cryptnox-logo
Cryptnox FIDO2 security key NFC smart card
Cryptnox FIDO2 NFC security key card packaging and product details
Cryptnox FIDO2 and MIFARE DESFire EV2 dual-interface smart card specifications
Cryptnox FIDO2 certified security key card for two-factor authentication
Cryptnox FIDO2 Level 1 certification certificate
Cryptnox FIDO2 security key smart card with MIFARE DESFire contactless technology

Cryptnox SA

Cryptnox FIDO2 + MIFARE Card — Hardware Security Key for 2FA, MFA & Building Access

The Cryptnox FIDO2 + MIFARE card is the flagship of our FIDO2 lineup — a single Swiss-engineered NFC smart card combining FIDO Alliance Certified FIDO2 (v2.1 + CTAP Level 1) authentication with MIFARE DESFire EV2 physical access control on the same chip. One card for 2FA / MFA on every major web service plus office door access. Cryptnox-branded face. Single card.

ORDERS TO THE EU SHIP DIRECTLY FROM THE EU – NO IMPORT DUTIES

 39.00

Tax included. Shipping calculated at checkout.

Pay with Debit or Credit Card

Description

Customer rating: ★★★★☆ 4.1 / 5 — based on 289 Amazon customer reviews. Read on Amazon.

The Cryptnox FIDO2 + MIFARE card is the flagship of our FIDO2 lineup — a single Swiss-engineered NFC smart card that combines two security functions in one Cryptnox-branded credential. FIDO Alliance Certified (FIDO2 v2.1 and CTAP Level 1), the card is primarily used as a hardware 2FA / MFA second factor on every major FIDO2 / WebAuthn service and adds a MIFARE DESFire EV2 (4K) applet for physical access control on the same chip. One card replaces both your 2FA security key and your office building badge.

Two security functions, one credential

A single secure-element chip runs two independent firmware applications, logically firewalled inside the chip:

  • FIDO2 applet — 2FA / MFA on Google, Microsoft, Apple, GitHub, Bank of America, login.gov, AGOV, SwissID, and any service supporting FIDO2 / WebAuthn / U2F. Passwordless sign-in supported on services that have explicitly enabled FIDO2-only login (Microsoft Entra ID, Google Workspace, login.gov, etc.)
  • MIFARE DESFire EV2 (4K) applet — physical access control on office doors, elevators, printers, and time-clock systems that accept standard DESFire EV2 cards

Each applet uses its own keys and memory space, so a compromise of one cannot reach the other.

Tap to authenticate — on phone or computer

The card supports both NFC and contact (ISO 7816) interfaces. Tap on any NFC-capable phone for FIDO2 sign-in or MIFARE access; on a desktop or laptop, use a contactless smart card reader for tap-and-go workflows or a contact reader for a physical-connection sign-in.

For Windows desktop users who sign in with FIDO2 via the contact interface, the Cryptnox dual-slot Smartcard Reader features a dedicated “tap” button that electronically simulates card extraction and reinsertion — press the button when a FIDO2 service prompts you to tap, instead of physically removing the card. (Tap button feature is Windows-only.) See our click-to-tap tutorial for the full FIDO2 sign-in workflow.

How this card differs from the rest of our FIDO2 lineup

  • This card (FIDO2 + MIFARE, Cryptnox-branded): flagship dual-application card with our standard branding. Best for individuals and small organizations who want one credential for both web auth and building access without custom printing.
  • FIDO2 + MIFARE White PVC: same dual functions on a blank, printable face — for organizations that print employee photos or company branding.
  • FIDO2 + MIFARE 25-pack: bulk pricing for enterprise rollouts of the dual-application card.
  • FIDO2 only (basic): if you don’t need physical access control, the FIDO2-only card is simpler and more affordable.

What does FIDO2 mean?

FIDO2 is the modern open authentication standard (WebAuthn + CTAP2) for phishing-resistant strong authentication. Most services use FIDO2 cards as a hardware second factor — sign in with your password as usual, then tap the card to confirm. A growing set of services (Microsoft Entra ID, Google Workspace, login.gov, AGOV) also support FIDO2-based passwordless sign-in. Backed by the FIDO Alliance — a consortium including Google, Microsoft, Apple, Amazon, and major banks — FIDO2 is the foundation of modern hardware-backed authentication on the web.

