Multi-Factor Authentication

Universal Authentication Methods Widely Deployed Across The U.S. Federal Government

Offering the broadest range of authentication methods and form factors, Thales allows customers to address numerous use cases, assurance levels, and threat vectors with unified, centrally managed policies—managed from one authentication back end delivered in the cloud or on premise.

Supported authentication methods include context-based authentication combined with step-up capabilities, OOB, one-time password (OTP) and X.509 certificate-based solutions. All authentication methods are available in numerous form factors, including smart card, USB token, software, mobile app, and hardware tokens.

Thales TCT offers both its own line of government-specific, high assurance authentication solutions and Thales CPL’s commercial-of-the-shelf authentication solutions.

Multi-Factor Authentication Solutions

Thales’s range of certificate-based smart cards offer strong multi-factor authentication in a traditional credit card form factor and enable organizations to address their PKI security needs. Thales’ smart cards offer a single solution for strong authentication and applications access control, including remote access, network access, password management, network logon, as well as corporate ID badges, magnetic stripes and proximity.

Thales’s certificate-based smart cards meet the highest security standards, including FIPS 140-2 Common Criteria CC EAL5+ and eIDAS compliancy, and enable compliance with security regulations. Thales TCT’s Smart Card 650 (SC650) is certified for use in defense networks.

Thales TCT Smart Card 650

SC650 enables strong two-factor authentication and proof-positive user identification in all PKI environments and is certified for use in Defense Networks. It supports numerous algorithms, X.509 digital certificates and on-card certificate validation.

IDPrime Plug & Play Smart Cards

IDPrime Smart CardDual interface IDPrime smart cards are Minidriver-enabled PKI certificate-based smart cards that provide a high level of assurance of the identity of the user.  The IDPrime product portfolio is made up of a variety of cards with varying feature choices, including contactless technologies, certification type, and secure storage. SafeNet Authentication Client  extends the compatibility of these smart cards to any type of application in Windows environments or contact interface smart cards and are compatible with any environment through support by the SafeNet Authentication Client.

IDPrime PIV - PIV ID Credentials for Gov Agencies

IDPrime PIVThales’s IDPrime PIV  card is a FIPS 140-2 and FIPS 201 standards-based card for government agencies, state and local government organizations to issue users credentials that the federal government can trust. The same card can be used for either a CIV or PIV-I-based deployment depending on company policies and use requirements. IDPrime PIV cards deliver high levels of security for identity management, interoperability and trust with federal agencies and departments as well as serving as a form of passwordless authentication.

Thales’s portfolio of certificate-based USB tokens offers strong multi-factor authentication in a traditional USB form factor, enabling organizations to address their PKI security needs. Thales PKI USB tokens offer a single solution for strong authentication and applications access control, including remote access, network access, password management, network logon, as well as advanced applications including digital signature, data and email encryption.

Depending on their configuration, the certificate-based USB tokens can be FIPS and CC certified.

eToken 5110+ FIPS

TAA-compliant, ultra strong authentication, security in a convenient, portable form factor. Secure remote and network access, as well as certificate-based support for advanced security applications, including digital signature and pre-boot authentication.

eToken 5300 FIPS

Deploy the military-grade security of PKI, while maintaining a convenient solution for employees. Used with any USB connection for IAM applications such as network authentication, digital signatures, email encryption & other advanced services based on PKI.

eToken 5300 USB-C

Portable two-factor USB-C authenticator with advanced smart card technology, customizable logo and presence detection. Used with any USB connection for IAM applications such as network authentication, digital signatures, email encryption & other advanced services based on PKI.

eToken FIDO/Fusion (PKI/FIDO CC)

Ultra-secure MFA—Portable Form Factors. 

SafeNet eToken Fusion Series

The SafeNet eToken Fusion Series enables organizations to utilize passwordless phishing-resistant authentication methods improving security for enterprise resources accessed from any device. This series allows presence detection and supports all PKI and FIDO use cases. The SafeNet eToken Fusion Series includes an option with CC certification.

SafeNet eToken Fusion is available in two form factors: USB-A and USB-C. The USB-C form factor enables users to authenticate to any cloud resources by plugging this token to their mobile devices (phone/tablets).

SafeNet eToken FIDO

The TAA-Compliant SafeNet eToken FIDO is a USB token, an ideal solution for enterprises looking to deploy passwordless authentication for employees. This FIDO authenticator is a compact, tamper-evident USB with presence detection, which creates a third factor of authentication: Something you have (physical token), something you know (PIN), something you do (touching the token).

Thales TCT sKey3250

sKey3250, a high assurance certificate-based USB authenticator ,contains a custom smart card ASIC, the SCC650, developed on-shore by Thales TCT. This SCC650 ASIC designed to the highest security principles, implements a security architecture found in other Thales TCT certified ASICs, and is fabricated at a trusted foundry.

SafeNet’s One-Time Password (OTP) Authentication products generate highly secure one-time passwords ensuring that only properly authenticated users are authorized access to critical applications and data. SafeNet OTP authenticators are available in both time- and event-based versions, never expire, and require no battery replacements. They also comply with OATH standards and are ideal for remote access solutions.

SafeNet OTP 110 Token

OATH-certified OTP hardware token

Enables multi-factor authentication to a broad range of resources. Featuring time and event-based configurations and waterproof casing, the SafeNet OTP 110 can be used anywhere a static password is used today.

SafeNet OTP Display Card

OATH-certified OTP token in credit card form factor

With a press of a button, the SafeNet OTP Display Card generates a highly secure, unique one-time passcode (OTP) that is linked only to your card. Secure access to any enterprise resource, be it cloud, web portals, VPNs, custom applications or virtual environments.

eToken PASS OTP Authenticator

Compact & portable OTP device

Conveniently and effectively establish OTP-based access control. Strong and scalable framework for implementing user access control, increasing employee productivity and complying with regulations.

Thales offers many different tokenless authenticators. Utilizing this solution is a great way to offer your end user both security and convenience. Prevent hacking attempts and breaches by circumventing the need to provision and ship a physical token.

Out-of-Band or SMS

Delivered by SMS text messages or email, out-of-band authentication reduces the administrative overhead of a strong authentication solution by removing the need to install software or distribute hardware.

Push OTP

Safenet MobilePASS+

SafeNet MobilePASS+ is a next generation software token that offers secure one-time passcode (OTP) generation on mobile devices, as well as single-tap push authentication for enhanced user convenience. Integrating out-of-the-box with a broad range of enterprise resources, the MobilePASS+ app offers frictionless authentication for users, as well as simple management for IT administrators.

Grid Authentication


Thales’s GrIDsure flexible authentication method allows an end-user to generate a one-time password without the requirement for hardware tokens or software applications. GrIDsure tokens work by presenting the end-user with a matrix of cells which contain random characters, from which they select a ‘personal identification pattern’ (PIP).