We develop custom FIDO2 security keys in smart card form factor on NXP JCOP 4.5 P71 — EAL6+ certified, NFC-enabled, and compatible with any WebAuthn service.
FIDO2 and WebAuthn have become the global standard for phishing-resistant authentication. Most FIDO2 keys come as USB dongles — convenient for individual users but problematic at enterprise scale. Smart card form factor changes the equation entirely: the same ISO 7816 plastic credential that your employees already carry for physical access can simultaneously serve as their FIDO2 authentication token, accessible over NFC from any modern smartphone or reader.
Cryptnox implements FIDO2 natively on the NXP JCOP 4.5 P71 secure element — the same platform behind our own FIDO2 card product. The P71 holds a Common Criteria EAL6+ certification, the highest level commercially available in the smart card market, and is the basis for FIDO Alliance certification. Private keys generated for WebAuthn authentication never leave the secure element and are protected against physical extraction even under laboratory conditions.
Our custom FIDO2 development service enables enterprises, governments, and platform providers to issue their own branded, customized FIDO2 credentials. You control the attestation certificates, the card art, the additional applications co-resident on the card, and the issuance infrastructure. The result is a FIDO2 deployment that is fully under your operational and security governance, not dependent on a third-party vendor’s credential store.
The NFC interface on JCOP P71 conforms to ISO 14443 Type A, enabling tap-to-authenticate on iOS 14+, Android 7+, and all modern NFC card readers. Authentication round-trip completes in under 500ms — indistinguishable from contactless payment in user experience. No drivers, no dongles, no USB-C adapters required.
Employees already carry their wallet everywhere. Smart card credentials live alongside payment cards and IDs — the natural home for authentication tokens. Lower loss rates than USB dongles that get left in laptop ports or forgotten at home.
One card replaces door badge, login smart card, and FIDO2 authentication token. A single physical credential manages physical access, Windows Hello for Business login, and WebAuthn authentication across all enterprise applications simultaneously.
Smart cards at enterprise volumes are significantly less expensive than USB keys per unit. Combined with reduced helpdesk burden from lost or broken tokens, the total cost of ownership improvement is substantial at deployments of 1,000 seats or more.
NFC tap works with any NFC-enabled phone on iOS 14+ or Android 7+. Employees authenticating from personal devices, kiosks, or shared workstations get the same phishing-resistant FIDO2 experience without needing a USB port or a specific cable adapter.
Standard FIDO2 certification is just the baseline. The JCOP P71 platform enables a range of customizations that are impossible with off-the-shelf security keys. Cryptnox has implemented each of these in production engagements and can deliver them as part of a custom development project.
Control the trust chain end-to-end. With your own attestation CA embedded in the card during manufacturing, your organization’s FIDO2 keys are cryptographically distinguishable from all other credentials in any WebAuthn relying party. This enables conditional access policies that enforce “only our cards can authenticate to these resources” at the protocol level, not just at the policy layer.
FIDO2 and PIV (Personal Identity Verification) co-resident on a single credential, or FIDO2 combined with a cryptocurrency hardware wallet on the same card. The JCOP P71’s multi-application JavaCard environment enables entirely novel credential combinations that solve operational problems no single-purpose token can address.
Custom provisioning workflows integrated with your identity provider, SCIM directory, or HR system. Deprovisioning that revokes the card’s FIDO2 applet remotely via GlobalPlatform Secure Channel without requiring physical retrieval. Inventory management APIs that give your security operations center real-time visibility into issued credentials.
Custom printing with your organization’s logo, employee photo, name, and access tier. Holographic overlaminates, UV-visible security features, and laser-engraving options are all available through our manufacturing partners. The card your employees carry every day becomes an expression of your security posture and organizational identity.
Financial services organizations face the most demanding authentication requirements of any industry. PSD2 in Europe, FFIEC guidance in the United States, and equivalent frameworks in every major banking jurisdiction mandate strong multi-factor authentication for customer-facing and internal operations alike. FIDO2 satisfies these requirements at the protocol level — and smart card form factor satisfies the physical security requirements that USB tokens cannot meet.
For customer-facing deployments, the smart card FIDO2 credential pairs naturally with existing payment card infrastructure. Your customers already receive a plastic card from your institution. Adding FIDO2 capability to that card — or issuing a companion authentication card — is operationally straightforward and leverages existing card issuance processes. The NFC tap gesture for authentication is identical to the contactless payment gesture customers already perform daily, reducing friction to essentially zero.
For internal bank operations, the convergence of physical access control and FIDO2 authentication onto a single employee credential is transformative. Treasury operations, wire transfer authorization, trading platform access, and administrative control panels all benefit from FIDO2’s phishing resistance. A compromised password alone cannot authorize a wire transfer if FIDO2 is in the path — the attacker would need to physically steal the employee’s card, which triggers physical security protocols entirely.
PSD2, FFIEC guidance, and national banking regulations mandate strong authentication. FIDO2 satisfies these requirements at the protocol level with cryptographic proof that cannot be phished or replayed.
The same tap gesture as contactless payments makes FIDO2 authentication familiar and intuitive for banking customers. Zero friction, zero new hardware required on the customer’s side beyond a smartphone.
Treasury, wire transfers, trading platforms, admin control panels — all protected by phishing-resistant FIDO2. Physical card possession becomes a mandatory factor in every sensitive operation.
Every custom FIDO2 implementation we deliver is built on a consistent technical foundation derived from our production FIDO2 card product. The following specifications apply to standard engagements; we support custom cryptographic profiles and interface configurations for specialized requirements.
| Specification | Detail |
|---|---|
| Standards | FIDO2 WebAuthn Level 2, CTAP 2.1, FIDO U2F |
| Communication | NFC via ISO 14443 Type A |
| Cryptography | ECDSA P-256 for FIDO2 key operations |
| Secure Element | NXP JCOP 4.5 P71, Common Criteria EAL6+ |
| Certification | FIDO Alliance certified |
| NFC Performance | Under 500ms complete authentication round trip |
| Identity Providers | Azure AD, Okta, Duo, Google Workspace, any WebAuthn IdP |
| Developer Resources | Open-source libraries on GitHub, sample integration code |
Yes. Custom attestation is one of the primary reasons enterprises commission custom FIDO2 development rather than purchasing off-the-shelf keys. During the card manufacturing process, we embed your organization’s attestation certificate — issued from your own PKI or a CA we provision on your behalf — into each card’s secure element. When your cards authenticate to any WebAuthn relying party, the attestation statement carries your certificate, which your access policies can use to enforce “only our organization’s cards can authenticate here.” This is fully compliant with FIDO2 metadata service requirements and works with all major identity providers, including Azure AD, Okta, and Duo.
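How a relying party can enforce the “only our organization’s cards” rule, as an added Go example that is not Cryptnox code: it pins one attestation root and accepts a registration only if the attestation chain (`x5c`) verifies to that root. The helper names and all certificates are constructed for illustration; verifying the attestation signature over the authenticator data is a separate step not shown here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed P-256 certificate (sample data); nil parent = self-signed root.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsToOrgRoot reports whether x5c (DER, leaf first) chains to the pinned root; empty or malformed x5c is rejected.
func chainsToOrgRoot(x5c [][]byte, orgRoot *x509.Certificate) bool {
	certs, err := x509.ParseCertificates(bytes.Join(x5c, nil))
	if err != nil || len(certs) == 0 {
		return false
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(orgRoot) // the only trust anchor: the organization's attestation CA
	for _, c := range certs[1:] {
		inter.AddCert(c)
	}
	_, err = certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	org, orgKey := issue("Org attestation root (constructed)", nil, nil)
	card, _ := issue("Org card attestation (constructed)", org, orgKey)
	fmt.Println("org card accepted:", chainsToOrgRoot([][]byte{card.Raw}, org))
}
```

Because the pool holds only the pinned root, a card attested under any other CA, or a registration with no attestation certificate at all, fails the check.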
On iOS 14+, Apple’s Core NFC framework exposes FIDO2 NFC authentication natively through Safari and most WebAuthn-capable apps. The user taps the card to the top of their iPhone when prompted during authentication — the same gesture as Apple Pay. The entire exchange completes in under 500ms. On Android 7+, the experience is similar through the native WebAuthn platform authenticator support in Chrome and other browsers. No companion app is required on either platform for standard FIDO2 authentication. For custom enterprise apps that need deeper integration, we provide iOS and Android SDK wrappers around the core NFC APDU exchange.
Custom FIDO2 development engagements typically begin with a technical discovery call to scope the applet requirements, attestation PKI structure, and any co-resident applications. From there, we produce a development specification and fixed-price engagement proposal. Development and testing typically run several weeks, depending on customization depth. For card manufacturing, minimum quantities depend on the customization level — standard profile cards with custom attestation and branding can be produced at quantities from a few hundred units; more complex multi-application cards may require higher minimums to justify tooling costs. We can discuss your specific volume requirements and timeline during the initial consultation.