Cryptnox SA
The Cryptnox FIDO2 + MIFARE 25-pack is the bulk procurement option for our flagship dual-application security card — 25 White PVC FIDO2 + MIFARE DESFire EV2 cards in one SKU, sized for enterprise rollouts. FIDO Alliance Certified (FIDO2 v2.1 + CTAP Level 1). One card per employee for both 2FA / MFA web auth and building door access.
CHF 490.18
Tax included. Shipping calculated at checkout.
The Cryptnox FIDO2 + MIFARE 25-pack is the bulk procurement option for our flagship dual-application security card — 25 White PVC FIDO2 + MIFARE DESFire EV2 cards in one SKU, sized for enterprise rollouts. FIDO Alliance Certified (FIDO2 v2.1 and CTAP Level 1), each card combines hardware 2FA / MFA for digital sign-in with MIFARE DESFire EV2 physical access control — one credential per employee for both web auth and building access.
Most organizations issue each employee two separate credentials: a FIDO2 hardware key for computer login, plus a MIFARE badge for door access. The 25-pack consolidates both onto one card per employee:
Each card supports both NFC and contact (ISO 7816) interfaces. Employees tap on any NFC-capable phone for FIDO2 sign-in or MIFARE access; on a desktop, they use a contactless reader or a contact reader. For Windows desktop workflows on the contact interface, the Cryptnox dual-slot Smartcard Reader features a dedicated “tap” button that simulates card extraction and reinsertion (Windows only). See the click-to-tap tutorial for the full workflow.
For enterprise quotes and custom procurement terms, reach out via our contact form.
Each card has two independent functions, so deployment runs in two parallel tracks:
Total time for a 25-card deployment: usually one afternoon for IT plus one afternoon for Facilities, assuming both teams are familiar with their respective workflows.
Each card ships with NXP factory default MIFARE DESFire keys. Your facilities team or access control integrator encodes each card with your organization’s diversified AES keys and DESFire application structure before deployment. The DESFire EV2 standard is compatible with most modern enterprise access control systems — always test a sample card with your specific reader and access control software before rolling out the full 25.
For SOC 2, NIS2, and DORA audits, document each card’s enrollment and revocation actions in the IdP and access control logs. Maintain a card-to-employee inventory log (per-card identifier, user email, enrollment date) — this becomes part of your audit evidence for the consolidated MFA + access posture.
Order one FIDO2 + MIFARE White PVC single card to test compatibility with your access control system and IdP before committing to the 25-pack.
For setup walkthroughs, integration guides, and service-specific tutorials (Google, Microsoft, Apple, GitHub, Bank of America, login.gov, AGOV, SwissID), browse our FIDO2 tutorials hub.
Most organizations with physical offices currently issue each employee two separate credentials: a FIDO2 hardware key for computer login, and a MIFARE badge for building access. The 25-pack consolidates both onto one smart card per employee, which solves a few operational problems:
Typical buyers of the 25-pack: mid-sized offices with existing MIFARE DESFire-compatible access control; IT + Facilities consolidation projects; security-aware startups setting up office procedures from scratch.
Cryptnox ships the 25-pack with NXP factory default MIFARE DESFire keys. Encoding them with your organization’s keys and application structure is something your Facilities team or access control integrator handles in-house, using your existing card-encoding workflow.
Compatibility caveat: always test a sample card end-to-end with your specific reader and access control system before rolling out the full pack. Our cards are plain-vanilla DESFire EV2, but some proprietary access systems are configured to only accept cards with vendor-specific overlays they’ve issued themselves.
For the FIDO2 side, the cards are ready to register out of the box — no encoding or personalization required for web authentication.
Each card has two independent functions, so deployment runs in two parallel tracks — IT handles FIDO2 enrollment, Facilities handles MIFARE encoding:
IT side (FIDO2):
1. Register each card to the employee’s Entra ID / Okta / Google Workspace account (via kiosk, API-driven batch, or self-serve with a Temporary Access Pass)
2. Set a PIN if your identity provider requires user verification
3. Record the card’s per-card identifier against the employee in your IT inventory
Facilities side (MIFARE DESFire):
1. Encode each card with your organization’s diversified AES keys using your existing card-encoding workstation
2. Program the DESFire application with your access control system’s AID, file layout, and UID format
3. Register the card’s UID in your access control system against the employee’s profile
Distribution: once both tracks complete, the card is ready to hand over. Label or print the white PVC face with the employee’s identifier if needed. The employee sets their own FIDO2 PIN on first login (when a PIN is used).
Typical time for a full 25-card deployment: one afternoon for IT plus one afternoon for Facilities, assuming both teams are familiar with their respective workflows.
OS and browser compatibility (for the FIDO2 side): iOS supports FIDO2 over NFC natively (any iPhone 7+). Android currently supports only CTAP1 / U2F (FIDO1) for external NFC keys — not FIDO2 / CTAP2. Most major services maintain CTAP1 backward compatibility, so the card works as a U2F second-factor authenticator on Android, but the feature set is reduced and CTAP1 implementations vary. macOS FIDO2-over-NFC support varies by version and browser. Linux browsers expect FIDO2 authenticators on a HID interface — use the Cryptnox FIDO2 HID bridge to present the card to the browser as an HID-FIDO device. Windows 10/11 has full FIDO2 support across all major browsers. The MIFARE DESFire side is independent of OS — it speaks directly to access control readers.
The cleanest path is a phased swap, not a big-bang cutover. A typical 2–3 month migration:
Phase 1 — Pilot (week 1–2):
– Roll out the 25-pack to a single team — IT, executive, or Facilities — running both old credentials in parallel
– Catches any reader / IdP / access control compatibility issue early
– Sets the on-site enrollment kiosk and process for the rest of the org
Phase 2 — Department-by-department (month 1–2):
– Issue combined cards to each department in turn
– Register each card to the user’s accounts, encode the MIFARE side, and add the new UID to access control
– Old FIDO2 key and old MIFARE badge stay valid until end-of-phase as a safety net
– Mark old credentials as revoked at the close of each department’s rollout
Phase 3 — Decommission (month 2–3):
– Disable old FIDO2 keys at the identity provider
– Remove old MIFARE UIDs from access control
– Collect and physically destroy retired cards (shred or PIN-grind to break the chip)
– Update IT inventory to reflect the unified hardware fleet
For SOC 2 / NIS2 / DORA audit trails, document each phase’s enrollment and revocation actions in the IdP and access control logs — this becomes evidence for the consolidated MFA + access posture.
A combined card needs revocation on both functions — each has its own clean path:
FIDO2 side (digital identity):
– IT removes the card registration from the user’s accounts in the identity provider (Entra ID, Okta, Google Workspace, etc.)
– Once removed at the IdP, the card cannot authenticate to any service even if found — the user’s PIN (if set) adds another barrier
– Re-issue a replacement card from spare stock and re-register
MIFARE side (physical access):
– Facilities removes the card’s UID from the access control system
– Door readers reject the lost card within seconds to minutes
– The lost card holds no decrypted credentials at rest — without your AES key set, the DESFire data is unreadable
– Encode and issue a replacement from spare stock
Replacement timing: keeping 10–15% of the 25-pack as spare stock (recommended in Q1) lets IT issue a same-day replacement. For after-hours emergencies, IT can register a single FIDO2-only card (regular SKU) as a temporary digital stopgap while the permanent combined replacement is encoded.
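Because each card is revoked in two separate systems, a lost card can end up disabled at the IdP while its UID still opens doors, or the reverse. The following is an added example (not Cryptnox code) that reconciles the card-to-employee inventory log against both systems. It assumes the IdP and access control exports have already been mapped to the inventory's per-card identifier and MIFARE UID; all field names and sample values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    card_id: str     # per-card identifier from the inventory log (hypothetical format)
    email: str       # employee the card is assigned to
    mifare_uid: str  # UID registered with the access control system
    status: str      # "issued", "lost" or "retired"


def reconcile(inventory, idp_registered, acs_active_uids):
    """Return (identifier, problem) pairs where the inventory and the two systems disagree.

    idp_registered:  set of card_ids with a live FIDO2 registration at the IdP
    acs_active_uids: set of MIFARE UIDs the door readers currently accept
    """
    findings = []
    for card in inventory:
        fido_live = card.card_id in idp_registered
        door_live = card.mifare_uid in acs_active_uids
        if card.status in ("lost", "retired"):
            # Revocation must be complete on both functions.
            if fido_live:
                findings.append((card.card_id, "FIDO2 registration still active"))
            if door_live:
                findings.append((card.card_id, "MIFARE UID still active"))
        elif card.status == "issued":
            # Both deployment tracks must have finished before hand-over.
            if not fido_live:
                findings.append((card.card_id, "FIDO2 enrollment missing"))
            if not door_live:
                findings.append((card.card_id, "MIFARE UID not registered"))
    # UIDs that open doors but have no inventory record at all.
    known_uids = {card.mifare_uid for card in inventory}
    for uid in sorted(acs_active_uids - known_uids):
        findings.append((uid, "active UID not in inventory"))
    return findings


# Constructed sample data, not real identifiers.
INVENTORY = [
    Card("CARD-0001", "alice@example.com", "04A1B2C3D4E5F6", "issued"),
    Card("CARD-0002", "bob@example.com", "04112233445566", "lost"),
    Card("CARD-0003", "carol@example.com", "04AABBCCDDEEFF", "issued"),
]
IDP_REGISTERED = {"CARD-0001", "CARD-0003"}
ACS_ACTIVE_UIDS = {"04A1B2C3D4E5F6", "04112233445566", "04DEADBEEF0001"}

if __name__ == "__main__":
    for identifier, problem in reconcile(INVENTORY, IDP_REGISTERED, ACS_ACTIVE_UIDS):
        print(f"{identifier}: {problem}")
```

Running it on a schedule and filing the output with the enrollment and revocation logs gives auditors a dated record that both functions were revoked together.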