Features

Built for hardware-backed 2FA / MFA + physical access in one credential

The Cryptnox FIDO2 + MIFARE card combines two security capabilities on one chip:

  • FIDO2 / WebAuthn / U2F on every major personal, developer, financial, and government service
  • MIFARE DESFire EV2 on every access control system that accepts standard DESFire cards

Compatible services and frameworks (FIDO2 side)

  • Personal accounts: Google, Microsoft, Apple ID, Facebook, X, Dropbox, Bitwarden, 1Password
  • Developer & cloud: GitHub, GitLab, AWS, Cloudflare, Vercel, Fastly
  • Enterprise SSO: Okta, Auth0, Microsoft Entra ID, Google Workspace, Duo, Ping Identity
  • Government identity: login.gov (US), AGOV (Switzerland), SwissID
  • Financial services: Bank of America, Coinbase, Kraken, EU/Swiss banks via PSD2 SCA
  • Compliance: required for OMB M-22-09; accepted under NIS2, DORA, NIST SP 800-63B AAL3, PCI DSS v4

MIFARE DESFire EV2 — building access

The MIFARE side is plain-vanilla DESFire EV2 with open AES key programmability. It works with any access control system that accepts standard DESFire cards — most modern enterprise systems do, but always test a sample card with your specific reader and access control software before a wider rollout. Some proprietary access systems are configured to only accept cards issued by specific vendors with their own overlays.

Easy to use, easy to deploy

  • Tap to authenticate on any NFC-capable phone (iOS for full FIDO2; Android for CTAP1 / U2F second-factor)
  • Contact mode for desktop: insert into any USB CCID-class smart card reader; for a smoother flow on Windows, use the Cryptnox dual-slot Smartcard Reader with its dedicated tap button (Windows only)
  • No drivers required on Windows / macOS / Linux when used with a standard USB CCID smart card reader
  • No charging — passive NFC, no battery, equivalent lifespan to any contactless card
  • No app required for daily use — register once on each service through the standard browser flow

When to choose this Cryptnox-branded version

This card is for individuals and small teams who don’t need to print custom branding on the face. For organizations that want employee photos, company logos, or department names printed on each card, see the FIDO2 + MIFARE White PVC variant. For larger deployments, see the 25-pack.

For setup walkthroughs, integration guides, and service-specific tutorials (Google, Microsoft, Apple, GitHub, Bank of America, login.gov, AGOV, SwissID), browse our FIDO2 tutorials hub.

Specifications

Technical specifications

  • Form factor: ISO/IEC 7810 ID-1 (CR80, credit-card size)
  • Interface: NFC (ISO/IEC 14443 Type A) + contact (ISO 7816)
  • FIDO2 certification: FIDO Alliance Certified — FIDO2 v2.1 and CTAP Level 1
  • FIDO2 standards: WebAuthn, CTAP2, FIDO U2F (legacy)
  • MIFARE chip: MIFARE DESFire EV2 (4K), open AES key programmability
  • Secure element: EAL6+ certified chip, single-chip dual-applet architecture
  • Power: passive — no battery, energy harvested from the NFC reader’s RF field
  • Operating systems (FIDO2): iOS (full FIDO2), Android (CTAP1 / U2F over NFC), Windows 10/11, macOS 11+, Linux (with Cryptnox FIDO2 HID bridge)

Compliance

  • FIDO Alliance Certified (FIDO2 v2.1 + CTAP Level 1)
  • ISO/IEC 7810 (card form factor)
  • ISO/IEC 7816 (contact interface)
  • ISO/IEC 14443 (NFC interface)
  • MIFARE DESFire EV2 standard (NXP)

Frequently Asked Questions

What is the Cryptnox FIDO2 + MIFARE DESFire card?

It’s a Swiss-designed NFC smart card that combines two security functions on a single secure-element chip:

  • FIDO2 applet (FIDO Alliance Certified — FIDO2 v2.1 and CTAP Level 1, with WebAuthn + legacy U2F support) for passwordless and 2FA sign-in on every major web service
  • MIFARE DESFire EV2 (4K) applet for physical access control — office door readers, elevator gates, time-clocks, building-access systems

The two applets are logically firewalled inside the chip — each uses its own keys and memory space, so a compromise of one cannot reach the other. Firmware is designed in Switzerland; cards are programmed in Switzerland or Poland. The face carries the Cryptnox branding — for a blank, in-house-printable face, see the FIDO2 + MIFARE White PVC variant.

How does this compare to a YubiKey 5 NFC?

Both are FIDO2-certified and work over NFC. Key differences:

  • Form factor: the Cryptnox card fits in a wallet cardholder slot; YubiKey is a keychain dongle.
  • Building access: this card adds a MIFARE DESFire EV2 chip for physical access control on the same credential — YubiKey doesn’t include one, so you’d carry a separate badge.
  • Branding: the Cryptnox card ships with our standard branding on the face. For a blank surface ready for custom employee printing, see the FIDO2 + MIFARE White PVC variant; YubiKey branding is fixed.

