ID-1 (CR80, credit-card size)
  • Card face: blank White PVC, ready for ID card printers (dye-sublimation or thermal transfer)
  • Interface: NFC (ISO/IEC 14443 Type A) + contact (ISO 7816)
  • Secure element: NXP JCOP 4 (P71D321), Java Card platform, single chip, EAL6+
  • Applets: FIDO2 / CTAP2 · PIV · MIFARE DESFire EV2
  • FIDO2: FIDO Alliance Certified — FIDO2 v2.1 + CTAP Level 1; WebAuthn, CTAP2, legacy U2F; 36 resident-credential slots; ES256 / NIST P-256 attestation
  • PIV: four key slots (9A / 9C / 9D / 9E); RSA-4096, RSA-2048, ECC P-256 / P-384; on-card key generation
  • MIFARE applet: MIFARE DESFire EV2, open AES key programmability, ships with NXP factory-default keys (to be diversified by your access-control integrator)
  • Power: passive — no battery, energy harvested from the reader’s RF field
  • Operating systems: Windows 10/11 — full FIDO2 + PIV smart-card logon; iPhone 7+ / iOS 13.3+ — FIDO2 over NFC; Android — CTAP1 / U2F second-factor only (not full FIDO2); macOS — FIDO2 over NFC varies by version and browser, PIV via CryptoTokenKit / OpenSC; Linux — FIDO2 via the Cryptnox FIDO2 HID bridge, PIV via OpenSC / PKCS#11

Compliance

  • ISO/IEC 7810 (card form factor), ISO/IEC 7816 (contact interface), ISO/IEC 14443 (NFC interface)
  • NIST FIPS 201-3 (PIV); MIFARE DESFire EV2 standard
  • Supports deployments aligned with OMB M-22-09, NIST SP 800-63B, PCI DSS v4, NIS2, DORA and eIDAS

Certifications

Each part of the card is certified independently.

Chip / platform certifications (NXP JCOP 4 on P71D321, Java Card platform):

  • Common Criteria EAL 6+ augmented — NSCIB-CC-180212
  • FIPS 140-2 Overall Level 3 with Physical Security at Level 4 — NIST CMVP certificate #3746
  • AIS-31 compliant True Random Number Generator (chip-level)

Applet certifications (each certified separately):

  • FIDO2 applet: FIDO Alliance Certified — FIDO2 v2.1 + CTAP Level 1
  • MIFARE DESFire EV2 applet: Common Criteria EAL5+
  • PIV applet (OpenFIPS201 v2.0): NIST SP 800-73-4 / SP 800-78-4 conformant. The OpenFIPS201 v2.0 PIV applet carries a FIPS 140-3 validation (NIST CMVP certificate #5280), shown here for information — note that this validation was issued on the NXP P71D600 secure element, which is not the P71D321 chip used in this card, so the FIPS 140-3 certificate does not directly cover this product’s exact chip.

Cryptography: FIDO2 attestation uses NIST P-256 (secp256r1) only; the PIV applet generates RSA-4096 / RSA-2048 / ECC P-256 / P-384 keys on-card, and private keys never leave the secure element.

Frequently Asked Questions

What can the PIV applet on this card do?

The PIV applet turns the card into a government-grade PKI smart card. Built on the NIST SP 800-73-4 PIV standard, it provides the four standard PIV key slots (9A authentication, 9C digital signature, 9D key management, 9E card authentication) and supports RSA-4096 as well as RSA-2048 and ECC P-256 / P-384. Keys are generated on-card, so the private key never leaves the secure element. That lets one card handle Windows / Active Directory smart-card logon (Kerberos PKINIT), S/MIME email signing and encryption, document and code signing, and certificate-based VPN or Wi-Fi (EAP-TLS). The card ships with the PIV applet installed but blank — your team personalizes the keys, certificates and PINs.

How is this different from the Cryptnox FIDO2 + MIFARE card?

Both cards share the same FIDO2 web-authentication applet and MIFARE DESFire EV2 access-control applet on the same EAL6+ secure element. This version adds a third applet — PIV PKI with RSA-4096 — for smart-card logon, document signing and certificate-based VPN. If you only need passwordless / 2FA web sign-in plus building access, the FIDO2 + MIFARE White PVC card covers that. Choose this card when you also need a PKI identity — for example Windows domain logon or signing certificates — converged onto the same printable badge.

How does it compare to a YubiKey 5 series key?

A YubiKey 5 also combines FIDO2 and PIV, so both can do passwordless sign-in and smart-card logon. The differences are form factor and scope: the Cryptnox card is a wallet-sized ISO 7810 ID-1 card with a blank white PVC face you can print on standard ID card printers (employee photo, logo, department, QR code), whereas the YubiKey is a fixed-branding keychain fob. The Cryptnox card also carries a MIFARE DESFire EV2 applet for physical door access on the same credential, which the YubiKey does not offer. If you need a single printable badge that unifies web 2FA, PKI identity and building access, this card converges all three.

Does the card ship ready to use, or does it need provisioning?

The FIDO2 applet is personalized at the factory (attestation certificate and key, plus 36 blank resident-credential slots), so FIDO2 / passkey enrollment works out of the box. The PIV applet ships blank — no PINs or certificates until your PKI team personalizes it. To make integration easier, the PIV admin channel uses a dedicated, decoupled key (a separate GP Security Domain) rather than the issuer’s card-management key, so an integrator can load PIV keys, certificates and PINs without the master key; re-key it to a secret if you want gated PIV administration. The MIFARE applet ships with NXP factory-default AES keys to be diversified by your access-control integrator. For volume provisioning or pre-printed cards, use the Cryptnox contact form.

Which services, standards and operating systems does it support?

The FIDO2 applet works with any service supporting FIDO2, WebAuthn or legacy U2F — Google, Microsoft, Apple ID, GitHub, GitLab, AWS, Okta, Microsoft Entra ID, Google Workspace, login.gov, AGOV and SwissID, plus major banks and exchanges — as a phishing-resistant second factor, and for passwordless sign-in where the service supports it. The PIV applet conforms to NIST FIPS 201-3 / SP 800-73-4 and works with the Windows native smart-card mini-driver (Base CSP), PKCS#11 middleware and OpenSC, and is suitable for PIV-I (interoperable) credentialing.

OS and browser compatibility: Windows 10/11 has full FIDO2 / passkey support plus PIV smart-card logon via the native mini-driver. iOS supports FIDO2 over NFC natively (any iPhone 7+, iOS 13.3+). Android currently supports only CTAP1 / U2F (FIDO1) for external NFC keys — it works as a U2F second factor on most major services, but not for FIDO2 passwordless / passkey sign-in. macOS FIDO2-over-NFC support varies by version and browser; PIV is available via CryptoTokenKit or OpenSC. Linux browsers expect a HID interface — use the Cryptnox FIDO2 HID bridge for FIDO2, and OpenSC / PKCS#11 for PIV. Always test with your specific OS + browser + service before a production rollout.
