cryptnox-logo
Cryptnox FIDO2 and MIFARE white PVC smart card, customizable security key for 2FA and building access
Cryptnox FIDO2 smart card front view showing security key branding
Cryptnox FIDO2 passwordless security key card with NFC tap-to-authenticate design
Cryptnox FIDO2 security key NFC card for passwordless two-factor authentication
Cryptnox FIDO2 NFC security key card packaging and product details
Cryptnox FIDO2 security key contact chip detail for smart card authentication
Cryptnox FIDO2 NFC security key card close-up showing contactless tap authentication

Cryptnox SA

Cryptnox FIDO2 + MIFARE White PVC — Customizable Security Key for 2FA & Building Access

EAN: 7649992538141

The Cryptnox FIDO2 + MIFARE White PVC card is the customizable variant of our flagship dual-application security card — a Swiss-engineered NFC smart card combining FIDO2 authentication and MIFARE DESFire EV2 physical access control on a blank PVC face ready for in-house printing. FIDO Alliance Certified (FIDO2 v2.1 + CTAP Level 1). Print employee photos, company branding, or department names on each card.

ORDERS TO THE EU SHIP DIRECTLY FROM THE EU – NO IMPORT DUTIES

 39.00

Tax included. Shipping calculated at checkout.

Pay with Debit or Credit Card

Description

Customer rating: ★★★★☆ 4.2 / 5 — based on 290 Amazon customer reviews. Read on Amazon.

The Cryptnox FIDO2 + MIFARE White PVC card is the customizable variant of our flagship dual-application security card — a Swiss-engineered NFC smart card that combines FIDO2 web authentication and MIFARE DESFire EV2 physical access control on a blank PVC face ready for in-house printing. FIDO Alliance Certified (FIDO2 v2.1 and CTAP Level 1), it’s used primarily as a hardware 2FA / MFA second factor for digital sign-in plus a building-access badge — all on one printable, employee-personalizable card.

Built for branded enterprise rollouts

The face of this card ships blank — ready for any standard PVC ID card printer (Zebra, Evolis, Fargo, Magicard, Matica). Print your company logo, employee photo, name, department, QR code, or any combination on each card. Inside, every card carries the same Swiss-engineered FIDO2 + MIFARE DESFire EV2 chip as our Cryptnox-branded variant. Typical buyers:

  • Corporate IT rolling out 2FA company-wide with branded employee badges
  • MSPs and resellers applying their own branding for client deployments
  • Compliance-driven projects needing visible card identifiers tied to a documented FIDO2 hardware inventory

Tap to authenticate — on phone or computer

The card supports both NFC and contact (ISO 7816) interfaces. For FIDO2 authentication, tap on supported phones: iPhone 7+ on iOS 13.3+ supports FIDO2 over NFC; Android external NFC keys are mainly supported as CTAP1 / U2F second-factor authenticators (not full FIDO2 / passwordless). MIFARE access depends on the target access-control reader and the encoding programmed onto the card. On desktop, use a contactless reader or a contact reader. For Windows desktop users on the contact interface, the Cryptnox dual-slot Smartcard Reader features a dedicated “tap” button that electronically simulates card extraction and reinsertion (Windows only) — press the button when a FIDO2 service prompts you to tap. See our click-to-tap tutorial for the full FIDO2 sign-in workflow.

How this card differs from the rest of our FIDO2 lineup

  • This card (FIDO2 + MIFARE White PVC): blank printable face for custom branding. Single card.
  • FIDO2 + MIFARE (Cryptnox-branded): same dual functions, ships with our standard Cryptnox branding. Single card.
  • FIDO2 + MIFARE 25-pack: 25 of these White PVC dual-application cards in one bulk SKU for enterprise IT.
  • FIDO2-only White PVC: same printable PVC face but FIDO2 only — no MIFARE. Cheaper if you don’t need physical access control.

