gemalto


Diverse Form Factors for Convenient Strong Authentication.


Offering the broadest range of authentication methods and form factors supported by any single vendor, Gemalto facilitates and empowers enterprise-wide initiatives for maintaining and improving strong authentication.

Gemalto - 's authenticators include hardware and software OTP tokens, X.509 certificate-based USB tokens and smart cards, OOB, hybrid tokens, and phone tokens for all mobile platforms. Many Gemalto SafeNet hardware tokens support physical access control to secure buildings and sites.

Allowing you to address numerous use cases, assurance levels and threat vectors, Gemalto - 's SafeNet authenticators are supported by authentication platforms which offer uniform, centralized policy management - delivered in the cloud or on premises. Gemalto management solutions include SafeNet Authentication Service (SAS), SafeNet Trusted Access (STA) and SafeNet Authentication Manager. To tailor strong authentication to your business and IT needs, choose from the authenticators shown below.

Hardware OTP Tokens

Gemalto - 's SafeNet OTP hardware tokens provide a strong and scalable foundation for securing access to enterprise and cloud applications, and complying with privacy and security regulations.

Gemalto - 's SafeNet hardware tokens offer rich case-branding options, and are field-programmable by the customer, enabling organizations to maintain stringent control over their own critical OTP security data.


SAS/STA SafeNet Authentication Manager
SafeNet OTP 110

SafeNet OTP 110 is a cost effective OATH-certified OTP hardware token that features waterproof casing, and enables two-factor authentication to a broad range of enterprise resources.

SafeNet eToken PASS

eToken PASS is an OATH compliant token that allows organizations to conveniently establish one-time password (OTP) -based secure access to network resources, SaaS cloud applications and online services. A compact and portable OTP authenticator, eToken PASS offers secure two factor authentication, in time- sync and event-based modes.

SafeNet GOLD

Offering an additional layer of security beyond basic OTP, the SafeNet GOLD is activated with a personal identification number (PIN), which prompts the authenticator to provide an OTP. In challenge response mode, users activate GOLD with their PIN, and then must validate a numeric challenge on their GOLD authenticator.

KT-4 Token

The KT-4 token is a hardware token that can generate both time-sync and event-based OTPs with a press of a button. OTPs can be configured to comprise passcodes of varying lengths and selectable combinations of digits, upper and lower case letters and punctuation.

RB-1 Keypad Token

The RB-1 generates event-based OTPs with a press of a button, and in challenge-response mode, presents an OTP only after a user enters their PIN.


Certificate-based Smart Cards.


As convenient as another credit card in your wallet, Gemalto - 's SafeNet credit card-size form factors enable enhanced security with PKI Certificate-Based-Authentication (CBA) and enable preboot authentication, disk encryption, file encryption, digital signatures, and secure certificate and key storage.

All Gemalto SafeNet smart card tokens can easily double as physical access cards to secure buildings and sites, in addition to offering rich branding options and support for photo-badging. Depending on the configuration, Gemalto - 's SafeNet certificate-based authenticators are FIPS and CC certified.


IDGo800 Mobile SafeNet Authentication Client
IDPrime MD 3810

PKI minidriver-based smart card. Dual interface and FIPS certified.

IDPrime MD 3811

PKI minidriver-based smart card. Dual interface. MIFARE Classic and/or MIFARE DESFire emulation

IDPrime MD 3840

PKI minidriver-based smart card. Dual interface and CC certified authenticator.

IDPrime MD 830

PKI minidriver-based contact smart cards. FIPS certified.

IDPrime MD 840

PKI minidriver-based contact smart cards. CC certified

SafeNet Prime 8840

Secure MicroSD card. CC certified.


Certificate-Based USB Tokens.


Gemalto - 's SafeNet PKI Certificate-Based Authentication (CBA) USB tokens enable strong authentication to local and remote networks, including VPNs and web-based applications. Depending on their configuration, the certificate-based USB tokens can be FIPS and CC certified (for details, see the "Authenticator Technical Specifications" section).

Providing pre-boot authentication, file encryption, disk encryption, digital signature, and secure certificate and key storage.

SafeNet Authentication Manager offers centralized management of SafeNet authenticators, including certificate life- cycle and self-enrollment functionality.


SASSTA SafeNet Authentication Manager
SafeNet eToken 5110

The eToken 5110 provides PKI based two-factor authentication for secure remote and network access, as well as support for advanced security applications, including digital signature and pre-boot authentication.

Requires SafeNet Authentication Client

Smartphone and Software Tokens


Offering the convenience of phone-as-a-token authentication, Gemalto offers both PKI certificate-based and OTP tokens for portable memory sticks, desktops and smartphones, enabling strong authentication both in the office and on the go.


