
Physical Security Cards: Phish-Resistant Authentication

  • welka2111
  • 1 day ago
  • 4 min read
NFC card readers, USB devices, and a card on a hexagon-patterned surface. "Neowave" and "NFC" visible, with tech-focused ambiance.

Introduction

I’ve been lucky enough to get my hands on some exciting new tech, courtesy of HID and Neowave, and both of them are members of the FIDO Alliance. They manufacture a range of phish-resistant security keys and security cards, and I’ve spent some time testing them out.

If you’ve followed my previous Passwordless / Phish-Resistant Authentication series (Part 1–4), you’ll know I went deep into the subject - comparing several popular FIDO2 security keys from top vendors. Most of that content is still relevant today, but as we all know, technology evolves faster than my morning coffee goes cold.

Rather than repeating everything I’ve already covered in that series, this post is short, sweet, and focused on my hands-on experience with these new physical security keys in card form.


Before we dive in - shoutout to Jan Bakker, who recently delivered an excellent session on passkeys at the Microsoft 365 Security & Compliance User Group (https://www.meetup.com/m365sandcug) I co-organise with Ru Campbell and William Francillette. You can check out the user group and register for future events (yes, you do need to register for each one to get the Teams link - don’t shoot the messenger!).


Jan has also been posting tons of great content on passkeys, so definitely go and give his work a look (https://janbakker.tech/)


Right - let’s talk security cards.





1. What are physical security cards?

Physical security cards are smart, phish-resistant authentication devices that use strong cryptographic standards (such as FIDO2 or PKI) to verify a user’s identity. They look like standard ID badges but contain secure chips capable of storing cryptographic keys. When used with a compatible reader, they enable passwordless, phish-resistant sign-ins to systems, applications, and networks.

Now, to put it simply - think FIDO2 security keys, but shaped like a standard ID badge.

These cards combine digital authentication and physical access control in one device, offering a secure and convenient way to prove who you are, both online and in the real world.

These security cards can:

  • authenticate you to online services (e.g. signing into M365 apps)

  • act as physical access badges to unlock doors, buildings or server rooms

One card. Two use cases. One less thing to lose in your backpack.


It’s a clever approach - especially for organisations already using physical access systems. Instead of giving staff a badge plus a separate USB key, you can combine them into a single secure card.

What’s more, these cards can also be used to authenticate to some legacy or on-premises systems that still rely on smart card–based authentication methods. This makes them particularly useful in hybrid environments where cloud and on-prem infrastructure coexist, offering a modern, phish-resistant experience without leaving older systems behind.


2. My testing experience

I dusted off a smart card reader from Amazon (you can buy similar ones easily - they work with most NFC cards). I also now have the Neowave NFC reader (it is the LinkeoA-NFC model which you can read about here), which works brilliantly too.

Two NFC readers, black and white, on a hexagonal-patterned surface. A card labeled "NEOWAVE Badgeo NFC FIDO2" is below them.

Setup is simple:

Using it is even easier:

  1. Open any portal and start signing in

  2. Enter your email

  3. You’ll be prompted for your passkey PIN

  4. Enter your PIN

  5. Tap your security card on the reader

Boom - you’re in.
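What the sign-in service checks behind the PIN and tap steps, as an added example (not code from this post, HID, Neowave or Microsoft): the PIN surfaces as the user-verified flag, the tap as the user-present flag, and the browser-reported origin plus the RP ID hash are what bind the sign-in to the real site. The function names, the `example.test` values and the sample bytes are constructed; verifying the signature against the stored credential public key is left out here and is still required in a real relying party.

```python
import base64
import hashlib
import json
import struct

UP, UV = 0x01, 0x04  # WebAuthn authenticator-data flags: user present, user verified


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, auth_data: bytes,
                    challenge: bytes, origin: str, rp_id: str) -> list:
    """Return the names of failed checks; an empty list means all passed."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(challenge):
        failures.append("challenge")          # stale or replayed response
    if client.get("origin") != origin:
        failures.append("origin")             # page was not the real site
    if len(auth_data) < 37:                   # 32-byte hash + flags + counter
        return failures + ["authData too short"]
    rp_id_hash, flags, _count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash")           # credential scoped to another site
    if not flags & UP:
        failures.append("user presence (tap)")
    if not flags & UV:
        failures.append("user verification (PIN)")
    return failures


def sample(origin: str, rp_id: str, flags: int, challenge: bytes):
    """Constructed client data and authenticator data for a given site."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 1)
    return client, auth


if __name__ == "__main__":
    chal = b"constructed-challenge-0001"
    rp, site = "login.example.test", "https://login.example.test"
    print(check_assertion(*sample(site, rp, UP | UV, chal), chal, site, rp))
    print(check_assertion(*sample(site, rp, UP, chal), chal, site, rp))
    print(check_assertion(*sample("https://login.example-test.invalid",
                                  "login.example-test.invalid", UP | UV, chal),
                          chal, site, rp))
```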

Both the HID Crescendo card (which you can read more about here) and Neowave security card (link here) were very easy to set up and use, and I’m excited to lab even more advanced scenarios with them soon!


I also tested a few of Neowave's FIDO2 keys. The ones pictured below are:

  • Winkeo-C FIDO2 (link)

  • Winkeo-A FIDO2 (link)

  • Winkeo2-A FIDO2 (link)

Each one worked seamlessly in my tests and offered the same simplicity and reliability I’ve come to expect from established FIDO2 devices.


NFC cards and USB keys on a hexagonal-patterned surface. One card inserted into a reader, with visible text: Neowave, NFC, and website URL.


3. Why not just use other phish-resistant options?

You might be thinking: “Why bother with a security card when I can use a FIDO2 key or Windows Hello for Business?”

Great question. Here’s why cards still matter:

  • Physical access: Security cards can unlock buildings and rooms, not just apps. Some FIDO2 keys can’t open a door.

  • Not all devices support Windows Hello for Business. And if yours does support face sign-in - lucky you! (Also, I’m slightly jealous if you don’t do that awkward dance every morning while your camera insists you’re either too close or too far away before you cave and type your PIN.)

  • Compatibility with older and on-prem systems: Many organisations still have on-prem infrastructure or legacy applications that support smart card authentication. Security cards bridge the gap between modern, passwordless authentication and those older systems, helping you modernise securely at your own pace.

  • Accessibility and simplicity: I recently spoke with a client whose users are visually impaired or not especially tech-savvy. For them:

    • Small FIDO2 keys can be fiddly

    • On-screen prompts can be confusing

    • A tap-and-go card is much easier and safer

  • Familiar form factor: Everyone already knows how to use an access badge. No training needed. Just tap.


Conclusion

Phish-resistant authentication is evolving, and physical security cards are an excellent addition to the toolkit.

They offer the security of FIDO2, the convenience of a badge, and the accessibility that some other authentication methods can lack. Plus, they can integrate with legacy systems and on-prem infrastructure, making them a flexible choice for many organisations.

I’ve had a great experience testing both HID’s Crescendo card and Neowave’s Security Card, and I can’t wait to explore more advanced scenarios and integrations - stay tuned, because I’ll be sharing those soon.

If you haven’t already, check out my previous passwordless series for the deep dive (part 1, part 2, part 3, part 4).


Finally, a huge thank you to HID and Neowave for the opportunity to test and explore their latest phish-resistant authentication tech - it’s been a pleasure!
