Access Control

   Windows / MacOS / Linux domain and account logins
   VPNs and RDP / SSH remote access
   Legacy apps and devices

SurePassID makes it quick and easy to add multi-factor authentication (MFA) to your access control points

  • atkins bw
  • niagara bw
  • calfire bw
  • webmd bw
  • ontario bw
  • aetna bw
  • bank of america bw
  • jazz bw
  • giesecke bw
  • uscp bw
  • wns bw
  • collins bw
  • ibm bw
  • fbi bw
  • infosys bw
  • leidos bw

Windows Logon Manager with MFA and Offline 2FA

SurePassID keeps Windows domain and account logons secure – in all use cases. SurePassID seamlessly integrates with Microsoft Windows client and server operating systems to add multi-factor authentication (MFA) to local and Remote Desktop logins. Enforcing Zero Trust and maintaining secure access to company resources has never been easier.

But what if the user is offline when trying to login? Then SurePassID automatically falls back to a compliant HMAC-based one-time password (OATH HOTP) authentication method and an OTP generated by their Push Authenticator app or other registered authenticator. The result is seamless end-to-end authentication with no inconvenience to the user or calls to your helpdesk.

MS-Windows (1)

MacOS / Linux with MFA (PAM)

SurePassID seamlessly adds MFA to MacOS and Linux domain and account logons via the privileged access module (PAM) functionality. No longer do machines running flavors of Unix need to be ignored or special-cased when it comes to MFA. Users simply log into them using the same SurePassID solution and authenticators ("tokens") that they use to log into any other system.

SurePassID has PAMs for MacOS and all major distros of Linux, including:

  • RHEL (Red Hat Enterprise Linux)
  • SUSE
  • Centos
  • Ubuntu

Virtual Private Networks (VPNs)

SurePassID quickly and easily adds MFA to VPN software and hardware solutions that are used for remote access. From newest VPNs to legacy VPNs, we have a solution for you.

For modern VPNs that support the FIDO2/WebAuthn protocol, SurePassID enables you to use passwordless, phishing-resistant MFA, as well as Push, OTP, and Challenge-Response authentication methods.

For legacy VPNs that do not support the FIDO2/WebAuthn protocol, SurePassID enables you to use Push, OTP, and Challenge-Response authentication methods.

Supported VPN hardware vendors include Cisco, Zyxel, GL.iNet, Netgear, UTT, Dell Sonicwall, D-Link, and Linksys.

aca-rdp-ssh-subheader - Edited


Connecting remotely to workstations and server infrastructure is an everyday occurrence for IT/OT organizations – and a focus of ransomware gangs and hostile state actors exploiting security breaches. No matter whether you’re using Windows Remote Desktop Protocol (RDP) or Secure Shell (SSH) protocol, securing remote access on local consoles or via incoming connections is essential to Zero Trust and regulatory compliance.

SurePassID Authentication Server seamlessly integrates with your identity provider and RDP or SSH servers to secure remote access with MFA. For RDP, Credentialed User Access Control (UAC) elevation requests can invoke MFA depending on your Windows UAC configuration. For SSH, MFA can be applied to both Shells and Tunnels. The result is RDP/SSH multi-factor authentication that you can rely upon.



SurePassID Authentication Serve can secure any RADIUS-compliant or TACACS+ system such as Microsoft Universal Access Gateway, VPN routers/devices, Citrix applications, Wi-Fi access points, FreeRADIUS on Linux distros, Cisco applications, and more. SurePassID supports key features such as:

  • Challenge Response – The server “challenges” the user for any of their registered assigned credentials. Most challenges will be to provide a One Time Password (OTP) after successfully entering a valid username and password. (Some RADIUS and TACACS+ devices only support single-factor authentication, in which case two-factor authentication (2FA) is added by appending the OTP to the user’s password.)
  • Proxy Server Chaining – In RADIUS authentication, there are often multiple RADIUS servers as part of the authentication process.
  • nFactor Authentication Framework – Enables organizations to define dynamic authentication methods at the time of authentication on a user by user basis.

But SurePassID’s strengths don’t end there. As a highly extensible solution, our platform encompasses on-prem, cloud, and hybrid deployment architectures. No matter what your RADIUS or TACACS+ clients and remote access gateways look like, SurePassID can secure it with RADIUS and TACACS+ multi-factor authentication.


Reverse Proxy MFA

Adding MFA to legacy devices and shop floor equipment isn't always easy. They often lack modern interface points, are not connected to Active Directory (AD), do not support modern authentication methods, and may not even support the concept of user accounts.

In those challenging IT/OT situations, SurePassID deploys a reverse proxy MFA solution using NGINX. That enforces MFA and creates an audit trail by requiring users to log into the reverse proxy before they can access the legacy devices or equipment.


Frequently asked questions about SurePassID

What are SurePassID's deployment modes?

  • Software-as-a-Service (SaaS Public, SaaS Private)
  • Windows Installer Package (Microsoft Windows Server 2012-2022, any edition, and Microsoft Windows 8-11)
  • Virtual Machine (Microsoft Hyper-V)
  • Container Image (Docker/Kubernetes, Microsoft ACI, Amazon ECS)
  • Embedded (Windows 7 or later, Linux OpenEmbedded for 32/64-bit ARM/PPC/MIPS/x86)
  • Secure Element (NXP EdgeLock SE050/SE051, NXP A71CH/A71CL/A1006)

How long does it take to deploy SurePassID?

Cloud deployments can occur same day.

On-premise and air-gapped deployments will vary depending on the complexity of your requirements.

Regardless, our Customer Success team will be with you every step of the way.

Can SurePassID integrate with my IAM solution?

As a SAML 2.0 IdP, SurePassID easily and seamlessly adds MFA to any existing IAM solution, such as Okta or Ping Identity.

SurePassID also integrates with Third-Party directory services, such as Workday, Oracle, and SAP.

We even integrate with legacy SCADA systems that have built-in user directories.

What makes SurePassID better than other MFA solutions?

  1. Unmatched on-premise and air-gapped capabilities
  2. Outstanding technical support
  3. Unbeatable value

How secure is SurePassID?

SurePassID is the most hardened MFA solution on the market. We never stop innovating to protect our customers from evolving cyberthreats.

  • USA company
  • Secure SBOM (Software Bill of Materials)
  • Secure user and token provisioning (QR code to one-time-use provisioning page)
  • Comprehensive logging and audit trail
  • FIPS 140 mode
  • AES 256 encryption for data at rest
  • SHA 256 or SHA 512 encryption for data in iransit
  • And much more...

How much does SurePassID cost?

Visit https://www.surepassid.com/pricing for a complete guide to SurePassID Authentication Server pricing and features.

An MFA solution should be a game changer

See how SurePassID can help you authenticate anywhere, eliminate passwords, and use one solution.