SAS/STA SafeNet Authentication Manager
eToken Virtual

eToken Virtual is a software based two-factor authentication security solution that provides full PKI functionality for secure remote access, network access, and digital signing.

Requires SafeNet Authentication Client
SMS Out-of-Band Authentication

Delivered by SMS text messages, out-of-band authentication reduces the administrative overhead of a strong authentication solution by removing the need to install software or distribute hardware. Delivery is also available via email.

SafeNet MobilePASS

Supporting all leading mobile platforms, SafeNet's MobilePASS family of OTP software authentication solutions generates One-time Passcodes via a software application installed on desktops or mobile devices. MobilePASS is available in time-sync and event-based configurations, as well as in challenge- response mode, and offers optional PIN protection.

SafeNet MobilePASS+

SafeNet MobilePASS+ is a next generation software token that lets users generate OTPs on their mobile devices, while also offering convenient out-of-band, single-tap push authentication. SafeNet MobilePASS+ offers an enhanced user experience, with optional QR code enrollment and optional biometric fingerprint PIN on iOS and Android devices.


Tokenless Authentication Solutions


Gemalto's tokenless technology enables any user to be authenticated anytime and anywhere.


SAS/STA SafeNet Authentication Manager
GrIDsure Authentication

GrIDsure Authentication works by presenting the user with a matrix of cells during enrollment containing random characters, from which the user selects a Personal Identification Pattern (PIP). Every time the challenge grid appears, the characters in the cells are different, so the user is always entering a one-time passcode.

Context-Based Authentication

By evaluating predefined testable parameters, SafeNet's Context- Based Authentication distinguishes between legitimate login attempts and suspicious ones, safeguarding networks and assets in a completely seamless, transparent manner. Context-Based Authentication provides secure access to a wide range of web-based resources, including SSL VPNs, webbased applications and cloud services.


Authenticator Technical Specifications



Model Supported Management Platform OTP security algorithm Battery lifetime OTP length OTP character type Field Programmable
SafeNet eToken PASS SafeNet Authentication Service, SafeNet Authentication Manager, SafeNet Authentication Manager Express OATH compliant (HOTP and TOTP available in SHA-1 and SHA-256) For event-based OTPs: 7 years For time-synced OTPs: 5 years 6 chars Digits Yes
SafeNet GOLD SafeNet Authentication Service, SafeNet Authentication Manager, SafeNet Authentication Manager Express X9.9 - Challenge response algorithm Synchronous - proprietary event based algorithm 7 years 8 chars Selectable combinations of digits, hexadecimal characters, and user- friendly alphanumeric characters No
KT-4 Token SafeNet Authentication Service AES-256 bit encryption 5 - 6 years 6- 8 chars Selectable combination of digits, upper and lower case letters and punctuation. Yes
RB-1 Keypad Token SafeNet Authentication Service AES-256 bit encryption For event-based OTPs: 5 - 6 years For time-synced OTPs: 5 - 6 years Up to 8 chars Selectable combination of digits, upper and lower case letters and punctuation Yes
SafeNet MobilePASS (software token) SafeNet Authentication Service, SafeNet Authentication Manager, SafeNet Authentication Manager Express Event OTP - HOTP HMAC- SHA-256 Time OTP - TOTP HMAC-SHA - 256 Challenge- response - OCRA HMAC- SHA-256 N/A 8 chars Digits Yes, dynamic reseeding allows organizations to reprogram tokens on-the-fly as required.
SafeNet SSafeNet Authentication Service Event OTP - HOTP HMAC- SHA 256 Time OTP - TOTP HMAC- SHA 256 Challenge- response - OCRA HMAC-SHA256 N/A 8 chars Digits Yes, dynamic reseeding allows organizations to reprogram tokens on-the-fly as required.

PKI Tokens



Model Supported Management Platform Supported Operating Systems API Standards and Protocol Support On-Board Security Algorithms Supported Standards and Specifications Security Certifications
SafeNet eToken 5110 SafeNet Authentication Manager Windows Server 2008/R2, Windows Server 2012 and 2012 R2, Windows 7, Mac OS, Linux, Windows 8, Windows 10 PKCS#11, Microsoft CAPI, PC/SC, X.509 v3 certificate storage, SSL v3, IPSec/IKE, MS minidriver, CNG X.509 v3 certificate storage, SSL v3, IPSec/IKE SafeNet eToken 5110 -Symmetric: 3DES (Triple -DES), AES 128/192/256 bit -Hash: SHA1, SHA256 -RSA 1024-bit / 2048-bit -Elliptic curves: P-256, -P-384 SafeNet eToken 5110 FIPS -Symmetric: AES, 3DES (Triple DES) -128/192/256 bit -Hash: SHA-256 -RSA: 2048-bit, -Elliptic curves: P-256, P-384 SafeNet eToken 5110 CC -Symmetric: 3DES (ECB, CBC), AES (128,192, 256 bits) -Hash: SHA-1, SHA-256, SHA-384, SHA-512 -RSA: up to RSA 2048 bits (and optionally up to 4096 bits) -RSA OAEP & RSA PSS -Elliptic curves: P-256, P-384, P-521 bits, ECDSA, ECDH -On-card asymmetric key pair generation (RSA up to RSA2048 & Elliptic curves) ISO 7816-1 to 4 specifications SafeNet eToken 5110

