SAASPASS is the only identity and access management tool
you need to secure your corporate network or your own
personal data, a comprehensive and frictionless solution
fully-secured with dynamic passcodes and out-of-band
multi-factor authentication. Whether logging into your work
emails and company apps, accessing your personal online
bank account, making purchases at online retailers,
browsing social media, or even unlocking the door of your
car, home, or hotel room, SAASPASS allows you to use your
mobile or other enabled device to manage all your digital
and physical access needs securely and conveniently.
Category: General
Why do I need SAASPASS to secure my personal data?
Usernames and passwords are not very secure, but simply
adding proper multi-factor authentication (MFA) to your
most sensitive apps can reduce your likelihood of getting
hacked by at least 80%. The problem, however, is that most
MFA products add several time-consuming and inconvenient
steps for the user. Also, simply using an MFA solution
doesn’t necessarily mean you’re more secure, as some forms
of MFA used by sites are known to be less secure (such as
text-message-based verification codes). In order to
comprehensively secure your computer as well as your
personal apps and services, on all your devices, multiple
products must typically be cobbled together.
SAASPASS cuts through that complexity and is the
only identity and access management tool you need to secure
your personal data, a comprehensive and frictionless
solution fully-secured with dynamic passcodes and
out-of-band multi-factor authentication. With a single
product, it allows you to use your mobile phone or other
enabled device to manage all your digital and physical
access needs securely and conveniently.
Category: General
My phone is broken, lost, or stolen. What do I do?
If you set up recovery options before your phone was
disabled, lost, or stolen, then you can now initiate a
recovery. When you download the app on your new phone, and
run a recovery, your SAASPASS account will automatically
clear from your original device. Here are detailed
instructions:
https://saaspass.com/how-to-recover-saaspass-id-account
If you have not previously set up the recovery options, and
you have not cloned your SAASPASS ID onto another device,
you must now set up a new account.
Category: Users
Why does my company need SAASPASS?
SAASPASS is the only identity and access management tool
you need to secure your corporate network, a comprehensive
and frictionless solution fully-secured with dynamic
passcodes and out-of-band multi-factor authentication.
Whether logging into your work emails and company apps,
accessing your personal online bank account, making
purchases at online retailers, browsing social media, or
even unlocking the door of your car, home, or hotel room,
SAASPASS allows you to use your mobile or other enabled
device to manage all your digital and physical access needs
securely and conveniently.
- Replace hard tokens or repurpose existing tokens by integrating with SAASPASS
- Replace ID cards, single sign-on products, and password managers with a single, easy-to-use solution
- Secure every access point to your corporate network, personal data, physical door, or IoT device using out-of-band MFA with dynamic passcodes
- Login to your PC, with full MFA, even when offline
- Authenticate to cloud-based and on-premise apps securely and seamlessly
- Eliminate password breaches and their impact on you or your organization
- Eliminate the costs and risks of purchasing and managing security tokens and hardware
- Eliminate the manual typing of passwords and the resources involved with password complexity rules and resets
- Minimize admin resources by streamlining the provisioning and deprovisioning of employees and temporary partners to your active directory and corporate apps
- Control and instantaneously manage network access by employees and partners
For more industry-specific information, check out our White Papers.
Category: General
How does SAASPASS provide security?
SAASPASS secures organizations and individuals primarily
by adding multi-factor authentication with dynamic
passwords from the operating system level all the way down
to individual apps and services, integrating seamlessly
with both on-premise and cloud applications. Because cloud
applications are accessible from many locations,
authentication security is paramount. Most enterprise cloud
platforms (like Google Apps and Salesforce) are accessible
both inside and outside the office, and from a variety of
different devices, leaving corporate network perimeters
dramatically more extended and exposed than just a few
years ago. With SAASPASS, users can authenticate to their
corporate and personal apps and services securely and
conveniently, without an easy-to-steal or guess static
username and password, and regardless of their location or
device.
Also, because SAASPASS offers the full-stack
of identity and access management solutions in one product,
it’s able to provide seamless and integrated security
without the risk of security holes and cracks that result
from stitching together different products. The usability
and convenience inherent in such a comprehensive design
also reduces circumventions. Other intrusive or tedious
security products, or combinations of products, encourage
employees and other individuals to find ways to evade
security measures.
Category: General
Why does SAASPASS use an orca in its logo?
In addition to being a beautiful and super cool marine
mammal, the orca, also known as a "killer whale,"
represents SAASPASS’ mission of "killing" the
password.
Category: General
Why is SAASPASS the superior solution?
In the marketplace of identity and access management
(IAM) solutions, enterprises often cobble together two or
more solutions in order to meet their needs, for example,
pairing a single sign-on product with an MFA hard token.
There are obviously extra resources involved with managing
multiple solutions from different vendors, but just as
important are the inevitable cracks and seams resulting
from relying on a patchwork of products. Some of these
fragmented solutions are less secure; others are simply
less convenient. SAASPASS offers seamless security and
greater convenience for less time and cost to you and your
organization.
By providing a comprehensive and
frictionless solution fully-secured with dynamic passwords
and multifactor authentication, SAASPASS is the only IAM
tool you need to secure your corporate network or your own
personal data. However, its advantage is not simply in its
range. SAASPASS has engineered each of its features to be
independently second to none. Using out-of-band MFA with
dynamic passwords, SAASPASS enables you to securely
authenticate and login to your PC from your mobile
phone or wearable device.
Other IAM products are
typically designed for enterprise, while some are geared
towards individuals. These two approaches are often viewed
as separate or incompatible, the result being that
individuals are frequently forced to use a different
solution to secure their personal data at home as they do
at work. SAASPASS takes a very different approach to IAM
with its individual-oriented enterprise solution. SAASPASS
understands that for an organization to be truly protected,
its security perimeter must be extended to protect its
employees, suppliers, and subcontractors--anyone with
access to the corporate network. A password breach of an
employee using Facebook, for example, on his or her
personal computer in an airport or at a Starbucks, can
provide just enough information for a hacker to gain access
to that employee’s corporate network. SAASPASS extends the
security perimeter without compromising the individual’s
privacy. The SAASPASS ID serves as a key to the network,
but it is owned by the individual, not the enterprise. When
an employee changes jobs, he or she doesn’t get a new bank
account or a new driver’s license, and yet, most likely
both are required to operate as an employee. Employers
don’t own an employee’s identity, and yet they are
vulnerable if that employee’s identity is compromised.
Personal and enterprise security are inextricably linked.
Unlike other IAM products, SAASPASS has crafted its
solution with this important reality in mind.
SAASPASS also distinguishes itself from others
because of its unrelenting attitude towards passwords.
Other products, particularly password managers and app
authenticators, and even many single sign-on solutions,
seem content to help users manage passwords or facilitate
their use. SAASPASS does not accept the status quo and
strives to replace passwords wherever and whenever
possible. By continuously expanding our list of secure
links to apps, SAASPASS will not stop until passwords are
eradicated. Leave your mother’s maiden name and childhood
pet back in the 20th century where they belong! It’s time
to commit pass-ticide. Move beyond passwords with the only
full-stack identity and access management solution.
Category: General
What devices does SAASPASS support?
SAASPASS works seamlessly on iPhones, Android phones,
Blackberry, and many feature phones. Over 350 Java MIDP2
enabled mobile phones have been tested and certified
through our extensive internal quality assurance process,
and we constantly test and certify new models as they
become available.
SAASPASS works basically like a
traditional lock and key system, where your "key" is your
mobile phone or other SAASPASS-enabled device, and the
"lock" can be a computer, a smart lock on your car or home,
an IoT device, and so forth.
THE KEY:
SAASPASS can be installed and/or cloned onto any device that supports:
- iOS (iPhone, iPad, Apple Watch, etc)
- Android (Android phones, Android tablets, Android Wear Watches, Kindle Fire, or other Android devices)
- BlackBerry
- Feature Phones (any device that supports J2ME)
- Tokens (key fobs, etc)
THE LOCK:
SAASPASS can be used to secure and authenticate to any device that supports:
- Windows
- Linux
- Custom IoT OS, using our API (i.e. smart locks)
Category: General
What is multi-factor authentication and how does SAASPASS deploy it?
When you authenticate your identity to a website, an app,
or any kind of service or product that requires
identification, you typically use a username and a
password. This is the first layer, or "factor," of
authentication. Because hackers have countless ways of
obtaining this information, usernames and passwords on
their own are no longer considered secure. Adding a second
or third "factor" to verify your identity is known as
"two-factor authentication" or "multi-factor
authentication" and makes it exponentially harder for
hackers to access your accounts. The verifying factor can
be something you know (a PIN), something you are (a
fingerprint), or something you have (a key fob, ID card, or
mobile device).
Multi-factor authentication (MFA) can
drastically reduce the risk of hacks, but both the
ease-of-use and the level of security provided by different
MFA solutions vary widely across the spectrum. Sending and
receiving dynamic passcodes by SMS, for example, as some
MFA solutions do, should hardly be classified as MFA, as
the message is highly vulnerable to interception in
man-in-the-middle attacks. Also, passwords should be
dynamic, so that even if acquired, they cannot be reused or
sold. Only out-of-band MFA solutions with dynamic
passwords, such as SAASPASS, offer the high levels of
security associated with MFA.
As for convenience,
typical MFA solutions require anywhere from 4 to 6 steps in
order to securely sign in. SAASPASS can do the same in just
a single step, with just a touch of a biometric sensor.
SAASPASS provides strong and frictionless MFA through its
mobile app and on a number of mobile platforms that include
iPhones, iPads and Androids among others. The random number
generated through the mobile app can be used to
authenticate to any website, service, or device through
either our Authenticator format or through custom
integration using our RESTful APIs and SAML adapters to
over 300 of the top SAAS products.
Category: General
Why is SAASPASS’s multi-factor authentication superior to SMS-based solutions?
Typical SMS-based solutions involve sending
one-time-passwords (OTPs) to a phone via SMS. A user then
enters the transmitted password into an online site to
authorize a transaction. These SMS messages are
unencrypted, insecure, and can be susceptible to
interception in what are known as man-in-the-middle hacks.
SAASPASS uses an out-of-band multi-factor authentication
(MFA) solution, with your device generating the code
itself, with dynamic passcodes to provide higher levels of
security.
Category: General
What are dynamic passwords and how does SAASPASS use them?
Multi-factor authentication (MFA) using dynamic passcodes
is possible on any SAASPASS-enabled mobile device. SAASPASS
one-time passcode generation is offline and user-generated
to provide out-of-band MFA. With a single touch, users can
generate a one-time passcode to supplement static usernames
and passwords with added security. The random passcode
changes every 30 seconds and can be automatically populated
to any website, service, or device through either our
Authenticator format or through custom integration using
our RESTful APIs and SAML Adapters to over 300 of the top
SAAS products.
The one-time passcodes are generated by
the SAASPASS app which is available on nearly every mobile
device on the market today: iPhones, iPads, Android phones,
Android tablets, Blackberrys, and Java ME feature phones.
Category: General
What is single sign-on (SSO) and how does SAASPASS SSO work?
Single sign-on products are often used by organizations to
secure links to cloud-based apps using a SAML or other
protocol, eliminating the need for passwords. SAASPASS’s
single sign-on console operates basically like a secure
bookmarks folder for all your corporate applications,
allowing you to sign-in and authenticate to any corporate
app or service securely with a click of the mouse.
Category: General
What is a password manager and how does the SAASPASS password manager work?
While single sign-on products are often used by
organizations to secure links to cloud-based apps using a
SAML protocol, eliminating the need for passwords, password
management products typically just store and populate
usernames and passwords into a browser. These are often
used by individuals, rather than enterprises, as they are
more about convenience than security. Through its
Authenticator format, SAASPASS is able to integrate a 2FA
security layer into its password management flow, providing
the same level of convenience as other password managers,
but with added security.
In cases where an app or service
does not enable 2FA, SAASPASS still serves as a traditional
password manager, authenticating to those apps
automatically with just a stored username and
password.
Category: General
How does SAASPASS authenticate to apps for SAASPASS to App authentication?
With our API, developers can add secure sign in to their
Apps, where SAASPASS offers the same convenience as logging
into apps with Facebook or LinkedIn, but with the added
security of dynamic passwords.
Category: General
How does SAASPASS manage endpoint access?
Secure endpoint access management, which basically involves
putting multi-factor authentication on physical stuff, to
lock and unlock a computer for example, typically requires
extra hardware such as smart card readers and usb key fobs.
These must be purchased, managed, replaced, tracked, and
are cumbersome to deactivate. SAASPASS can lock or unlock
Windows or Linux-based machines in a fully
cross-platform manner with no additional hardware.
Category: General
How does SAASPASS authenticate to Physical Access Control Systems (PACS)?
Offline capabilities are unique to SAASPASS. Other Endpoint
Access Management and Multi-factor Authentication products
typically only work when connected to the Internet,
reverting to static credentials when offline, but because
of its superior design, SAASPASS can be used to login or
lockdown your PCs securely, using dynamic MFA,
even while offline.
This capability is particularly
important for authenticating securely to PACS. Many PACS
that claim to be secure only encrypt the transport layer
that carries the credentials, and for the most part still
rely on static credentials, opening them up to attacks.
Building SAASPASS into your
PACS using our RESTful APIs allows users to authenticate to
your smart lock or PACS using dynamic passwords (always
changing).
Category: General
How does SAASPASS authenticate to Internet-of-Things (IoT) devices?
As the quality of IoT devices becomes increasingly
associated with security, having superior features or a
more aesthetic design for your product are no longer
adequate competitive advantages. Security must also be a
primary concern. Many IoT devices that claim to be secure
provide only the security of encryption, and
almost 100% of IoT devices still rely on static
credentials. Building SAASPASS into your device allows
users to authenticate to the device using dynamic passwords
(always changing), even when those devices are offline
(i.e. during a power outage or an earthquake). In fact, our
superior design gives us offline capabilities that are
unique to SAASPASS, and these are particularly important to
securing IoT devices. Build SAASPASS into your device using
our APIs.
Category: General
What are SAASPASS’s offline capabilities?
Offline capabilities are unique to SAASPASS. Other Endpoint
Access Management and Multi-factor Authentication products
only work when connected to the Internet, but because of
its superior design, SAASPASS can be used to login or
lockdown your PCs securely, using dynamic MFA,
even while offline.
This capability is particularly
important for securing IoT devices. Many IoT devices that
claim to be secure provide only the security of
encryption, and almost 100% of IoT devices still rely on
static credentials. Building SAASPASS into your device
allows users to authenticate to the device using dynamic
passwords (always changing), even when those devices are
offline (i.e. during a power outage or an
earthquake).
Category: General
Is SAASPASS cloud-based?
Yes. SAASPASS is a cloud-based identity and access
management solution. Simply download and install the
SAASPASS application, and you’re done. There’s no hardware
needed and no servers or other equipment to manage or
maintain. You focus on your business while we focus on
keeping you and your business protected in the most
convenient and least intrusive way possible.
Category: General
Does SAASPASS require hardware?
No, we believe software tokens to be easier to manage and
deploy, although we do have support for hard tokens for
those organizations that may need them. As technology
evolves, SAASPASS will continue to evaluate how hardware
improvements might be used to enhance security.
Category: General
Can I use SAASPASS with other IAM solutions (i.e. Google Authenticator, YubiKey hard tokens, etc)?
Yes. SAASPASS can replace any and all combinations of IAM
products, offering seamless, integrated, security in a
single product. However, for a variety of reasons, some
companies or individuals may choose to use a different
product to integrate with SAASPASS for one part of their
IAM stack. This can be done easily and effectively.
Category: General
How does SAASPASS compare with hardware solutions (i.e. smart cards, key fobs, etc.)?
Hardware solutions like smart cards and key fobs must be
purchased, managed, replaced, tracked, and cannot always be
easily deactivated if they fall into the wrong hands.
SAASPASS can lock or unlock Windows or Linux-based
machines in a fully cross-platform manner with no
additional hardware.
A mobile device, which typically is
in an owner’s possession at all times, can be considered a
trusted device. The window of opportunity for a thief to
commandeer a phone without notice is substantially smaller
than stealing an ID badge or token: you realize your phone
is gone long before you miss any key fob or card. This
short period gives one the opportunity to take preventative
action before any damage is done.
Category: General
Can I pair multiple devices with one SAASPASS ID?
Yes, of course! Pair your smartphone, tablet, work computer
and personal laptop with a single SAASPASS ID. Each time
you add a new device, synchronize all the devices online.
Category: General
What is my SAASPASS ID and how does it work?
The SAASPASS ID is owned by the individual, is unique to
the individual, is portable, and can be used for both work
and personal use. The same ID can even be used by a user
employed at multiple companies. Because corporate and
personal data operate in sandboxed silos, company admins
can manage and configure user access to their own corporate
network, but have no access to the employee’s personal apps
and services, or another employer’s network. This allows a
company to extend the security perimeter of their
organization to the personal data of employees, without
compromising their privacy.
Category: General
Will SAASPASS prevent my personal or corporate data from being hacked?
If an attacker stands over your shoulder as you type your
SAASPASS PIN into your mobile device, and that same
attacker physically steals your device, then your personal
data and corporate data are vulnerable. This is the same
physical risk level you face everyday as you carry around
your ATM card and the keys to your home and car. However,
the risk is minimized in the case of SAASPASS, because you
can quickly disable the stolen device through a number of
different options (i.e. call your mobile service provider
and disable your phone number or transfer to another
device, disable your stolen device from a cloned SAASPASS
device, etc.)
The greatest threat to your cybersecurity
is not from a physical attack, but through a remote hack,
and hacking is exponentially more difficult to do on a
SAASPASS-enabled device. Compromised passwords and user
credentials are the number one source of hacks, and
SAASPASS virtually eliminates this risk through its design
and layered use of proper out-of-band multi-factor
authentication.
Category: General
Can SAASPASS itself be hacked? How and why is it more secure?
No solution can guarantee 100% security from every kind of
attack, and one should be wary of any solution making this
claim. SAASPASS, however, does everything possible to be
the most secure solution available on the market, and has
been penetration-tested by numerous organizations. As an
organization, SAASPASS employs security best-practices,
including requiring that all employees use multi-factor
authentication. Additionally, all critical systems operate
behind relevant firewalls and deploy numerous other
defensive measures against attacks.
Category: General
What controls are in place to ensure the SAASPASS Recovery process is secure?
A critical weakness of many security products or features
is often the recovery process. Recovery can create a
backdoor that leaves the solution as a whole vulnerable to
attack. SAASPASS has devised a number of measures to keep
our recovery process from being the weak link in the chain.
Some of these added precautions make the recovery process
less convenient, but users can decide on their own what
level of security they require. When a Recovery is
initiated on a device, the SAASPASS account is always
automatically deleted from all other devices. A recovery
question can also be added, and a verification code delay
can be applied. For the most concerned users, Recovery can
be disabled completely, so that an account cannot be
restored.
Category: General
If my mobile device is the "key" to "unlock" my computer, then isn’t my mobile itself a weak link?
No. First of all, mobile devices are inherently more secure
than desktop and laptop computers for several reasons.
Mobile devices use "sandboxing" to separate and constrain
apps from communicating with each other without explicit
permission. It’s much more difficult to secretly install
software on a mobile device, and even if malware finds its
way into the mobile device, these isolated sandboxes can
limit the spread and impact. Also, one can download
software to a desktop computer from any website, but the
apps typically downloaded and used on mobile devices are
purchased through reputable stores (i.e. Apple Store,
Google Play) which vet apps and require developer
registration.
However, even though mobile devices have
natural security advantages over computers, SAASPASS takes
sandboxing and other security precautions even further
through its use of out-of-band multi-factor authentication,
encryption, and device management to alert you in case of
unauthorized use of your SAASPASS ID. The connection from
your mobile device to your cloud-based or on-premise apps
is secure and encrypted, and uses multi-factor
authentication with dynamic passwords, so there is no
backdoor.
Also, even though the mobile device is the
"key" that unlocks your computer or other device, you still
must unlock the key itself through a PIN code or biometric
fingerprint. This PIN code uses our own custom-built
keyboard platform which can even be randomly scrambled at
each use for extra security.
Category: General
Can a hacker re-engineer a SAASPASS app to produce codes matching those in my app?
No. Each SAASPASS ID is unique and verifiable, so only an
original SAASPASS application downloaded from an authorized
app store (i.e. Apple Store, Google Play) can be paired
with the SAASPASS system.
Category: General
Can the SAASPASS control display be compromised?
As with any security system, reverse engineering and
building modifications are difficult but not impossible.
However, a modified version of SAASPASS is useless within
the SAASPASS system, because it cannot be paired without
the personalization data embedded in a legitimate version
of the application.
Category: General
How does SAASPASS protect the PIN you use to access the mobile app?
SAASPASS goes above and beyond conventional best-practice
for PINs by using our own custom-built keyboard, rather
than relying on integration using the keyboard APIs built
for the device’s operating system, as all competing
solutions do. This means that other apps downloaded onto
your device cannot gain access then "listen in" to your PIN
as it’s being typed into the keyboard. SAASPASS also has a
"Scrambled Keypad" option which, when turned on, scrambles
the keyboard randomly each time users are prompted to enter
their PIN.
Category: General
How does SAASPASS manage or store passwords, and what controls are in place?
By default nothing is stored on servers; however,
activating features such as Recovery necessitates it. When
you set up Recovery, your passwords are stored on SAASPASS
servers, but they are fully encrypted, hashed, and salted
in accordance with industry best-practice. Moreover, even
in the unlikely event that hackers successfully ran a
brute-force or dictionary attack on each hash in our
database, the dynamic passcodes used to add a second layer
of verification to your authentications are generated by
your own device and change every 30 seconds. Without
obtaining this second factor, breached usernames and
passwords aren’t as useful to a hacker.
Category: General
Does SAASPASS encrypt passwords?
Yes. When your passwords are stored on SAASPASS servers,
they are fully encrypted, hashed, and salted in accordance
with industry best-practice. Moreover, even in the unlikely
event that hackers successfully ran a brute-force or
dictionary attack on each hash in our database, the dynamic
passcodes used to add a second layer of verification to
your authentications are generated by your own device and
change every 30 seconds. Without obtaining this second
factor, breached usernames and passwords are useless to a
hacker.
Category: General
How does SAASPASS encrypt the data sent from the mobile device to the computer?
All communications between your mobile device, your
computer, and our servers are completely encrypted to
industry standards, including the Bluetooth offline
communications.
Category: General
I received an email from SAASPASS but I don't use SAASPASS?
Someone probably added an account that uses your email
address into their SAASPASS Password Manager such as a
Netflix or Newspaper subscription account, which
automatically informs you as the owner. The other option is
that someone may have hacked your email account and added
SAASPASS as a 2FA layer, in which case you would have to
contact your mail provider about fraudulent activity.
Category: General
Are passwords on SAASPASS laptop app, and SAASPASS Web SSO unreadable to all parties?
Yes, they are always encrypted, both at rest and in
transit. When you sign in to your laptop, your laptop
"inherits" the credentials from your app (only if you have
SSO turned on from the app for that computer), which
remains encrypted within the SAASPASS agent and only gets
decrypted and used when you click on a credential in the
password manager/Authenticator/shared accounts... fields.
Anything in the company applications field is passwordless,
and your account sign in is asserted using SAML/OATH or
other industry standard technologies via certificate from
SAASPASS to the Service being authenticated to. If you are
talking about a remote launch of a service, initiated from
the app, to launch in the computer, we have considered
that. It is on our distant roadmap, not a near term
priority though.
Category: General
Has any independent Technical Agency verified / certified your solution for performance / security parameters etc?
A number of our customers have conducted security audits
on us before they adopted us, including military
contractors and government entities worldwide.
Category: General
How do I install and setup SAASPASS?
Please check out our User page for clear instructions
and tutorials.
Category: Users
How do I uninstall my Windows Connector?
If you are using Windows 10, please make sure to use
"Apps & features" in the "System" group of your Settings;
otherwise, please use the "Uninstall a program" option
under the Programs category of your Control Panel to remove
it from Windows. Do not delete the SAASPASS mobile
phone app until you have fully removed the connector and
completed successful restarts.
Category: Users
Can I download SAASPASS onto more than one device?
Yes, of course! Pair your smartphone, tablet, work
computer and personal laptop with a single SAASPASS ID.
Each time you add a new device, synchronize all the devices
online.
Category: Users
What if I don’t have a smartphone?
A smartphone is not required to run SAASPASS. The
SAASPASS mobile app runs on any of the following
devices:
- iOS (iPhone, iPad, Apple Watch, etc)
- Android (Android phones, Android tablets, Android Wear Watches, Kindle Fire, or other Android devices)
- BlackBerry
- Feature Phones (any device that supports J2ME)
- Tokens (key fobs, etc)
Category: Users
Can I integrate my YubiKey or other hardware token with SAASPASS?
Yes. The SAASPASS admin console has detailed
instructions for how your admin can pair a hard token with
a SAASPASS ID.
Category: Users
What is the computer connector and do I need to download one?
The computer connector modifies login at the OS level to
require a second factor of authentication--the dynamic
passcode generated by your SAASPASS or other integrated
token. Additionally, the computer connector comes
integrated with a Single Sign-On agent.
Category: Users
Does the computer connector have other languages?
No, but the app itself comes in numerous
languages.
Category: Users
What are the browser extensions/plugins and do I need to download them?
The browser will prompt you to download an extension, if
needed. This can be downloaded directly from the SAASPASS
site, or through reputable stores such as the Firefox or
Chrome extension stores.
Category: Users
I'm using Google Authenticator but I want to transfer all my accounts to SAASPASS. How can I do the switching and migration?
The auto-pairing is intended to work when you don't have
2FA active on your account to begin with. If you already
have it, via Google Authenticator, you would first need to
turn it off. Then, add it again, saying you will use an
Authenticator app. But instead of using the Google
Authenticator app, you would scan the pairing code with
your SAASPASS app, type the pairing code back into the
service you are using, and you'll be done. If you want to
use SAASPASS's single sign-on capabilities, you would also
need to save your password under that authenticator in the
SAASPASS app. SAASPASS would essentially replace your
Google Authenticator app. SAASPASS has a number of security
and usability advantages over the Google Authenticator,
including that the seed is encrypted and protected by your
PIN entry or Touch ID. Also, you can clone it onto other
devices, such as a backup phone or a tablet/iPad, and you
can turn on Recovery should you wish.
Category: Users
My SAASPASS isn’t allowing me to login, what can I do?
If your computer won’t accept your OTP code, first make
sure the clock in your computer is in sync with the one on
your mobile device. If necessary, change the time on your
phone to be synchronized with the computer.
If that doesn’t work, try restarting your computer.
Automatic computer updates can sometimes cause the
computer’s username and password to be rejected until the
computer is restarted.
If SAASPASS will still not let you log in, please contact
our support team.
Category: Users
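Why an out-of-sync clock makes a passcode fail, as an added example (not SAASPASS code): it assumes the dynamic passcode is a standard RFC 6238 time-based one-time password, which this page does not state, and the 30-second step, 6 digits and one-step acceptance window are illustrative assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6   # passcode length (assumed)

# Constructed sample seed: the published RFC 6238 test key, not a real secret.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """Passcode shown by a device whose clock reads unix_time."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, verifier_time: int, window: int = 1):
    """Check a code against the verifier's clock.

    Returns the step offset that matched (0 means clocks agree on the step),
    or None when the code is outside the accepted window.
    """
    base = verifier_time // STEP
    for off in range(-window, window + 1):
        if base + off < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, base + off), code):
            return off
    return None


def skew_report(secret: bytes, verifier_time: int, skews, window: int = 1):
    """For each phone clock error in seconds, is the phone's code accepted?"""
    return {
        skew: verify(secret, totp(secret, verifier_time + skew),
                     verifier_time, window) is not None
        for skew in skews
    }


if __name__ == "__main__":
    computer_time = 1111111095   # constructed: 15 s into a 30 s step
    for skew, ok in skew_report(SAMPLE_SECRET, computer_time,
                                [0, 20, 90, -90]).items():
        print(f"phone clock off by {skew:+4d}s -> accepted: {ok}")
```

A verifier can widen the window to tolerate more drift, but every extra step also lengthens the time an observed code stays usable, so correcting the clock is the better fix.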
Can I log in to my computer with SAASPASS if I have no internet connection?
Yes. Users can login manually or through the Proximity
Feature, with full dynamic MFA, even when offline.
Category: Users
What does silent mode do in the SAASPASS desktop application?
Silent mode means that SAASPASS Connector desktop app
will not interrupt the users and will not show warnings and
messages such as when you lose internet or get it back,
etc.
Category: Users
I am attempting to ‘Get started’ with the SAASPASS iOS app, but consistently get the error message, "Connection Error." I’m a new user, registered through my company, and unable to get past the Get Started prompt.
That error occurs when the SAASPASS app cannot
communicate with the SAASPASS servers for activation. If
you’re on your company’s wi-fi, try switching it off and
using 3G/4G/LTE etc. That should solve the issue.
Meanwhile, if you will be using SAASPASS regularly at the
company, make sure that your network allows ports 5222 and
443 to have unfettered inbound and outbound communication
to SAASPASS.
Category: Users
After updating the SAASPASS mobile app, why does the app say it’s updating when I launch it?
This is a security measure. When SAASPASS senses it has
been updated, it connects to SAASPASS servers to verify
that the app update was an official update.
Category: Users
I just ran updates on my computer and now I cannot log in with SAASPASS?
After your computer runs updates, occasionally you must
power off your computer completely, then restart. If you
are still locked out, please contact our support
team.
Category: Users
I changed the password to my computer and now I cannot login with SAASPASS?
When you change the login password to your computer, you
must also change it in the mobile app. Click on the
computer in the Computer Login section of the mobile app
and enter in the new password.
Category: Users
How do I login to SAASPASS with a Pattern/Fingerprint/Touch ID?
In the mobile app under Settings, select PIN Settings.
In the menu, turn on the method you would like to
enable.
Category: Users
Do I need to pair my phone to use the proximity login feature?
Yes. To customize your pairing settings for the
Proximity Login feature, go to Settings in the mobile app
and select Proximity. Choose your preferences from this
menu.
Category: Users
How do I get my proximity login feature to function properly?
In the mobile app under Settings, select Proximity.
Customize your preferences in this menu.
Category: Users
How do I get my barcode (QR code) scan to load and function properly?
Your computer must have an Internet connection to use
the barcode scan login feature. Without a proper Internet
connection, the QR code will not load and display properly.
If you do have an internet connection, but it’s still not
showing a QR code, then it means a firewall or other
network configuration is blocking one of the ports needed
by SAASPASS.
Scan barcode is available on iPhones, Android phones and
Blackberry 10 phones. Scan barcode is also available on
most iPads and Android tablets.
Category: Users
What is Remote Login and how do I get it to function properly?
The Remote Login feature works through an Internet
connection, turning your mobile device into a remote secure
key that can unlock and launch devices and applications
using dynamic multi-factor authentication.
Category: Users
What is Push Login?
Similar to the Remote Login feature, the Push Login
feature allows users to login to apps with the push of a
button. However, while Remote Login works on devices paired
with a user’s SAASPASS ID, Push Login requires no plug-ins
or any other downloads, so it can be useful for login to a
public or shared computer.
Category: Users
How do I log in manually?
After typing in your computer login and password
manually, enter in the dynamic passcode listed in your
mobile app for the select computer. This can be done even
without an Internet connection.
Category: Users
How do I set up password manager?
While single sign-on products are often used by
organizations to secure links to cloud-based apps using a
SAML protocol, eliminating the need for passwords, password
management products typically just store and populate
usernames and passwords into a browser. These are often
used by individuals, rather than enterprises, as they are
more about convenience than security. Through its
Authenticator format, SAASPASS is able to integrate a 2FA
security layer into its password management flow, providing
the same level of convenience as other password managers,
but with added security.
In cases where an app or service does not enable 2FA,
SAASPASS still serves as a traditional password manager,
authenticating to those apps automatically with your stored
username and password.
Category: Users
When a browser prompts me to "save my password," do I need to click "yes" in order for my SAASPASS password manager to function properly?
No. If you click "save my password" when prompted, you
are telling the browser to save a password, but if you have
already set up SAASPASS password manager, then the
passwords are securely saved in your SAASPASS account, and
don’t need to be saved in the browser, which is at times
one of the stores of information most easily exploited by
attackers.
Category: Users
How do I authenticate to an app?
In the Authenticator section of the mobile app, click on
the "+" for a number of app integration options. If you
select "Choose Authenticator," you can select from our
hundreds of supported applications and integrate
automatically using the ready code we have created.
If you are currently using Google Authenticator (or another
Standalone Authenticator), in order to transfer your
authenticated apps, you should first turn Google
Authenticator off. Then, add it again, this time opting to
use an Authenticator app. However, instead of using the
Google Authenticator app, scan the barcode with your
SAASPASS app, type in the pairing code, and you'll be done.
To use SAASPASS' single sign-on capabilities, you will also
need to save your password under that email address in the
SAASPASS mobile app. SAASPASS would essentially replace
your Google Authenticator app.
SAASPASS has a number of security and usability advantages
over the Google Authenticator, including that the seed is
encrypted and protected by your PIN entry or Touch ID.
Also, you can clone it onto other devices, such as a backup
phone or a tablet/iPad, and you can turn on Recovery should
you wish.
Category: Users
How do I authenticate to an app that is not on this list?
We currently support hundreds of applications listed
here. If we do not currently support an app that is under
your own control, please see our Developers site for
instructions on how to add your app. If you are unable to
add, or if you’d like to authenticate to a third-party
application that we do not currently support, please
contact our support team.
Category: Users
What if an app does not allow two-factor authentication?
If an app or service does not allow two-factor
authentication, you can still use SAASPASS as a password
manager for your convenience. When you click on that app,
your username and password will be automatically populated
for convenient sign-in, but for that app, you will not have
the added security of multi-factor authentication. If you’d
like to authenticate to a third-party application that we
do not currently support, please contact our support
team.
Category: Users
How do I erase an authenticated app?
In the mobile app, under Settings, select "Erase My
Data." Click "Continue" and you will be asked to
authenticate again as an added security measure. Next,
select the apps you wish to erase. Never erase an App if
you still have authentication with 2FA / MFA turned on for
that app, as you will be unable to login without the
code.
Category: Users
How can I change the order of my menu in my SAASPASS app?
In the mobile app, under Settings, select "Custom Menu
Layout." From there, you will be able to rearrange your
menu as desired.
Category: Users
What is the "Scrambled Keypad" in the PIN settings?
The Scrambled Keypad randomly changes the order of the
keypad when turned on, to add additional security to the
PIN on your mobile app so that people in your vicinity
won’t be able to guess your PIN based on where on the
screen they see you touching.
Category: Users
Can I use SAASPASS for Apple’s 2FA, as well?
No. Apple currently doesn’t allow any third-party 2FA /
MFA.
Category: Users
Can I use SAASPASS to authenticate to a door (or other product)?
Yes. If our SAASPASS APIs are used to integrate a smart
lock or other device, you can "lock" or "unlock" a door or
item from your mobile device just as you would a
computer.
Category: Users
What is the "Locker" and how do I use it?
The Locker feature allows users to store important and
sensitive information (i.e. passport numbers, credit card
or bank account information) in an encrypted, sandboxed
vault on their device. Only the user can access his Locker.
Users can opt to turn on synchronization between devices,
which enables the information in the Locker to be accessed
and synchronized on any of his cloned devices, and for the
information to be restored in the event of a SAASPASS
recovery.
Category: Users
In the mobile app, what is the difference between "Open in Browser" and "Open in App"?
In "Open in App" on the mobile device, a user signs into
a service through a browser built into the SAASPASS app, at
which point the username, password, and dynamic
one-time-password are automatically populated.
In "Open in Browser," the user must manually enter his or
her username and password for that app, then press "paste"
when prompted for the dynamic code (SAASPASS automatically
copies the relevant dynamic code to the user’s clipboard).
Because of the manual entry, the In-Browser function is
slightly less convenient than the In-App function, but in
some cases, depending on the app, it can provide the user
with a better interface.
Category: Users
I work for two companies that both use SAASPASS. Can I add (or be added) to a second company account?
Yes. Your SAASPASS ID belongs to you and is portable. It
can be linked to multiple companies. The admins at each
company have zero access to anything in your SAASPASS app
except for the specific corporate apps and services in
their network to which they configured you.
Category: Users
What happens to my SAASPASS account if I leave my company?
When you are deprovisioned from a corporate network, you
lose access to all the corporate apps and services, and
these instantly disappear from your mobile app. Your
personal apps and services remain, as well as any corporate
apps from other employers you may have.
Category: Users
What is Device Management and how does it work?
In Device Management, under Settings in the mobile app,
you can view all your SAASPASS-enabled devices, and delete
any as needed.
Category: Users
How do I remove or disable a SAASPASS-enabled device?
To remove or disable a SAASPASS-enabled device, go to
Settings in the mobile app. Under Device Management, you
can view all your SAASPASS-enabled devices, and delete if
needed. Also, if you download the app onto a device, and
run a recovery, your SAASPASS account will automatically
clear from all other devices.
Category: Users
I just got a new phone or device. How do I transfer my existing SAASPASS account?
When you download the app on your new phone, and run a
recovery, your SAASPASS account will automatically clear
from your original device. If you prefer to keep your old
phone, and want your SAASPASS app to remain enabled on it,
then you can clone your SAASPASS ID from the original
device onto the new device. This will enable you to use
SAASPASS on both devices.
Category: Users
What is cloning and how does it work?
Clone your SAASPASS ID onto two or more devices in a
fully cross-platform manner, from an iPhone to an Android,
for example. Cloning allows you to backup your SAASPASS ID
without resorting to a SMS-based Recovery and security
questions. If desired, you can permanently turn off
Recovery and use only a Cloned SAASPASS device to restore
your ID to other devices.
To clone your SAASPASS ID, go to Settings in the mobile app
of your original device, select "Clone SAASPASS ID," then
enter your PIN. A cloning code will be generated as well as
a barcode that can be scanned. Download the SAASPASS app
onto the target device, and choose the Cloning option at
the bottom right after activating it. Next, use the new
device to scan the cloning code on your original device, or
manually enter the code.
Category: Users
Why should I consider cloning my SAASPASS ID onto another device?
Cloning to a second or third device can add convenience
in case your original device is lost, stolen, or disabled.
In this case, there would be no need to initiate a SAASPASS
Recovery; the original device can simply be removed through
the Device Management menu.
Also, the cloned device can serve as a convenient and
immediate backup in case the original device has no power
or is temporarily disabled.
Category: Users
Can someone clone my SAASPASS ID onto their device without me knowing?
No. For someone to clone your device, they would need
full possession of your original device, and they would
need to know your PIN to access the SAASPASS app within
that device. Even in the unlikely event that someone was
able to obtain access this way, without your knowledge, and
then clone your ID to their own device, that new device
would appear in your Device Management console.
Category: Users
Can I use or clone to a device that doesn’t have an associated phone number, like an iPad?
Yes. You can always use or clone to a device that
doesn’t have an associated phone number, but if it’s your
only SAASPASS-enabled device, you will not have recovery
capabilities if you lose that device.
Category: Users
Are there any weaknesses in the cloning process?
The risks of having your SAASPASS ID cloned to more than
one device are not too different from having more than one
key to your house door. The chances of a key being lost
potentially increase, but unlike a key, which can be used
by anyone if found, the SAASPASS app can’t be used unless
the finder already knows the correct PIN. Additionally,
from the Device Management menu, one can always deactivate
any cloned devices that go missing, thereby limiting risks
significantly.
Category: Users
What is SAASPASS Recovery and how do I initiate it?
Recovery enables you to restore your SAASPASS account
onto a new device. In order to be able to initiate a
Recovery, you must set up Recovery options before your
mobile device was disabled, lost, or stolen. Here are
detailed instructions:
When you initiate a Recovery, your SAASPASS account will
only be restored on the mobile device on which you are
running the Recovery. Every other SAASPASS mobile app
associated with your SAASPASS ID immediately clears and
resets on any device on which it is installed or cloned.
Category: Users
How and why should I set up my recovery when I initially set up SAASPASS?
When you first install SAASPASS, you should set up
Recovery in the event that your mobile device is lost,
disabled, or stolen. Here are detailed instructions:
https://saaspass.com/how-to-setup-secure-recovery-two-factor-authentication-2fa
Category: Users
If someone obtains unauthorized access to my phone number, can they steal my SAASPASS ID?
If someone is able to hijack your phone number (not your
phone), so that calls and SMS messages to you are
redirected to their device, theoretically, the SMS
verification code would then be sent to them if they
initiated SAASPASS Recovery from their device. With that
code, they could Recover your SAASPASS account to their
device. As extremely unlikely as this is, SAASPASS offers
protective measures against this scenario:
1. Setting up a Recovery question requires the phone number
thief to answer the question before receiving the
verification code.
2. Adding a delay to the verification code creates a, say,
20-hour window before the verification code is sent, during
which your SAASPASS account is frozen and you can contact
your mobile service provider to alert them that your number
has been stolen.
3. Recovery can be disabled completely, so that there is no
way to restore your account to any other device.
Category: Users
I have initiated SAASPASS Recovery, but I have not received a verification code?
If you have not received a verification code after
initiating SAASPASS Recovery, most likely you either did
not set up Recovery when you installed the app, or you set
a verification code delay. If neither of these has
occurred, please contact both your mobile service provider
and also our support team.
Category: Users
During Recovery, isn’t the verification code (sent by SMS) vulnerable to interception?
To minimize the risk of interception when your
verification code is sent by SMS during SAASPASS Recovery,
SAASPASS has the following security controls:
The verification code is a dynamic one-time password, so
once you use it, it is no longer valid, even if it’s
intercepted.
The verification code delay option freezes the account for
the duration of the delay and allows you the ability to
contact your mobile service provider in the event your
mobile device or phone number is stolen.
Cloning a device enables you to use the cloned device in
the event of a disabled, stolen, or lost device, so that
SAASPASS Recovery is unnecessary.
Recovery can be disabled completely.
Category: Users
Can I add additional security to the Recovery process?
To add additional security to the Recovery process, go
to the Settings icon in the top right corner of the mobile
app. Under Settings, click on Recovery, then Advanced
Settings. There are several options available:
1. You can set up a delay between when you initiate
Recovery and when you receive the verification code. In
other words, if you lose your phone and initiate the
recovery process, the verification code will not be sent to
your number for the duration of the time period you set
(i.e. 20 hours), to give you time to cancel your lost or
stolen device and set up your mobile number on a new device
through your mobile service provider.
2. You can add your own custom recovery question and answer
(a customized security question).
3. Also, if extreme protection is required, recovery
options can be disabled completely, meaning there will be
no way to recover your account if your phone is lost,
broken or stolen (unless you have cloned your SAASPASS ID
onto another device). Disabling Recovery is an irrevocable
action, so SAASPASS recommends that users maintain an
active Recovery option.
Category: Users
How do I delete and uninstall my SAASPASS account?
First, remove the application from your computer. To
remove from Windows machines, run the Windows uninstaller.
Next, delete the
application from your SAASPASS-enabled mobile or other
device(s). If you’ve set up recovery, you will still be
able to restore your account. To permanently delete your
SAASPASS account, you must go to Recovery in the mobile app
and select "Remove" under the Active Recovery Option.
Category: Users
Can I restore my deleted SAASPASS account?
If you’ve set up recovery, then you can restore your
account. Otherwise, you must set up a new account.
Category: Users
How do I install and setup SAASPASS for developers?
Please check out our Developer page for clear
instructions and tutorials.
Category: Developer
Do I need authorization from SAASPASS to begin?
No. All of the tools you need to build SAASPASS into your
app or device are available online through this site. Check
out our Developer page for clear instructions, downloads,
and tutorials on how to get started.
Category: Developer
How do I build SAASPASS security into the app I’ve developed?
Build SAASPASS into your app using our RESTful APIs, as
well as ready codebase in a number of languages. Further
information can be found at
https://developer.saaspass.com
Category: Developer
Why should I build SAASPASS into my IoT device?
As the quality of IoT devices becomes increasingly
associated with security, having superior features or a
more aesthetic design for your product are no longer
adequate competitive advantages. Security must also be a
primary concern. Many IoT devices that claim to be secure
are only encompassing the security of encryption, and
almost 100% of IoT devices still rely on static
credentials. Building SAASPASS into your device allows
users to authenticate to the device using dynamic passwords
(always changing), even when those devices are offline
(i.e. during a power outage or an earthquake). In fact, our
superior design gives us offline capabilities that are
unique to SAASPASS, and these are particularly important to
securing IoT devices.
Category: Developer
How do I build SAASPASS into my IoT device?
Build SAASPASS into your IoT device using our RESTful
APIs.
Category: Developer
Can I integrate SAASPASS for my web login using other coding languages?
We’ve provided ready code in a number of different
languages for you to use; however, if we don’t have ready
code in your preferred coding language, you can use our API
documentation for guidance on how to build and integrate
SAASPASS into your web application. Of course our support
is also available to help guide you if necessary too.
Category: Developer
How do I install SAASPASS for admins?
Please check out our Admin page for clear instructions
and tutorials.
Category: Admin
Do I need authorization from SAASPASS to begin?
No. All of the tools you need to register and implement
SAASPASS at your organization are available online through
this site. Check out our Admin page for clear instructions,
downloads, and tutorials on how to get started.
Category: Admin
Does SAASPASS have a trial version of the product?
SAASPASS is free for companies for the first 1 month. If
your company is not satisfied, there is no obligation to
purchase after that period. Also, smaller companies (under
20 users) can continue to use SAASPASS for free.
Category: Admin
How do I register a company with SAASPASS?
In the upper right hand corner of the screen, choose
‘LOGIN’. From here choose ‘REGISTER A COMPANY’ to setup
your firm. You must register with the email address that is
to be your first admin, and your corporate domain is
derived from the email address.
Check out our Admin page for clear instructions, downloads,
and tutorials on how to get started.
Category: Admin
Why has my corporate registration initiation failed?
In order to register a company, you must sign up using an
email address from your corporate domain. Using free email
service addresses such as Gmail, Yahoo, Outlook, AOL, or
Yandex will prompt an error message reading "Invalid email
address format."
If you’ve received an "Existing domain" error message, then
you or someone from your company has already registered
using an address from that domain. Please make sure that
you’ve downloaded the SAASPASS app and that you’ve verified
the email that you receive. It may have gone to your spam
folder. If you are the admin for your domain, please email
our support team in this case, so that we can guide you on
how to complete registration.
Category: Admin
Can you provide me with the FQDN (or IP addresses) and ports that need to be added to my outbound firewall connection computer protection to work properly? I've already got www.saaspass.com and xmpp.saaspass.com in there, but there is no traffic to those addresses. The only way to get it working at the moment is to allow outbound 443 to any address?
On your firewall, are you white-listing by domain or IP? If
by domain, you need to allow *.saaspass.com for TLS 443 and
XMPP 5222. The fully qualified domain names are
www.saaspass.com, xmpp.saaspass.com and jlist.saaspass.com,
and the main IP addresses are 146.148.53.91 and
104.154.49.147.
In addition:
pubsub.saaspass.com
saaspass.com
xmpp.saaspass.com
Port number: 5222
Category: Admin
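A way to audit an outbound allowlist against the endpoints named in this answer and in the earlier "Connection Error" answer (ports 5222 and 443), as an added example that is not SAASPASS code. The rule format, the wildcard semantics (a leading `*.` covers subdomains but not the bare domain) and the requirement that every listed name be reachable on both ports are assumptions made for the example.

```python
import ipaddress

# Endpoints taken from the FAQ answer above.
REQUIRED_HOSTS = [
    "www.saaspass.com",
    "xmpp.saaspass.com",
    "jlist.saaspass.com",
    "pubsub.saaspass.com",
    "saaspass.com",
]
REQUIRED_PORTS = [443, 5222]
REQUIRED_IPS = ["146.148.53.91", "104.154.49.147"]


def rule_matches(pattern: str, host: str) -> bool:
    """Match a host against an exact name or a '*.example.com' wildcard.

    Assumed semantics: the wildcard covers any subdomain but not the apex,
    and the leading dot is kept so 'evilsaaspass.com' never matches.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # pattern[1:] == ".example.com"
    return pattern == host


def uncovered(rules, hosts=REQUIRED_HOSTS, ports=REQUIRED_PORTS):
    """Return the (host, port) pairs that no (pattern, port) rule allows."""
    missing = []
    for host in hosts:
        for port in ports:
            if not any(rule_matches(pat, host) and rport == port
                       for pat, rport in rules):
                missing.append((host, port))
    return missing


def ips_uncovered(allowed_cidrs, required=REQUIRED_IPS):
    """For IP-based allowlists: which required addresses fall outside them."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    return [ip for ip in required
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    # Constructed rule set resembling the question: only two names allowed.
    partial = [("www.saaspass.com", 443), ("xmpp.saaspass.com", 5222)]
    print("partial allowlist misses:", uncovered(partial))

    # The wildcard alone still leaves the bare domain uncovered.
    wildcard = [("*.saaspass.com", 443), ("*.saaspass.com", 5222)]
    print("wildcard only misses:", uncovered(wildcard))

    complete = wildcard + [("saaspass.com", 443), ("saaspass.com", 5222)]
    print("wildcard + apex misses:", uncovered(complete))
```

Running the audit before falling back to "allow outbound 443 to any address" keeps the egress policy scoped to the vendor's names instead of the whole internet.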
How much access does SAASPASS have to my company’s data?
Only your SAASPASS-enabled mobile device(s) can access your
data, and your SAASPASS PIN is never known to us and never
leaves your device. We have access to the interface between
your system and other apps, but not what’s in your system.
We act only as a gatekeeper, enforcing multi-factor
authentication on users.
Category: Admin
How is SAASPASS different from a VPN?
A VPN is useful, but can be anachronistic given the
evolving structure of companies. When companies used to run
everything on-premise (all of their servers, software,
etc), then providing users with a secure digital "tunnel"
into their corporate "castle" made sense. Now, as
organizations increasingly use cloud-based servers and
software-as-a-service (SaaS) applications, and as employees
increasingly use their devices for both work and their
personal needs, the single, enclosed network no longer
exists. Networks have become decentralized. SAASPASS is the
next generation VPN, protecting resources by identifying,
authenticating, and protecting the individuals who access
those resources at every gate.
Category: Admin
What is SAASPASS Web SSO?
SAASPASS Web SSO allows users to access their corporate
apps and services securely and conveniently from any public
or shared computer without any downloads, plugins, or
extensions. Simply open a web browser, go to your company’s
portal, or to www.saaspass.com, then login by scanning the
barcode displayed on the screen with your mobile app. Your
emails and all of your corporate apps and services can now
be accessed securely with a single click through the SSO
console.
Category: Admin
How can I use a public computer securely with SAASPASS Web SSO?
On your personal or work computer, you’ve downloaded the
SAASPASS browser plug-in and extensions. A public or shared
computer is unlikely to have these SAASPASS downloads, so
proximity login will not work on the computer, and the
single sign-on console will not be displayed in your
computer’s finder. Instead, simply open a web browser, go
to your company’s portal, or to www.saaspass.com, then
login by scanning the barcode displayed on the screen with
your mobile app. Your emails and all of your corporate apps
and services can now be accessed securely with a single
click through the SSO console.
When you finish using the public computer, logout and clear
the browser for added protection. You’ve just accessed all
your corporate apps without ever typing any passwords into
the computer. Now you’ll leave without a trace.
Category: Admin
Can I manage the admin functions from my mobile device?
Yes. In Settings on the mobile app, go to "Login to
SAASPASS Web." This is basically a secure link to the Admin
Console. From here, you can switch to Enterprise mode and
securely carry out all of the functions as your company’s
admin.
Category: Admin
How does SAASPASS integrate with my company?
The SAASPASS integration calls commands with a simple REST
API. SAASPASS can be integrated into custom apps with a few
simple lines of code or integrated into public products
like Google Apps or Salesforce in a few steps. This simple
portability eases integration everywhere without
diminishing the strength of SAASPASS.
Category: Admin
How do I integrate SAASPASS with my company apps?
In the Admin portal, under Applications, specific info is
listed under each app. If the app is not shown, please
email our support team.
Category: Admin
How easy is it to integrate SAASPASS with my firm’s Google Apps?
It is incredibly easy and requires no coding to secure
Google Apps with SAASPASS. The whole process takes less
than five minutes and a screencast of step-by-step
instructions is available.
Category: Admin
Can SAASPASS integrate with my company’s on-premise apps?
Yes. For specific help with integrating on-premise apps,
please email our support team.
Category: Admin
How does SAASPASS allow admins to configure access to corporate networks?
Admins can select the applications and services to which
they want to enable a single sign-on connection. Also,
access to these apps and services can be configured for
each individual employer or user.
Category: Admin
Are there privacy issues involved with asking my employees to use their own personal mobile device to access the company’s network?
No. The SAASPASS app and associated ID is owned by the
individual, is unique to the individual, is portable, and
can be used for both work and personal use. The same ID can
even be used by a user employed at multiple companies.
Because corporate and personal data operate in sandboxed
silos, company admins can manage and configure user access
to their own corporate network, but have no access to the
employee’s personal apps and services, or another
employer’s network. This allows a company to extend the
security perimeter of their organization to the personal
data of employees, without compromising their privacy.
Category: Admin
Are there security issues involved with asking my employees to use their own personal mobile device to access the company’s network?
Not really. Even though the SAASPASS app and associated ID
is owned by the individual, is unique to the individual, is
portable, and can be used for both work and personal use,
any work credentials on it are fully controlled and
instantly revocable by that company’s admin. SAASPASS has
additional security measures incorporated into it, such as
how the PIN operates on a zero knowledge basis, the ability
to use biometrics, support for pattern unlock and scrambled
keypad which all make it harder for even a compromised
mobile device to be misused. Because corporate and personal
data operate in sandboxed silos, company admins can manage
and configure user access to their own corporate network,
but have no access to the employee’s personal apps and
services, or another employer’s network. This allows a
company to extend the security perimeter of their
organization to the personal data of employees, without
compromising their privacy, thus even potentially
increasing their organizational security.
Category: Admin
Are there convenience issues involved with asking my employees to use their own personal mobile device to access the company’s network?
No. The opposite is true. Employees are going to carry,
protect, and maintain their personal mobile device
regardless of any security tools or methods your company
implements. Why ask them to carry and keep track of an
extra piece of hardware (i.e. an ID card, a key chain fob,
or hard token) that must also be guarded and managed? For
most users, being able to use a mobile device they already
carry in their purse or pocket is more convenient.
Category: Admin
What if my employee doesn’t want to use their personal mobile device?
Tokens can be ordered and issued to employees who prefer to
use them.
Category: Admin
Why is using a personal device preferable to using a token?
SAASPASS supports hard tokens, but we encourage companies
to use soft tokens (mobile app). Using the mobile device
minimizes costs and resources to your company in terms of
maintenance, replacement, inventory, etc.
Also, mobile devices are potentially more secure. Based on a
recent study by Nottingham Trent University, the average
person checks their phone 85 times a day. This translates
to once every 11 minutes if the average person is assumed
to sleep 8 hours, whereas hard tokens tend only to be
checked when needed. This means it could be hours or even
days before a user realizes a hard token is lost, versus
minutes for a soft token. This time advantage exponentially
increases security, as it lets admins take action sooner
and shorten the window of potential attack.
Additionally, more features are
available on the soft token. Hard tokens are generally
issued to employees by the company, and they do not
authenticate to the user’s personal apps and services, so
users lose some of the portability and versatility
advantages of the mobile app.
Category: Admin
Can my organization use a combination of hard tokens and mobile devices?
Yes.
Category: Admin
How do I add a new employee to SAASPASS?
When synchronized, your Active Directory (AD) automatically
adds users to SAASPASS when you add them to AD. If you
don’t use AD, or your AD is not synchronized, users can be
added through the Admin Console under Groups & Users
(either manually or via file upload). Users will need to
download the SAASPASS app to their mobile device.
Category: Admin
How do I add a new employee to SAASPASS when their user name differs from their email?
Instead of typing the user’s email address as the first
step, use their user name instead. Next, in the second
step, type the user’s SAASPASS ID, then add the user name
to the computer login application.
Category: Admin
We have a user who has a verified account and should be able to login as an SMS user but SAASPASS is telling me that I need to approve the user for SMS usage. How do I do that?
If you check all your active SMS users, you will see
the same note. This text is just a generic reminder to
explain that only active SMS users will be able to
receive SMS.
Category: Admin
How do you assign a YubiKey to a user?
A SAASPASS ID can't be a Soft Token and a Hard Token
SAASPASS User at the same time. Therefore, if you want an
account to be associated with a Hard Token, you will need to
change the ownership from the current SAASPASS ID to the
Hard Token SAASPASS ID.
Instructions:
Each Hard Token created under the Hard Token Management
section has its own associated SAASPASS ID.
If you have already completed the Hard Token registration,
the next thing to do is to assign that Hard Token to your
accounts as described in the attached document.
To assign already existing accounts that currently belong
to another SAASPASS ID (in this case, the SAASPASS ID that
you currently have), you need to do the following:
- Go to the Account Details of your accounts and Change The
Owner from your current SAASPASS ID to the SAASPASS ID that
you can find on 'Edit' of the Hard Token (in the Hard Token
Management section).
Note: After you finish changing the owner for all your
accounts, they will no longer belong to your current
SAASPASS ID, but instead will belong to the Hard Token
SAASPASS ID.
Category: Admin
How do you remove the association between a user and a YubiKey? The scenario would crop up where a user might leave the company and then we’d need to remove their account and disassociate them from the key, but I'm not able to?
Please check if that user has Admin rights. If the user is
an Admin, you cannot delete them. If the user is not an
admin you can manage it from the groups and users section
by assigning it to another account.
Category: Admin
I have assigned a YubiKey and it doesn't work even though it is assigned to a SAASPASS user and the user is in the correct group?
You may be using YubiKey 4s rather than FIDOs. Change the
configuration of the keys so they fit the OTP profile and
amend them in the dashboard so they can work.
Category: Admin
How do I unblock an employee who’s done a recovery?
After a user initiates recovery, SAASPASS’ default setting
is to automatically block the user from all corporate apps
and services. To unblock the user, sign into the Admin
Console, click on the Groups & Users tab, and click on
the button on the left-hand side marked "blocked users." This
link, which is not visible if there are no blocked users,
will display all your blocked users. Click on the SAASPASS
ID of the user that you want to unblock, then click
"unblock user" when prompted.
Category: Admin
How do I deprovision an employee?
In the Admin Console, under Groups & Users, all of your
users are listed. After clicking on a user, a pop-up
appears showing the services for which the selected user is
provisioned. A button to delete the user is also displayed.
When deleted, all services are deprovisioned for that user,
and those services instantly disappear from the user’s
mobile app.
Category: Admin
How do I set up SAASPASS on Active Directory?
Set up the computer login application in the SAASPASS admin
console and configure users for it. Next, roll out the
SAASPASS package for install on your PCs. Make
sure that all your users are already enrolled before you do
the rollout, however, as all machines with SAASPASS will
start enforcing 2FA the moment SAASPASS is installed on
them (unless you create a configuration where some users
are allowed to sign-in without SAASPASS, which is possible
from the admin settings).
Category: Admin
In setting up Active Directory, what if the client terminals run different OSs?
SAASPASS supports Windows and Linux, and works in
a cross-platform manner.
Category: Admin
Does the depth of my Active Directory structure matter?
No.
Category: Admin
In setting up Active Directory, what if some users are exempt from the default login name structure?
It doesn’t matter. All user names can be manually entered
or synchronized with your AD.
Category: Admin
In setting up Active Directory, do I handle roaming accounts (user details stored on remote storage) and local accounts differently?
No. Configuration is the same for all.
Category: Admin
How do I import my Active Directory users into SAASPASS?
Import users automatically using the SAASPASS
synchronization agent for AD. Users can also be entered
manually, or through a CSV file upload.
Category: Admin
We have a shared account that we use to login to servers. How can multiple people use that when protected with SAASPASS?
Go to the "Sharing Center" in the SAASPASS admin portal and
share this account with all your users (SAASPASS IDs) that
you want. You can share this account if it is an account
for a company application already integrated in SAASPASS,
an authenticator or a Password Manager.
Category: Admin
How do I protect an AD account that multiple people use with SAASPASS?
In order to achieve that you need first to create/add this
account as a simple user account in the SAASPASS Admin
portal / Groups & Users. Now you can go to our Sharing
Center and share this simple user account.
Category: Admin
What happens if the SAASPASS service is down? The entire organization won’t be able to login to their apps, so how can this issue be handled? Is there any "disaster recovery script"?
It depends on the configuration actually. If they are using
it just for domain login, then they would be able to login
in offline mode as normal. Scan sign-in, remote lock etc...
would not work, but the user could type in their Network
Password and the SAASPASS One Time Password from their
App.
Category: Admin
In the case a user is unavailable to use the smartphone (is lost, stolen or without battery), what mechanism can they use to login to their machine? Is there any kind of temporary hard token or temporary code that can be provided via phone to access?
The Admin can temporarily remove their requirement to have
to use SAASPASS, so they could login with just their
Password. Also, depending on the size of the company/IT
department, they may even keep a handful of cheap Android
devices available as "Joker" devices that they issue to
employees who forgot/lost their device until they get
a replacement, for use while they are in the office.
Category: Admin
In LATAM, smartphone robberies occur very often and sometimes it is not possible to get a new phone really fast. Is there any alternative login method if a user doesn’t have access to any kind of phone?
It is also possible to use hard tokens in conjunction with
the system. FIDO U2F and OATH-compliant TOTP & HOTP tokens are
all supported.
Category: Admin
Where are the SAASPASS datacenters located? Is there any official documentation about this?
We use Google Cloud and AWS infrastructure. We currently
use a setup with a US West, US East, West Europe, East
Europe, Singapore, Japan and Australia data center setup.
Category: Admin
In the case of a disaster, what’s the disaster recovery strategy of SAASPASS? Possible downtime or how HA is ensured?
For HA we can switch over from Google to AWS on the fly
should there be instability in the Google Cloud.
Additionally we have a third bare metal location in central
Europe, where we back up systems to, and have offsite data
backups to protect against some sort of disaster scenario
where both Google and Amazon are down, but somehow the
internet is functioning. We use multiple DNS providers to
protect in cases where one provider may come under attack
(as happened during the Mirai Botnet attack last year).
Additionally, all data is backed up multiple times a day,
and in a disaster scenario, different time slices can be
rolled back to.
Category: Admin
Is the SAASPASS Connector an "agent" based solution for Windows machines?
It depends on the configuration actually. If they are using
it just for domain login, then they would be able to login
in offline mode as normal. Scan sign-in, remote lock etc...
would not work, but the user could type in their Network
Password and the SAASPASS One Time Password from their
App.
Category: Admin
Does the SAASPASS Connector have a "failsafe" option or capability or is the offline component functionality robust enough that a failsafe is not warranted?
The offline functionality of SAASPASS is robust enough to
ensure the continuity of the user to login to their
computer even if there is no internet or SAASPASS is not
reachable from the network.
Category: Admin
What's RADIUS? Why do I need RADIUS for my VPN?
RADIUS is an industry standard protocol described in the
Internet Engineering Task Force (IETF) Request for Comments
(RFC) 2865, "Remote Authentication Dial-in User Service
(RADIUS)," and RFC 2866, "RADIUS Accounting." RADIUS is
used to provide authentication, authorization, and
accounting services. Most VPN products support the RADIUS
protocol, which is why SAASPASS supports RADIUS, so you
can secure access to your VPN with Multi Factor
Authentication.
Category: Admin
What happens if one of our users forgets their phone? How will they log into their apps? How will they log into their computer? Will there be an admin portal where we as admins can generate temporary pins/passwords? If so, will we need to generate one every time they get locked out?
In that case, the best option would be for the IT
department to have one mobile device with the app
installed and use that as a "backup app", which is what many
customers' IT depts do. If, say, 2 or more employees
experience the same issue, you can either have more than 1
phone or assign the one phone to each user for their login
one after the other. Naturally, this situation would not
occur on a daily basis. The other option would be to
disable 2FA for that user's login by removing them from the
computer protection group whereby they would log in with a
password at that moment. This would not be advisable from a
security point of view.
Category: Admin
How does SAASPASS work with VPN? Does it work for firewalls?
It works with VPNs over the RADIUS or SAML protocol. If
the firewall in question supports RADIUS or SAML, it can
be secured. Please send us the type/name/model/version
etc. The process is similar to how you may currently sign
on, except that the user either receives a push notification
to approve the VPN connection or, if they are using hard
tokens, would typically put a comma after their
password, and then the dynamic OTP.
Category: Admin
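The "password, comma, OTP" entry described above for hard tokens, and the offline one-time-password login mentioned in earlier answers, both rest on OATH TOTP/HOTP, which can be checked without any network round trip. The sketch below is an added example, not SAASPASS code: splitting at the last comma, the 6-digit/30-second parameters, the replay check and all function names are assumptions.

```python
import hashlib
import hmac
import struct

# RFC 6238 published test secret, standing in for a token seed (constructed input).
SAMPLE_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at) // step, digits)

def split_password_otp(field: str, digits: int = 6):
    """Split 'password,OTP' at the LAST comma, so passwords may contain commas."""
    password, sep, otp = field.rpartition(",")
    if not sep or len(otp) != digits or not (otp.isascii() and otp.isdigit()):
        return None
    return password, otp

def verify_login(field, check_password, secret, now,
                 last_counter=-1, drift=1, step=30):
    """Return the matched time-step counter, or None if the login is rejected.

    check_password is a stand-in for the directory/password check (assumption).
    Counters at or below last_counter are refused, so a captured OTP cannot be
    replayed inside its validity window.
    """
    parts = split_password_otp(field)
    if parts is None:
        return None
    password, otp = parts
    base = int(now) // step
    matched = None
    for c in range(max(0, base - drift), base + drift + 1):
        if c > last_counter and hmac.compare_digest(hotp(secret, c), otp):
            matched = c
    pw_ok = check_password(password)  # always evaluated, even if the OTP failed
    return matched if pw_ok and matched is not None else None

if __name__ == "__main__":
    field = "pa,ss," + totp(SAMPLE_SECRET, 59)  # constructed login field
    print(verify_login(field, lambda p: p == "pa,ss", SAMPLE_SECRET, now=59))
```

The caller should store the returned counter per user and pass it back as `last_counter` on the next attempt.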
How does SAASPASS comply with the new GDPR processes?
We have servers located across the world and within the EU.
The servers a customer is served from are distributed
according to the locations of the admins/company sign-ups.
All information regarding a company's instance is encrypted
and only available to the Admin of an instance.