Thales banner

Two-factor authentication (2FA) solutions


Two factor authentication methods are based on a variety of technologies, most prominently one time passwords (OTPs) and Public key infrastructure (PKI). What is the difference, and which should you use for your organisation?

One-time passwords

One time passwords (OTPs) are a form of ‘symmetric’ authentication, where a one-time password is simultaneously generated in two places – on the authentication server and on the hardware token or software token in the user’s possession. If the OTP generated by your token matches the OTP generated by the authentication server, then authentication is successful and you’re granted access.

PKI authentication

PKI authentication is a form of ‘asymmetric’ authentication as it relies on a pair of dissimilar encryption keys – namely, a private encryption key and a public encryption key. Hardware PKI certificate-based tokens, such as smart cards and USB tokens are designed to store your secret private encryption key securely. When authenticating to your enterprise network server, for example, the server issues a numeric ‘challenge’. That challenge is signed using your private encryption key. If there’s a mathematical correlation, or ‘match,’ between the signed challenge and your public encryption key (known to your network server), then authentication is successful and you’re granted access to the network. (This is an oversimplification. For more details, watch The Science of Secrecy videos by Simon Singh.)

Single sign-on

SSO + MFA + Access Management

All in one platform

What is the best strong authentication method to use?

When it comes to authentication, one size does not fit all. Below are several considerations to keep in mind when choosing the method or methods best suited for your organisation:

Appropriate level of security

While OTP authentication, for example with OTP apps, may provide sufficient protection for most enterprise use cases, verticals that require higher levels of assurance, such as e-government and e-health, may be mandated to use PKI security by law.

Industry standards and mandates

In PKI authentication, a private encryption key is used, which is non-transferrable when stored in a hardware token. Given its asymmetric nature, PKI is used in many parts of the world for higher assurance use cases. However, the security of OTP is also being increasingly recognised by many sectors, for example, healthcare in the US, and satisfies the DEA’s EPCS requirements when a FIPS-compliant OTP app is used.

Depending on regulations relevant to your industry, the hardware or software token you deploy may need to comply with FIPS 140-2 in North America or Common Criteria in other regions of the world.

Physical/logical access

Where a combination of physical and logical access is required, hardware tokens that support RFID-based physical access control may be preferred. Learn more, visit our Physical and Logical Access Control solutions page.

Multi-factor authentication

Regardless of the two-factor authentication technology being used, security can be elevated when assessing additional contextual attributes of a login attempt, such as various device and behavior-based variables. Learn more, visit our Context-based Authentication page.

Mitigating diverse threat vectors

Different authentication technologies are effective in countering different threats. For a survey of authentication methods and the threats they counter, download the Survey of Authentication Technologies White Paper


Deployment and administration costs

OTP authentication has traditionally been more affordable, as well as easier and quicker to deploy, as it does not require setting up a PKI infrastructure that involves purchasing PKI digital certificates from a Certificate Authority for each user. Unlike OTP authentication that utilises OTP apps can be installed on users’ mobile devices and desktops, PKI authentication requires a hardware token to be procured for each user to keep their private encryption key safe. For this reason, OTP authentication usually involves lower deployment costs and less time and effort on the part of IT staff.

When a software token is used, whether PKI-or OTP based, token replacement can be performed over-the-air, eliminating the costs associated with mailing a replacement hardware token.

Retaining current token investments

Organisations that have already deployed a two-factor authentication solutions, whether PKI or OTP-based may seeks ways to retain their current investment.
Where PKI tokens are already deployed, organisations can expand or evolve their deployments to accommodate mobility. To this end, advances in mobile technology such as SafeNet IDPrime Virtual and FIDO devices, may enable an organsation to retain its current token investment and leverage its current PKI infrastructure.
Where OTP tokens are already deployed, organisations can retain their current investment by seeking solutions that support third party tokens and third party RADIUS servers, or seek solutions that can import their current standards-based tokens into a new solution (e.g. OATH-based tokens)


Organisations that offer greater workforce mobility, or extend strong authentication to partners and consultants, may seek increasingly transparent authentication methods. Software and mobile-based tokens, as well as tokenless solutions, provide a more convenient authentication journey that facilitates the implementation of secure mobility initiatives.

