Nitrokey 3

CTAP 2.1

Supports CTAP 2.1, including features like enforced PIN complexity, credBlob, largeBlob, and alwaysUv

More Info

FIDO2 Certification

Certified by the FIDO Alliance as conforming to FIDO2 standards

More Info

FIDO L1 Certification

Certified by the FIDO Alliance to meet L1 Security Standards

More Info

HOTP passwords

Supports Hashed One-Time-Password generation

More Info

Resident Cryptographic Keys

Supports WebAuthn discoverable resident credentials, the building block of passkeys

More Info

Resident ECDSA keys

Supports ECDSA discoverable keys

Resident ED25519 keys

Supports ED25519 discoverable keys

PKCS#11 SmartCard

Conforms to PKCS11 SmartCard interface standards

More Info

Timed OTP passwords

Supports Time-based One-Time-Password generation

More Info

U2F Authentication

Conforms to the U2F Authenticator and WebAuthn standard

More Info

The Nitrokey 3 is the current generation Nitrokey, available in three form factors: the 3A NFC with USB-A and NFC, the 3C NFC with USB-C and NFC, and the 3A Mini, a smaller USB-A only nano variant. All three share the same firmware base, which is built on the open source Trussed framework.

The Nitrokey 3 supports FIDO2, U2F, OpenPGP smart card, PIV, OATH HOTP and TOTP, and a broader set of curves than most keys, including secp256k1 for cryptocurrency users. The discoverable credential capacity was raised to one hundred in early 2026 firmware.

Nitrokey publishes the firmware source and supports updating in the field, both unusual in this market. The hardware uses an EAL6+ certified secure element for key storage.

Older Nitrokey FIDO2 and Nitrokey FIDO U2F products are deprecated and have been superseded by the Nitrokey Passkey for FIDO only use cases and the Nitrokey 3 for everything else.