About FIDO2 + MIFARE on a single chip

Each card carries a single secure-element chip running two independent firmware applications: a FIDO2 applet for web sign-in (FIDO Alliance Certified) and a MIFARE DESFire EV2 applet for physical access. The two applets are logically firewalled inside the chip — each uses its own keys and memory space, so a compromise of one cannot reach the other. FIDO credentials are managed through the user’s online services or identity provider; DESFire applications and AES keys are managed through the access-control system or integrator. The two domains never share keys or memory. The MIFARE side ships with NXP factory default keys; your facilities team or access integrator encodes them with your organization’s diversified AES keys before deployment.

Features

Customize the card face for branded employee badges

The blank White PVC surface is dimensioned to standard CR80 ID card printer specs. You can:

  • Print employee photo, name, department on each card via dye-sublimation or thermal transfer
  • Add company logo and color branding
  • Add QR codes, visible serial numbers, employee identifiers, or asset tags — avoid applying additional NFC stickers / tags or metallic overlays that could interfere with the card’s NFC performance
  • Apply optional laminate overlay for added durability

Most local ID badge services or corporate ID-print departments can run a small batch of cards if you don’t have an in-house printer.

Compatible services (FIDO2 side)

  • Personal accounts: Google, Microsoft, Apple ID, Facebook, X, Dropbox, Bitwarden, 1Password
  • Developer & cloud: GitHub, GitLab, AWS, Cloudflare, Vercel, Fastly
  • Enterprise SSO: Okta, Auth0, Microsoft Entra ID, Google Workspace, Duo, Ping Identity
  • Government identity: login.gov (US), AGOV (Switzerland), SwissID
  • Compliance support: can support phishing-resistant MFA programs aligned with OMB M-22-09, NIST SP 800-63B, PCI DSS v4, NIS2, and DORA. Final compliance depends on how the organization configures enrollment, account recovery, policy enforcement, logging, and access governance.

MIFARE DESFire EV2 — building access

The MIFARE side is designed for standard, plain-vanilla DESFire EV2 deployments with open AES key programmability. Compatibility with proprietary access-control ecosystems is not universal — test a sample card end-to-end with your readers, access-control software, key diversification, and application / file structure before bulk rollout. Some proprietary systems only accept cards with vendor-specific overlays.

Easy to use, easy to deploy

  • Tap to authenticate on any NFC-capable phone (iOS for full FIDO2; Android for CTAP1 / U2F second-factor)
  • Contact mode for desktop: insert into any USB CCID-class smart card reader; for Windows, the Cryptnox dual-slot Smartcard Reader tap button streamlines the flow
  • Driverless reader support — when used with a standard USB CCID smart-card reader, the reader is recognized by Windows, macOS, and Linux without vendor-specific drivers. The card itself is an NFC / contact smart card (not a USB security key). FIDO2 sign-in on Linux additionally requires the Cryptnox FIDO2 HID bridge
  • No charging — passive NFC, no battery
  • No app required for daily use

Bulk procurement

For deployments above a few cards, see the 25-pack. For volumes of 500+ or pre-printed batches (1,000+ cards), get in touch via our contact form.

For setup walkthroughs, integration guides, and service-specific tutorials (Google, Microsoft, Apple, GitHub, Bank of America, login.gov, AGOV, SwissID), browse our FIDO2 tutorials hub.

Specifications

EAN: 7649992538141

Technical specifications

  • Form factor: ISO/IEC 7810 ID-1 (CR80, credit-card size)
  • Card face: blank White PVC, ready for ID card printers (dye-sublimation or thermal transfer)
  • Interface: NFC (ISO/IEC 14443 Type A) + contact (ISO 7816)
  • FIDO2 certification: FIDO Alliance Certified — FIDO2 v2.1 and CTAP Level 1
  • FIDO2 standards: WebAuthn, CTAP2, FIDO U2F (legacy)
  • MIFARE applet: MIFARE DESFire EV2 (4K), open AES key programmability, ships with NXP factory-default DESFire keys (to be changed and diversified by your facilities team or access-control integrator before deployment)
  • Secure element: EAL6+ certified chip, single-chip dual-applet architecture
  • Power: passive — no battery, energy harvested from the NFC reader’s RF field
  • Operating systems (FIDO2): Windows 10/11 — full FIDO2; iPhone 7+ / iOS 13.3+ — FIDO2 over NFC; Android — external NFC keys mainly via CTAP1 / U2F second-factor (not full FIDO2 / passwordless); macOS — FIDO2 over NFC varies by version and browser; Linux — FIDO2 sign-in requires the Cryptnox FIDO2 HID bridge