140-2 level 3(SC chip and OS)

SafeNet eToken 5110 FIPS

FIPS 140-2
level 3

SafeNet eToken 5110 CC

CC EAL5+


PKI Smart Cards



Model Core Message Supported Management Platform Dual Interface Supported Middleware Memory Cryptographic Algorithms ISO Specification Compliance Certifications
IDPrime MD 3811 NFC compliant smart card with on board MIFARE Classic and MIFARE DESFire emulation vSEC:CMS and SafeNet Authentication Manager Yes SafeNet Authentication Client MD memory allows the storage of up to 15 RSA containers Symmetric: 3DES (ECB, CBC), AES (for secure messaging and Microsoft Challenge/Response only) Hash: SHA-1, SHA-256, SHA-384, SHA-512. RSA: up to RSA 2048 bits RSA OAEP & RSA PSS -Elliptic curves: P-256, P-384, P-521 bits, ECDSA, ECDH -On-card asymmetric key pair generation. ISO 7816 contact interface -ISO 14443 contactless interface compatible with NFC IChip certified CC EAL5+
IDPrime MD 3810 NFC compliant smart card vSEC:CMS and SafeNet Authentication Manager Yes SafeNet Authentication Client MD memory allows the storage of up to 15 RSA containers Symmetric: 3DES (ECB, CBC), AES (for secure messaging and Microsoft Challenge/Response only) Hash: SHA-1, SHA-256, SHA-384, SHA-512. RSA: up to RSA 2048 bits RSA OAEP & RSA PSS -Elliptic curves: P-256, P-384, P-521 bits, ECDSA, ECDH -On-card asymmetric key pair generation. ISO 7816 contact interface -ISO 14443 contactless interface compatible with NFC IChip certified CC EAL5+
IDPrime MD 3840 NFC Smart card offer for European Digital Signature / eIDAS vSEC:CMS Yes SafeNet Authentication Client MD memory allows the storage of up to 15 RSA containers Symmetric: 3DES (ECB, CBC), AES (for secure messaging and Microsoft Challenge/Response only) Hash: SHA-1, SHA-256, SHA-384, SHA-512. RSA: up to RSA 2048 bits RSA OAEP & RSA PSS -Elliptic curves: P-256, P-384, P-521 bits, ECDSA, ECDH -On-card asymmetric key pair generation. ISO 7816 contact interface -ISO 14443 contactless interface compatible with NFC CC EAL5+ / PP Javacard CC EAL5+ /PP QSCD Javacard + IDPrime MD applet Chip certified CC EAL5+
IDPrime MD 830 Standard smart card offer for Logical & Physical Access Control SafeNet Authentication Manager & vSEC:CMS No SafeNet Authentication Client MD memory allows the storage of up to 15 RSA containers Symmetric: 3DES (ECB, CBC), AES (for secure messaging and Microsoft Challenge/Response only) Hash: SHA-1, SHA-256, SHA-384, SHA-512. RSA: up to RSA 2048 bits RSA OAEP & RSA PSS -Elliptic curves: P-256, P-384, P-521 bits, ECDSA, ECDH -On-card asymmetric key pair generation. ISO 7816 contact interface Java platform alone: FIPS 140-2 Level 3 Java platform with IDPrime MD applet: FIPS 140-2 Level 3 Chip CC EAL6+ certified
IDPrime MD 840 Smart card offer for European Digital Signature/ eIDAS vSEC:CMS No SafeNet Authentication Client MD memory allows the storage of up to 15 RSA containers Symmetric: 3DES (ECB, CBC), AES (for secure messaging and Microsoft Challenge/Response only) Hash: SHA-1, SHA-256, SHA-384, SHA-512. RSA: up to RSA 2048 bits RSA OAEP & RSA PSS -Elliptic curves: P-256, P-384, P-521 bits, ECDSA, ECDH -On-card asymmetric key pair generation. ISO 7816 contact interface CC EAL5+ / PP Javacard CC EAL5+ / PP QSCD Javacard + IDPrime MD applet Chip CC EAL5+ certified
IDPrime MD 8840 SafeNet Authentication Manager Yes IDGo 800 MD memory allows the storage of up to 15 RSA containers Symmetric: 3DES (ECB, CBC), AES (for secure messaging and Microsoft Challenge/Response only) Hash: SHA-1, SHA-256, SHA-384, SHA-512. RSA: up to RSA 2048 bits RSA OAEP & RSA PSS -Elliptic curves: P-256, P-384, P-521 bits, ECDSA, ECDH -On-card asymmetric key pair generation. ISO 7816 contact interface Java OS: Common Criteria EAL5+ / Javacard PP (Protection Profile) PKI applet: Common Criteria EAL5+ / PP SSCD certified On request: FIPS140-2 Level 3. The secure chip, the Java OS and the PKI / OTP applets are already FIPS certified
IDPrimePIV v2.0 PIV card for Federal Agencies PIV Card management systems Yes PIV certified Middleware This module is based on a Java Card platform (TOP DL V2) with 128K EEPROM memory and the PIV Applet loaded on the Java Card platform -Hash: SHA-1 SHA-256 SHA-384 SHA-512 Symmetric: AES (128-, 192-, 256-bit), Triple DES, double- and triple-length keys with (ECB or CBC modes) Asymmetric: ECC (256-, 384-bit), RSA (1024-, 2048-bit) using an on-card security controller with key pair generation and true random number generator -ISO 7816 contact interface -ISO1 4443 contactless interface compatible with NFC -IU high coercively magnetic stripe FIPS 140-2, FIPS 201-2 and GSA APL Overall Security level: 2 -Roles, Services, and Authentication: Level 3 -Physical Security: Level 3 -EMI/EMC: Level 3 -Design Assurance: Level 3 SCP01 and SCP02 supported with scripting according to GP2.1.1 Amendment A SCP03 supported according to GP2.2 Amendment DECC (256, 384 ) Asymetric algorithms supported nand Fips certified

