Note regarding FIPS 140-2 validation for SurePassID G-Pass keyfob for AWS GovCloud

We have received a few inquiries about our G-Pass TOTP keyfobs, which are available for use with AWS GovCloud accounts (only), and thought we would set the record straight when it comes to FIPS 140-2 validation.

The FIPS support referred to on our website concerns our Authentication Server, where we can deploy, if a customer requires it, a Hardware Security Module (HSM) to protect the keys of the OATH OTP tokens hosted on our server side. The HSM unit is FIPS certified and protects the secret keys in that scenario. This does not apply to our G-Pass tokens.


Regarding the OATH TOTP G-Pass tokens, it is our understanding that OATH TOTP tokens do not fall under the FIPS requirements because they are not based on key pair or PKI technology which requires the use of crypto modules on the token to protect the private key. There is no private key that requires a crypto module on the SurePassID G-Pass tokens.


Here is an excerpt from an RSA article regarding the TOTP type of tokens:


“In general, FIPS 140-2 is not applicable to hardware OTP devices as cryptography is not used here in the traditional sense. Some people have pointed to the FIPS 140-2 requirement around random number generation (RNG), but [SurePassID] does not use RNG in this way (SurePassID token OTPs can't be a random number or there would be no way for token and server to derive the same value). Others have pointed out the FIPS requirement for performing a Power-On Self Test (POST). Unlike an event-based token that is "powered on" with each button press, however, [SurePassID] time-based tokens are always on and are therefore not subject to this requirement. It is worth noting that RSA [and SurePassID tokens] does perform an initial POST in manufacturing when the token is first powered on and programmed.”


The G-Pass tokens are tamper-resistant and conform to all other OATH standards for TOTP tokens and are used in various government agencies and contractors where FIPS compliance is required for other types of PKI, PIV, and CAC credentials that are based on "smart card" or "smart chip" cryptographic modules.


If you need more information, send an email to or call us at (888) 200-8144 to speak with a SurePassID Solution Advisor.