Cryptnox FIDO2 Card — Hardware Security Key for 2FA, MFA & Passwordless

Frequently Asked Questions

What is a FIDO2 security key?

A FIDO2 security key is a hardware authenticator that replaces or supplements passwords using public-key cryptography. Instead of typing a password that can be phished or stolen in a data breach, you tap or insert a physical device that proves your identity with a cryptographic signature — the private key never leaves the card’s secure element. This Cryptnox FIDO2 card is certified to the FIDO2 standard (WebAuthn + CTAP2) and also supports the older U2F protocol, so it works with every major service that accepts either, from Google and Microsoft to Bank of America, GitHub, login.gov, AGOV, and SwissID.

How does this card differ from the FIDO2 + MIFARE version?

Same FIDO2 applet certification (FIDO Alliance Certified — FIDO2 v2.1 + CTAP Level 1), same web-authentication behavior, and same FIDO2 / WebAuthn service compatibility. The chip platform differs: FIDO2-only cards use NXP JCOP 4.5 on P71D600, while FIDO2 + MIFARE cards use JCOP 4 on P71D321 to support the DESFire EV2 applet. The difference is function:

• This card (FIDO2 only): WebAuthn / FIDO2 and U2F authentication for online accounts — primarily hardware 2FA / MFA, with passwordless sign-in on services that explicitly support FIDO2 / passwordless flows.
• FIDO2 + MIFARE DESFire card: adds a second firmware application on the same chip for physical access control (building doors, elevators, printers, time-clocks).

If you only need web 2FA and passwordless sign-in, the basic card is simpler and more affordable. If you also want one credential to open your office door, go with the FIDO2 + MIFARE version.

How do I register this FIDO2 key with my accounts?

Every major service follows the same flow:

1. Sign in to your account (Google, Microsoft, Apple, Facebook, GitHub, etc.)
2. Go to Security settings → Two-step verification / Security keys / Passkeys
3. Click “Add security key” or “Add passkey”
4. Tap the card against your phone’s NFC area, or place it on a contactless reader connected to your computer
5. Follow the prompt to set a PIN (if required) and name the key

Registration takes 10–30 seconds per account. You can register the same card with many services — it stores a separate cryptographic key pair for each one, so no two services can link your identities through the card.

OS and browser compatibility: iOS supports FIDO2 over NFC on iPhone 7 or later running iOS 13.3 or later. Android currently supports only CTAP1 / U2F (FIDO1) for external NFC keys — not FIDO2 / CTAP2. Most major services maintain CTAP1 backward compatibility, so the card works as a U2F second-factor authenticator on Android, but the feature set is reduced and CTAP1 implementations vary. macOS FIDO2-over-NFC support varies by version and browser. Linux browsers expect FIDO2 authenticators on a HID interface — use the Cryptnox FIDO2 HID bridge to present the card to the browser as an HID-FIDO device. Windows 10/11 has full FIDO2 support across all major browsers. Always test with your specific OS + browser + service before committing to a production deployment.

Is this a FIDO Certified security key? Which compliance frameworks accept it?

Yes — this is a FIDO Certified FIDO2 security key (FIDO2 v2.1 and CTAP Level 1, WebAuthn + passkey support, with legacy U2F backward compatibility). FIDO certification is often a prerequisite or recognized building block for regulatory frameworks that require phishing-resistant hardware MFA:

• US federal agencies — OMB M-22-09 explicitly names FIDO2 / WebAuthn as acceptable phishing-resistant authentication (acceptance for a specific deployment depends on the agency’s authenticator policy and audit context)
• DoD contractors — CMMC 2.0 requires phishing-resistant MFA at higher maturity levels
• US government deployments — NIST SP 800-63B AAL3 lists FIDO2 hardware authenticators
• EU critical infrastructure — NIS2 requires strong authentication for essential and important entities
• EU financial services — DORA requires operational resilience with phishing-resistant MFA
• Payments — PCI DSS v4 MFA requirement for cardholder data environments
• Consumer banking — some banks and exchanges now support external FIDO2 security keys (Bank of America, supported crypto exchanges, and others); coverage varies by institution — verify with your specific bank before purchase

If you need a documented FIDO Certified security key for a compliance deployment, or a hardware authenticator for personal use on services that support external FIDO2 keys (login.gov, AGOV, supported banks), this card qualifies as FIDO Certified hardware — final acceptance at any specific service should be verified with that service.

How do I choose the best FIDO2 security key for my needs?

“Best” depends on your priorities:

• Portability in your wallet: card format (this product) — fits in your cardholder, works with any NFC phone, no dongle hanging off your keychain
• Ruggedness on a keyring: metal dongle format USB / NFC keychain authenticators — built to survive keychain abuse at the cost of size and wallet-friendliness
• Budget: this card is priced as an entry point to FIDO Certified hardware, affordable for individuals and for teams deploying FIDO2 at scale
• Compliance-driven procurement: a traceable, documented manufacturer matters — Cryptnox firmware is designed in Switzerland by Cryptnox SA
• Combined with physical access: if you also need one credential to open your office door, pick the FIDO2 + MIFARE DESFire version instead of the basic card

The card works with every FIDO2-compliant service — from Google, Microsoft, Apple, Bank of America, and login.gov to the Swiss AGOV and SwissID portals — so “best” really comes down to form factor, price, and whether you need dual-application (web auth + building access).

What can the Cryptnox FIDO2 app do?

The Cryptnox FIDO2 app can change the card PIN, factory reset the card, and manage resident keys (list, register, delete). It cannot migrate credentials to another card because FIDO2 private keys are generated and stored inside the secure element and never leave the card. For daily sign-in, the app is not required — registration on each service is done through the standard browser flow.

Is the Cryptnox FIDO2 card FIPS 140-3 certified?

The Cryptnox FIDO2 applet itself is FIDO Alliance Certified (FIDO2 v2.1 + CTAP Level 1). The underlying secure-element platform on this single-application FIDO2 product (NXP JCOP 4.5 on P71D600) is FIPS 140-3 Overall Level 3 validated with Physical Security at Level 4 — NIST CMVP certificate #4679, validated in 2025. FIPS 140-3 is the latest NIST cryptographic-module standard (it superseded FIPS 140-2 in 2026). The FIDO2 applet does not carry a separate FIPS certification.

What Common Criteria certification does this card carry?

The underlying NXP secure-element platform (JCOP 4.5 on P71D600) is Common Criteria EAL 5+ augmented certified, with AVA_VAN.5 (the highest vulnerability-analysis tier in CC) — Netherlands scheme NSCIB-CC-0313985. AVA_VAN.5 is the same vulnerability-analysis level required for EAL 6+ certifications. The Cryptnox FIDO2 applet runs on top of this certified platform.

Which elliptic curve does the Cryptnox FIDO2 applet use?

The Cryptnox FIDO2 applet performs all cryptographic signing on NIST P-256 (P-256 r1), the curve mandated by the FIDO2 / WebAuthn specification. The underlying chip platform supports additional curves (Brainpool 224/256/320/384/512, NIST P-224 / P-384 / P-521, and Secp256k1) on its ECC coprocessor, but the FIDO2 applet exposes only NIST P-256 to remain spec-compliant.