SafeNet Trusted Access

SafeNet Trusted Access

See how simple it is to secure cloud apps with SSO

Easily go from global to granular access policies.

Take the next step.

Two-factor authentication products

SafeNet OTP Authenticators: Thales offers the broadest range of hardware, software and mobile-based OTP authenticators, enabling organisations to meet diverse assurance levels when securing any enterprise solution, be it on-premises, cloud-based, remote or virtual.
Learn more

Thales SafeNet OOB Authenticators: Offering out-of-band authentication via push notifications, SMS or email, Thales’ out-of-band authenticators utilise a communication channel other than the one being accessed to deliver a one-time passcode, elevating both security and user convenience.
Learn more

Physical and Logical Access Control: By combining physical access controls with logical access, organisations can secure physical access to offices and secure industrial and manufacturing sites while protecting access to sensitive networks and applications.
Learn more

PKI Authenticators: Thales' suite of SafeNet certificate-based PKI tokens enable secure access to a broad range of resources, as well as other advanced security applications, including digital signature, email encryption and two-factor authentication.
Learn more

2 factor authentication Frequently Asked Questions

Two-factor authentication (2FAs) ensures that a user is who they claim to be. The more factors used to determine a person’s identity, the greater the trust of authenticity.

What is 2 factor authentication used for?

Just as you wouldn’t want your bank to allow access to your checking account with a simple password, you want to make sure your resources are protected by asking employees to provide an additional factor of authentication. This ensures the employees’ identity and protects their login credentials from easily being hacked or stolen. You do not want to allow access to your valuable assets (be it VPN, Citrix, Outlook Web Access or cloud applications) with only one factor – often a weak password.

Two-Factor Authentication enables to strengthen the protection of vital resources by drastically reducing the chances of various security attacks including identity theft, phishing, online fraud and more.

How does it work?

There are multiple authentication methods that can be used to validate a person’s identity. SafeNet offers the broadest range of authentication methods and form factors, allowing customers to address numerous use cases, assurance levels and threat vectors.

  • Hardware-based authentication – an additional hardware that the user physically possesses, without which authentication is not possible.
  • Out-of-band authentication – hardware that is already in the user’s possession and that can be used to receive information securely through SMS or email.
  • Software-based authentication – authentication methods of this type deploy a software application on the user’s computer, smartphone or mobile device.
  • One-time password (OTP) – generate dynamic one-time passwords (OTPs) for properly authenticating users to critical applications and data, whether on a token, mobile device or grid-based authentication.
  • Certificate-based authenticators (CBA) USB tokens – provide secure remote access as well as other advanced applications, including digital signing, password management, network logon and combined physical/logical access.
  • Certificate-based authenticators (CBA) smartcard tokens – traditional credit card form factors that enable organisations to address their PKI security and access control needs.
  • Hybrid authenticators – authenticators that combine one-time password, encrypted flash memory or certificate-based technology on the same strong authentication device.

What is context-based authentication?

Context-based authentication uses contextual information to ascertain whether a user’s identity is authentic or not. It is recommended as a complement to other strong authentication technologies.

SafeNet’s next-generation authentication solutions offer IT administrators a multilayer approach to access control. Employees can easily and securely access enterprise and SaaS applications, as long as they meet pre-defined policy rules set in advance by the administrator. If a user does not comply with the access rules in place, they might be requested to provide an additional authentication factor before they are granted access. This could be an SMS or a one-time passcode generated by a phone token, or a hardware token, depending on organisational policies. Click here to see our Context Based Authentication Infographic.

Does it secure access to cloud applications?