For pure web 2FA on a keyring, either works. For one credential that handles both web sign-in and office door access, this card combines them.

Which online services and accounts work with this card?

Any service that supports FIDO2, WebAuthn, or legacy U2F — which is now the vast majority of major online platforms:

  • Personal: Google / Gmail, Microsoft / Outlook / Xbox, Apple ID, Facebook, X (Twitter), Dropbox, Proton, Bitwarden, 1Password, LastPass
  • Developer & cloud: GitHub, GitLab, AWS, Cloudflare, Vercel, Fastly
  • Enterprise SSO: Okta, Auth0, Ping Identity, Duo, Microsoft Entra ID (Azure AD), Google Workspace
  • Government & digital identity: login.gov (US federal single sign-on), AGOV (agov.ch — Swiss federal e-government login), SwissID (swissid.ch — federated digital identity for banks, insurance, and cantonal services)
  • Financial: Bank of America, Coinbase, Kraken, Binance, most major exchanges, many Swiss and EU banks via PSD2-aligned SCA
  • Government & regulated environments: US federal agencies under OMB M-22-09, DoD contractors under CMMC 2.0, NIST SP 800-63B AAL3 deployments. Also suitable where organizations choose phishing-resistant MFA to meet NIS2, DORA, or PCI DSS v4 obligations.

If the service’s security settings show a “security key” or “passkey” registration option, this card will work. Registration is done by tapping the card on your phone’s NFC area or placing it on a contactless reader connected to your computer.

Does the MIFARE DESFire chip work with my existing access control system?

MIFARE DESFire EV2 is a widely-used enterprise contactless credential standard, and our cards are plain-vanilla DESFire chips with open AES key programmability. Compatibility is not universal: many readers accept standard DESFire cards once encoded with the right AES keys and application structure, but some access control systems are configured to only accept cards issued by specific vendors with proprietary overlays. We recommend testing a single card end-to-end with your specific reader + access control software before any larger rollout — or ask your systems integrator whether your stack allows third-party DESFire cards.

How do I register and use the card on phones and computers?

Phones:iOS — any iPhone 7 or newer; Safari supports FIDO2 over NFC natively. – Android — Android currently supports only CTAP1 / U2F (FIDO1) for external NFC security keys, not the newer FIDO2 / CTAP2. Most major services (Google, Microsoft, GitHub, etc.) maintain CTAP1 backward compatibility, so the Cryptnox card works on the majority of mainstream sites as a second-factor authenticator on Android. The feature set is reduced — no passwordless or passkey-style sign-in — and CTAP1 implementations vary across servers, so it isn’t 100% guaranteed for every service. Test with your target service before relying on it.

To register on a supported phone, sign in to your account, go to Security settings → Security keys / Passkeys, click “Add security key,” and tap the card against your phone’s NFC area (typically the upper back). Registration takes 10–30 seconds per service.

Desktop / laptop:Windows 10/11 — full FIDO2 support across all major browsers; tap on built-in NFC or use a contactless reader. – macOS — FIDO2 over NFC support varies by macOS version and browser. Test before relying on it for production. – Linux — Linux browsers expect FIDO2 authenticators to expose a HID interface, which contactless smart card readers do not. Use our open-source Cryptnox FIDO2 HID bridge — a small daemon that presents the card to the browser as an HID-FIDO device.

If your computer doesn’t have built-in NFC, we make two USB-C readers: the NFC Contactless Reader and the dual-slot Cryptnox Smartcard Reader. Both use the standard USB CCID interface — no Cryptnox-specific driver needed.

Cryptnox FIDO2 app (advanced features only): the free Cryptnox FIDO2 app (App Store / Play Store) is for advanced management — PIN changes, factory reset, and handling resident-key (discoverable) credentials stored on the card. It is not required for day-to-day use — registering the card with a service, signing in, and 2FA all work directly with any FIDO2-supporting browser or service, no app needed.

Replacing a card: keys are bound to the card’s secure element and never leave it, so cards cannot be cloned or migrated card-to-card. To replace a lost or retired card, register the new card on each account/service and delete the old card’s registration at that service. The new card creates its own fresh per-service keys; the old card’s registrations are revoked server-side. For high-stakes deployments, register a backup card on each account in advance so a lost primary doesn’t lock the user out.

Select your currency
EUR Euro
CHF Swiss franc
0
    0
    Shopping cart
    Your cart is emptyReturn to Shop
    Continue shopping