Cryptnox SA
EAN: 7649992538301
Swiss-engineered NFC smart card combining FIDO2 web authentication and a PIV PKI applet with on-card RSA-4096, on the FIPS 140-3 certified NXP P71D600 secure element. The OpenFIPS201 PIV applet holds a FIPS 140-3 validation on this P71D600 chip (CMVP #5280); FIPS 140-3 approved-mode operation requires SCP03 card management, and these cards ship with SCP02. FIDO Alliance Certified (FIDO2 v2.1 + CTAP Level 1). No MIFARE — logical identity only. Blank white PVC face for in-house ID printing.
CHF 45.75
The Cryptnox FIDO2 + PIV White PVC card puts two credentials on one printable card — a Swiss-engineered NFC smart card built on the FIPS 140-3 certified NXP secure element (JCOP 4.5 on P71D600). It combines FIDO2 web authentication with a PIV PKI applet that generates RSA-4096 keys on-card. The OpenFIPS201 PIV applet carries a FIPS 140-3 validation on the NXP P71D600 (NIST CMVP #5280). FIPS 140-3 approved-mode operation requires SCP03 secure-channel card management; these cards are delivered with SCP02, so they are not operated in the FIPS 140-3 approved mode as shipped. This variant has no MIFARE applet — it is purpose-built for logical identity.
The two applets are logically firewalled inside the secure element — each uses its own keys and memory space, so a compromise of one cannot reach the other.
Choose this FIDO2 + PIV card when you need a FIPS 140-3 validated PIV applet on the certified chip and do not need physical door access. If you also need MIFARE building access on the same card, see the FIDO2 + PIV + MIFARE card; if you only need web authentication, see the FIDO2-only White PVC card.
The face of this card ships blank — ready for any standard PVC ID card printer (Zebra, Evolis, Fargo, Magicard, Matica). Print your company logo, employee photo, name, department or QR code on each card, then issue one credential that covers web sign-in and PKI identity. Typical buyers are corporate IT and PKI teams standardizing on FIPS-validated smart-card hardware.
The card supports both NFC and contact (ISO 7816) interfaces. For FIDO2, tap on supported phones (iPhone 7+ on iOS 13.3+ supports FIDO2 over NFC; Android external NFC keys are mainly CTAP1 / U2F second-factor, not full FIDO2). PIV smart-card logon and signing use the contact interface through a standard USB CCID reader. For Windows desktop users, the Cryptnox dual-slot Smartcard Reader adds a dedicated “tap” button that electronically simulates card extraction and reinsertion (Windows only) — see our click-to-tap tutorial.
The blank White PVC surface is dimensioned to standard CR80 ID card printer specs. You can:
The PIV applet ships blank for customer personalization, with a decoupled PIV admin key so integrators can load keys, certificates and PINs without the issuer’s card-management key.
The PIV applet conforms to NIST FIPS 201-3 and SP 800-73-4, and works with the Windows native smart-card mini-driver (Base CSP), PKCS#11 middleware and OpenSC; it is suitable for PIV-I (interoperable) credentialing.
For volumes of 500+ or pre-printed batches (1,000+ cards), get in touch via our contact form.
For setup walkthroughs and service-specific tutorials, browse our FIDO2 tutorials hub.
Each part of the card is certified independently.
Chip / platform certifications (NXP JCOP 4.5 on P71D600, Java Card platform):
Applet certifications (each certified separately):
Cryptography: FIDO2 attestation uses NIST P-256 (secp256r1) only; the PIV applet generates RSA-4096 / RSA-2048 / ECC P-256 / P-384 keys on-card, and private keys never leave the secure element.
Yes. The OpenFIPS201 v2.0 PIV applet on this card holds a NIST FIPS 140-3 validation (CMVP certificate #5280, Overall Level 2 with Physical Security Level 4). What matters is the platform: that validation was performed on the NXP P71D600 secure element, which is the exact chip this card uses. Note: FIPS 140-3 approved-mode operation requires SCP03 card management, and these cards ship with SCP02, so they are not operated in the FIPS 140-3 approved mode as delivered. The underlying P71D600 secure element is itself certified to Common Criteria EAL6+ (NSCIB-CC-0313985) and FIPS 140-3 Level 3 with Physical Security Level 4 (CMVP #4679). Each layer (chip, FIDO2 applet and PIV applet) is certified independently.
Two differences. First, this card has no MIFARE applet — it is built only for logical identity (FIDO2 web authentication and PIV PKI), not physical door access. Second, it is built on the NXP P71D600 secure element, the exact chip on which the OpenFIPS201 PIV applet was FIPS 140-3 validated, so its FIPS validation references this exact chip (note: FIPS 140-3 approved-mode operation requires SCP03; these cards ship with SCP02). The FIDO2 + PIV + MIFARE card adds MIFARE DESFire EV2 building access on a different chip (P71D321), where the PIV applet’s FIPS validation is referenced for information only. Choose this card when you need a FIPS-validated PIV applet and no door access; choose the MIFARE card when you also need physical access control on the same badge.
The PIV applet turns the card into a government-grade PKI smart card. It implements the NIST SP 800-73-4 PIV standard with the four standard key slots (9A authentication, 9C digital signature, 9D key management, 9E card authentication) and supports RSA-4096 as well as RSA-2048 and ECC P-256 / P-384. Keys are generated on-card, so the private key never leaves the secure element. That lets one card handle Windows / Active Directory smart-card logon (Kerberos PKINIT), S/MIME email signing and encryption, document and code signing, and certificate-based VPN or Wi-Fi (EAP-TLS). The applet ships blank — your team personalizes the keys, certificates and PINs, using a decoupled admin key so an integrator can provision the card without the issuer’s master key.
Any service that supports FIDO2, WebAuthn or legacy U2F — Google, Microsoft, Apple ID, GitHub, GitLab, AWS, Okta, Microsoft Entra ID, Google Workspace, login.gov, AGOV, SwissID, and major banks and exchanges — as a phishing-resistant second factor, and for passwordless sign-in where the service supports it. The card provides 64 on-card resident-credential (passkey) slots. If a service’s security settings offer a “security key” or “passkey” option, this card will work.
Windows 10/11 has full FIDO2 / passkey support plus PIV smart-card logon via the native mini-driver (Base CSP). iOS supports FIDO2 over NFC natively (any iPhone 7+, iOS 13.3+). Android currently supports only CTAP1 / U2F (FIDO1) for external NFC keys — it works as a U2F second factor on most major services, but not for FIDO2 passwordless / passkey sign-in. macOS FIDO2-over-NFC support varies by version and browser; PIV is available via CryptoTokenKit or OpenSC. Linux browsers expect a HID interface — use the Cryptnox FIDO2 HID bridge for FIDO2, and OpenSC / PKCS#11 for PIV. Always test with your specific OS, browser and service before a production rollout.