Compliance

  • FIDO Alliance Certified (FIDO2 v2.1 + CTAP Level 1)
  • ISO/IEC 7810 (card form factor)
  • ISO/IEC 7816 (contact interface)
  • ISO/IEC 14443 (NFC interface)
  • MIFARE DESFire EV2 standard

Certifications

Chip platform certifications (NXP JCOP 4 on P71D321):

  • Common Criteria EAL 6+ augmented — NSCIB-CC-180212_3
  • FIPS 140-2 Overall Level 3 with Physical Security at Level 4 — NIST CMVP certificate #3746
  • AIS-31 compliant True Random Number Generator (chip-level)

Applet certifications:

  • MIFARE DESFire EV2 applet: Common Criteria EAL5+
  • Cryptnox FIDO2 / U2F applet: FIDO Alliance Certified — FIDO2 v2.1 + CTAP Level 1

Supported elliptic curve (FIDO2 applet):

  • NIST P-256 (P-256 r1) only — the chip platform supports additional curves, but the FIDO2 applet exposes only NIST P-256

Frequently Asked Questions

How does this differ from a basic FIDO2 security key?

A basic FIDO2 key handles digital login only — 2FA and passwordless sign-in. This card adds a second function on the same credential: a single secure-element chip runs two independent firmware applications — a FIDO2 applet for web authentication (Google, Microsoft, Apple, Facebook, GitHub, Dropbox, Bank of America) and a MIFARE DESFire EV2 applet for physical access control (office doors, elevators, printers, time-clocks). One card in your wallet covers both your digital identity and your physical building access. The two applications are logically firewalled inside the chip — each uses its own keys and memory space, so a compromise of one cannot reach the other.

How does this compare to a YubiKey 5C NFC?

Both are FIDO2-certified and support NFC. Key differences: (1) form factor — our card fits in a wallet cardholder slot, the YubiKey is a keychain dongle; (2) the Cryptnox card adds a MIFARE DESFire EV2 applet on the same secure-element chip for physical access control, which YubiKey doesn’t offer; (3) the Cryptnox card face is blank white PVC (can be customized with a logo or identifier if your organization uses card printers), while YubiKey is fixed-branding. If you only need web 2FA, either works — if you also need physical access control on the same credential, this card combines the two.

Does the MIFARE DESFire chip work with my existing building access system?

MIFARE DESFire EV2 is a widely-used enterprise contactless credential standard, and our cards are plain-vanilla DESFire chips with open AES key programmability. Compatibility is not universal: many readers accept standard DESFire cards once encoded with the right AES keys and application structure, but some access control systems are configured to only accept cards issued by specific vendors with proprietary overlays. We recommend testing a single card end-to-end with your specific reader + access control software before any larger rollout — or ask your systems integrator whether your stack allows third-party DESFire cards.

How do I retire or remove the card from a user’s accounts?

For each account (Google, Microsoft, Apple, GitHub, etc.), go to Security settings → Security keys / Passkeys → delete the entry labeled with this card’s registration. The keys stored on-card are per-service, so removing the registration at the service side is sufficient — the private keys never leave the card. For MIFARE DESFire access control, revoke the card record or DESFire application credential in your access-control system according to your integrator’s process — do not rely on UID-only access control unless your system explicitly requires it. Reissuing a card requires your facilities team or integrator to reset / re-encode the DESFire application and keys; IT should remove or reset the FIDO registrations according to the supported Cryptnox reset workflow (PIN change, factory reset, and resident-key management are available through the Cryptnox FIDO2 app).

