SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

SafeNet MobilePASS+ authenticators

SafeNet MobilePASS+ authenticators requires the STA or STA Premium plan.

The STA Access Management console lists all of the SafeNet MobilePASS+ authenticators deployed to your users and identifies the level of risk associated with the host devices.

Acquisition of risk data requires SafeNet MobilePASS+ 2.0 or later.

View SafeNet MobilePASS+ authenticators

To view a list of SafeNet MobilePASS+ authenticators:

In the STA Access Management console, select the Home tab.
Select the MobilePASS+ Authenticators tab.

All SafeNet MobilePASS+ 2.0 authenticators display in descending order from the time of last use.
In the summary at the top, select Risk Detected to display the at-risk authenticators only.

SafeNet MobilePASS+ authenticator details

The list of SafeNet MobilePASS+ authenticators includes the following information:

Column	Description
Last Used	The time of the last access attempt made with the SafeNet MobilePASS+ authenticator.
UserID / Email	The user ID and email address of the user who made the access attempt.
Authenticator Name	The name of the SafeNet MobilePASS+ authenticator that was used for the access attempt. This name is configured by the user in the token settings of the SafeNet MobilePASS+ app.
Device	Name and model information, based on the device's operating system: Android - Brand name, model, and OS version iOS - User-configured name and OS version Windows - Computer name and OS version
App Version	The version of the SafeNet MobilePASS+ application used by the authenticator.
PIN Status	Type of PIN required to authenticate: No PIN User PIN Biometric PIN Server PIN
Risk Detection	The risk associated with the SafeNet MobilePASS+ authenticator. See Risk detection states.

Risk detection states

The risk detection states for each operating system include the following information:

Risk State	Description	Android	iOS	Windows
Debug	SafeNet MobilePASS+ is running in a debugging environment, exposing all security-relevant data, compromising the token.	safe, suspected, or confirmed	-	safe or confirmed
Hook	A function hook or hooking framework was detected which allows skimming of security critical secrets, like token shared secrets or PIN’s.	safe, suspected, or confirmed	safe, suspected, or confirmed	safe, suspected, or confirmed
Jailbreak	The mobile device is jailbroken, which allows all OS built-in security mechanisms to be bypassed. Security of the token secrets cannot be guaranteed.	-	safe, suspected, or confirmed	-
Root	The mobile device is rooted, which allows all OS built-in security mechanisms to be bypassed. Security of the token secrets cannot be guaranteed.	safe, suspected, or confirmed	-	-

Risk detection state values

Safe - no risk detected
Suspected - some signals indicated a risk, but the data is inconclusive. Could be a false positive
Confirmed - risk is confirmed

Risk detection updates

Android

On Android devices, the application will send the risk data randomly within eight hours of activating the first authenticator. Any updates to the risk detection data will be sent on subsequent application launches or push notification responses, delayed by approximately 30 seconds.

iOS and Windows

On iOS and Windows devices, during the 48 hours following enrollment of the first token, a random check at each application launch determines whether the data will be sent; with a probability of 20%. After 48 hours, risk detection data is sent on each application launch for which a change has been detected.

Data update triggers

Risk detection updates are triggered by:

SafeNet MobilePASS+ application upgrade
Device operating system upgrade
Token information update (new token enrollment, token deletion, token alias change)
User PIN change
Biometric setting change (enable/disable)
Device push setting change (enable/disable push from the device setting)
Risk state change (device is hooked, rooted/jailbreak, debugger attached)

Suggest A Change

SafeNet MobilePASS+ authenticators

View SafeNet MobilePASS+ authenticators

SafeNet MobilePASS+ authenticator details

Risk detection states

Risk detection state values

Risk detection updates

Android

iOS and Windows

Data update triggers

On this page