Air-Gapped MFA

   Right-sized and right-priced
   Traditional and phishing-resistant MFA
   99.999% ("Five Nines") availability
   Legacy apps and devices

Air-gapped multi-factor authentication. SurePassID does it better - and more cost-effectively - than any competing solution.


The experts in air-gapped MFA

SurePassID has been providing modern, advanced user authentication solutions for air-gapped systems in IT and OT for more than a decade.

33% of our install base - literally hundreds of customers - relies on SurePassID to lock down user access within their air-gapped environments.

What makes our advanced, deploy-anywhere MFA platform the solution of choice for air-gapped needs? Because we stand behind it - the experts in air-gapped MFA.


Air-gapped MFA for 5 sites using phishing-resistant MFA


Air-gapped private cloud MFA or "cloud-gapped MFA"

Air-gapped private cloud? It sounds like a misnomer - but it's the future of rapid, cost-effective, and highly scalable MFA for demanding security requirements.

SurePassID has pioneered air-gapped private cloud MFA - or as we like to call it, cloud-gapped MFA - in Azure Commercial, GCC, and GCC High environments.

These are highly locked down private cloud instances that provide customers with the best of both worlds - cloud solutions and air-gapped security. Supported deployment options include:

  • Infrastructure-as-code (Bicep template)
  • Virtual machine (Hyper-V)
  • Container instance (ACI)

SurePassID also offers a SaaS Private managed hosting option for customers seeking a truly turnkey solution. As the experts in air-gapped MFA, we can do it all for you.

Air-gapped MFA for OT and critical infrastructure

Providing air-gapped MFA for OT teams and critical infrastructure operators is a vital mission for SurePassID. We leverage years of experience and hundreds of deployments when building solutions that address the most demanding requirements.

  • Right-sized and right-priced for OT's smaller environments
  • Integrations for SCADA systems like EcoStruxure Geo SCADA Expert
  • Support for legacy applications and devices
  • Support for online and offline use cases

Secure enclave MFA

Securing Controlled Unclassified Information (CUI) for compliance with FISMA/NIST 800-53 and NIST 800-171 /CMMC 2.0 is often done with secure enclaves. These are physically and logically isolated environments where compliance needs can be localized to minimize scope and costs - such as in defense manufacturing.

SurePassID makes it easy and cost-effective to deploy air-gapped MFA within secure enclaves, locking down user access to all CUI no matter where it lives:

  • Shop floor machinery - CNC machines, process control equipment, etc.
  • Windows, MacOS, Linux, and Raspberry Pi endpoints
  • Shared resources like workstations and terminals
  • Servers, data repositories, and full-spectrum librarians
  • Network appliances within secure enclaves
  • Legacy devices and legacy applications

MFA for SCIFs and SAPFs

Sensitive Compartmented Information Facilities (SCIFs) and Special Access Program Facilities (SAPFs) are U.S. government-accredited facilities designed to store, discuss, or process classified or sensitive information.

SurePassID has complete, turnkey solutions for deploying multi-factor authentication within SCIFs and SAPFs - right down to the smallest facilities with only a handful of users and endpoints.

Don't take risks with MFA for your SCIFs and SAPFs. Go with SurePassID, the industry leader in air-gapped MFA. We will ensure that you benefit from our tailored solutions, deep expertise, and unrivaled technical support.


Frequently asked questions about SurePassID air-gapped MFA

Does SurePassID need internet access during installation?

No. In air-gapped mode, SurePassID is a 100% air-gapped MFA solution that never requires internet access.

That includes air-gapped private clouds ("cloud-gapped" systems).

How long does it take to deploy SurePassID in an air-gapped network?

It depends. Air-gapped deployments vary depending on their scale, complexity, and regulatory requirements.

For a few users and endpoints with only a handful of applications to secure, deployment can be as simple as going live after a brief proof-of-concept.

For multiple sites with large numbers of users, heterogeneous apps and devices, and converged credentials or phishing-resistant MFA requirements, the proof-of-concept and deployment can take months.

Regardless, we always move as fast as you need us to - and our Customer Success team is with you every step of the way.

Mobile phones aren't allowed in my air-gapped environment. Can SurePassID provide hardware tokens too?

Yes. We provide a wide range of hardware authenticators ("tokens") - and if necessary, card readers and other complementary hardware - as part of a complete solution:

  • Traditional MFA tokens - OTP display cards, OTP keyfobs, etc.
  • Phishing-resistant passkeys - Yubico Yubikeys, wearable wristbands, etc.
  • Converged credentials - HID Global c2300 Crescendo cards, etc.

Can SurePassID integrate with my SCADA system?

Probably. We have pre-built integrations for many popular SCADA systems, such as EcoStruxure Geo SCADA Expert. We also have a wide range of authentication tools to lock down SCADA systems:

  • SAML2
  • RADIUS (and FreeRADIUS)
  • Proxy server MFA

But there are thousands of different SCADA systems out there, including legacy software applications running on legacy hardware with challenging limitations. It's not always possible - or cost-effective - to add MFA.

Check with us to see if we can integrate with your SCADA system.

I have Raspberry Pi devices in my secure enclave. Can SurePassID lock those down?

Yes. We have PAMs for Raspberry Pi OS (Raspbian/Debian) and other Linux variants.

Providing air-gapped MFA to 11 of 16 critical infrastructure sectors

SurePassID is proud to protect customers that own, support, and supply critical infrastructure - no matter what sector they are in.


How can we help?

Talk to one of our MFA experts about your air-gapped environment and needs. Or jump right into a free trial and see how quick and easy air-gapped MFA can be with SurePassID.