Contact readers



Product name Main features Casing Interface host With Main standards Supported OS
IDBridge CT30 USB contact reader, compact and transparent casing, stand accessory as an option Transparent USB PC/SC, USB 2.0, CCID1.0, ISO 7816, EMV L1, CE, FCC Windows up to 10, Mac OS, Linux, CE
IDBridge CT40 Similar to CT30 in a slin- line casing Slim line USB PC/SC, USB 2.0, CCID1.0, ISO 7816, EMV L1, CE, FCC Windows up to 10, Mac OS, Linux, CE
IDBridge CT510 Embedded reader in PC Express form factor PC Express USB (on PC Express connector) PC/SC, USB 2.0, CCID1.0, ISO 7816, EMV L1, CE, FCC Windows up to 10, Mac OS, Linux, CE
IDBridge CT700 Desktop pinpad for secure pin entry Desktop pinpad USB PC/SC, USB 2.0, CCID1.0, ISO 7816, EMV L1, CE, FCC Windows up to 10, Mac OS, Linux, CE
IDBridge CT710 Lightweight pinpad for secure pin entry Mobile pinpad USB PC/SC, USB 2.0, CCID1.0, ISO 7816, EMV L1, CE, FCC Windows up to 10, Mac OS, Linux, CE
SafeNet Reader CT1100 Bluetooth badge holder for Mobile PKI with multi-host capability Badge holder Bluetooth Smart (and USB) Bluetooth 4.0, USB2.0, CCID1.0, ISO 7816, CE, FCC Windows up to 10, Mac OS, Android, iOS
SafeNet Reader K1100 Bluetooth token for CA PKI use cases Token -USB -Plug and Play -CCID (Chip Card Interface Device) Bluetooth 4.0, USB2.0, CCID1.0, ISO 7816, CE, FCC Windows up to 10, Mac OS, Android, iOS
IDBridge K30 Compact, USB device offering multi-application dynamic smart card functionality Token -USB -Plug and Play -CCID (Chip Card Interface Device) -ISO/IEC 7816-1,2,3,4: IC Cards with Microsoft Windows Hardware Quality Labs Linux, CE (WHQL), Windows Logo Program WLP 2.0 -USB 2.0 Full speed certified (USB readers listed on usb.org website)-CCID - Chip Card Interface Device 1.0 Windows up to 10, Mac OS, Android, iOS
IDBridge K50 Compact, tamper-evident USB device offering multi- application dynamic smart card functionality. Token -Plug and Play -CCID (Chip Card Interface Device) -USB 2.0 full speed (12 Mbps) -ISO/IEC 7816-1,2,3,4: IC Cards with contacts -Microsoft Windows Hardware Quality Labs (WHQL), Windows Logo Program WLP 2.0 -USB 2.0 Full speed certified (USB readers listed on usb.org website) Windows up to 10, Mac OS, Linux, CE