As the switch to the cloud blurs the boundaries of the traditional network security perimeter, organisations are having difficulty affording, implementing and managing consistent, unified access policies to distributed corporate resources. With SaaS adoption growing, there is no longer a single point of entry to corporate apps.

SafeNet authentication solutions overcome this challenge by allowing organisations to seamlessly extend secure access to the cloud through identity federation.  SafeNet authentication platforms leverage organizations’ existing authentication infrastructures, allowing them to extend users’ on-premises identities to the cloud and enabling them to implement unified access control policies for both cloud and network applications. Read more about strong authentication for cloud-based SaaS applications & services

Does 2 factor authentication secure mobile employees and employees with different risk levels?

Providing a single point of management for defining and enforcing access controls to all virtual, cloud, and on-premises resources, SafeNet enables to extend two-factor authentication to all users, at all risks levels, including mobile employees.

Different authentication methods and form factors address the different risk levels of users. As such, an employee that only has access to the enterprise portal will have a different authentication method/form factor than the company’s IT administrator.

How does 2FA work with BYOD adoption?

SafeNet offers several methods to ensure secure access from mobile devices to network resources, email, VDIs and more:

  • User authentication – positively identify users accessing corporate resources via VPN, wireless, access points, VDI.
  • Certificate credentialing for iOS devices – only users whose devices are provisioned with certificates can access corporate resources.
  • Device recognition with context-based authentication – recognises registered users logging into web-based applications from the mobile browser.

SafeNet authentication solutions help secure access in BYOD scenarios by requiring users to register their devices. In this way, organisations may decide that only pre-registered devices may access the network or that non-registered devices require the user to provide an additional method of authentication such as a one-time passcode.

How do we manage all these different needs and solutions?

The need to implement unified access policies to SaaS applications, cloud-based solutions, and on-premise environments is essential in order to set and maintain secure access in current workforce environments, highly influenced by mobility.

Under pressure to reduce costs and prove value, IT administration staff is on a constant quest to reduce their TCO. Streamlined management includes user management, provisioning, single sign-on, strong authentication, authorisation, reporting, auditing and policy alerts integrated with LDAP/Active Directory.

SafeNet’s centrally managed authentication solutions are based on a single management platform that supports:

  • Secure mobility for employees from both corporate-issued and personal mobile devices
  • Secure remote (VPN) access to enterprise networks
  • Secure access to cloud applications
  • Secure access to virtual desktop infrastructures (VDI)
  • Secure network logon
  • Secure access to web portals
  • Advanced security applications, such as pre-boot authentication and digital signing

How does 2 factor authentication fit with the current enterprises' fragmented IT eco-system?

A fragmented IT eco-system hampers security and compliance. Securing employees’ access to enterprises resources under such a fragmented environment is indeed challenging. SafeNet authentication solutions provide a single point of management that applies consistent access controls to the entire IT eco-system. With complete use case coverage, our solutions provide over 100 seamless out-of-the-box integrations for cloud, VPN, VDI, web portals and LAN.

SafeNet ensures frictionless management for IT administrators by providing:

  • Fully automated workflows
  • Solution management by exception
  • Single audit trail of all access events
  • Use self-service portal
  • Secure access from any device
  • Over-the-air dispatch of software tokens

The desire to maintain acceptable levels of access security without burdening end users, combined with the need to support multiple devices, is leading organisations to adopt solutions that have minimal impact on the user experience. SafeNet delivers users frictionless authentication with a wide range of 2FA tokens and tokenless methods of authentication and federated SSO to the cloud.

SafeNet MobilePASS+ Mobile Authenticator App - Push and OTP

SafeNet MobilePASS+ Mobile Authenticator App - Push and OTP - Product Brief

End users and IT teams are experiencing waves of high stress due to the pandemic and escalating cyberattacks. Thales offers a simple and highly secure authenticator app that makes login fast and secure throughout each login session, lowering risk and ensuring secure remote...

Push authentication from your mobile with MobilePASS+