Which online services and accounts work with this card?

Any service that supports FIDO2, WebAuthn, or legacy U2F — which is now the vast majority of major online platforms:

  • Personal: Google / Gmail, Microsoft / Outlook / Xbox, Apple ID, Facebook, X (Twitter), Dropbox, Proton, Bitwarden, 1Password, LastPass
  • Developer & cloud: GitHub, GitLab, AWS, Cloudflare, Vercel, Fastly
  • Enterprise SSO: Okta, Auth0, Ping Identity, Duo, Microsoft Entra ID (Azure AD), Google Workspace
  • Government & digital identity: login.gov (US federal single sign-on), AGOV (agov.ch — Swiss federal e-government login), SwissID (swissid.ch — federated digital identity for banks, insurance, and cantonal services)
  • Financial: Bank of America, Coinbase, Kraken, Binance, most major exchanges, many Swiss and EU banks via PSD2-aligned SCA
  • Government & regulated environments: organizations can use FIDO2 hardware authenticators like this card as part of phishing-resistant MFA programs for OMB M-22-09, CMMC, NIST SP 800-63B, NIS2, DORA, PCI DSS v4, and similar frameworks. Whether a deployment satisfies a specific requirement depends on identity-provider configuration, authenticator policy, recovery procedures, logging, and audit controls.

If the service supports FIDO2 / WebAuthn or legacy U2F security keys, this card is generally suitable, but actual behavior depends on the service, operating system, browser, NFC / contact reader path, and whether the service permits CTAP1 / U2F fallback. Test your target workflow before production deployment. Registration is done by tapping the card on your phone’s NFC area or placing it on a contactless reader connected to your computer.

OS and browser compatibility: iOS supports FIDO2 over NFC on iPhone 7 and newer running iOS 13.3 or later. Android currently supports only CTAP1 / U2F (FIDO1) for external NFC keys — not FIDO2 / CTAP2. Most major services maintain CTAP1 backward compatibility, so the card works as a U2F second-factor authenticator on Android, but the feature set is reduced and CTAP1 implementations vary. macOS FIDO2-over-NFC support varies by version and browser. Linux browsers expect FIDO2 authenticators on a HID interface — use the Cryptnox FIDO2 HID bridge to present the card to the browser as an HID-FIDO device. Windows 10/11 has full FIDO2 support across all major browsers. Always test with your specific OS + browser + service before committing to a production deployment.

Is the Cryptnox FIDO2 card FIPS 140 certified?

The Cryptnox FIDO2 applet itself is FIDO Alliance Certified (FIDO2 v2.1 + CTAP Level 1). The underlying secure-element platform on this product (NXP JCOP 4 on P71D321) is FIPS 140-2 Overall Level 3 validated with Physical Security at Level 4 — NIST CMVP certificate #3746. This is the chip-platform certification; the FIDO2 applet does not carry a separate FIPS 140 certification.

What Common Criteria certification does this card carry?

The underlying NXP secure-element platform (JCOP 4 on P71D321) is Common Criteria EAL 6+ augmented certified under the Netherlands scheme (NSCIB-CC-180212_3). EAL 6+ is the second-highest assurance level on the CC ladder, used by passport and high-security ID issuers. The Cryptnox FIDO2 applet runs on top of this certified platform.

Which elliptic curve does the Cryptnox FIDO2 applet use?

The Cryptnox FIDO2 applet performs all cryptographic signing on NIST P-256 (P-256 r1), the curve mandated by the FIDO2 / WebAuthn specification. The underlying chip platform supports additional curves (Brainpool 224/256/320/384/512, NIST P-224 / P-384 / P-521, and Secp256k1) on its ECC coprocessor, but the FIDO2 applet exposes only NIST P-256 to remain spec-compliant.

Select your currency
EUR Euro
CHF Swiss franc
0
    0
    Shopping cart
    Your cart is emptyReturn to Shop
    Continue shopping