Thales TCT Luna Credential System (FIPS HSM)
by Thales Trusted Cyber Technologies
Certificate-based, multi-factor authentication is a mainstay security technique used by the U.S. Federal Government to ensure the identities of entities within a Public Key Infrastructure (PKI). Two primary components of multi-factor authentication are “what you have” and “what you know.” The “what you have” in a PKI consists of a securely stored private key and an associated digital certificate, which together are the unique user credentials identifying the entity. The “what you know” is a password that unlocks access to the securely stored credentials.

When the entity in need of a certified identity is a person, secure storage and distribution of the user credentials is often easily facilitated by existing technology, such as a secure smart card or USB token. The person assumes physical ownership of and responsibility for the token and can use it as needed to access PK-enabled resources. But what if the entity in need of credentials is a non-person entity (NPE), such as a device, a software robot, or some other automation technology? These entities must still have hardware-secured credentials to meet security mandates. Or what if the entity is indeed a person, but token use is not desirable or not an option? With this in mind, any or all of the following issues may present roadblocks to the use of a multi-factor token for all users in a PKI:
  • Policy may dictate that a token cannot be issued to a non-person entity
  • The physical security of a token issued to a non-person entity presents a cumbersome, inefficient, or impossible requirement to meet
  • Virtual machines are being used that cannot access physical tokens
  • Multiple physical machines require access to the credentials on a single token
  • Hardware-based, multi-factor authentication is needed for human users, but token use is either not feasible or undesirable

The Luna Credential System (LCS) introduces a new, patent-pending approach to multi-factor authentication by maintaining user credentials in a centralized hardware device that is securely accessible by endpoints in a distributed network. It unites the familiarity of certificate-based authentication with the security of a FIPS 140-2 certified hardware security module (HSM). LCS is a multi-purpose, secure credential system ideally suited for an environment in which the UiPath Robot endpoints cannot use a traditional small form-factor token. Composed of the Luna Credential HSM and the Luna Credential Client, LCS supports a number of use cases with UiPath Orchestrator and Robot, including authentication to PK-enabled applications and websites, Windows Logon, and HSM-secured Credential Stores.

Derived from TCT’s flagship Luna Network HSM, the Luna Credential HSM generates and protects PKI user credentials within the HSM, thereby replacing individual tokens. Credentials never leave the security boundary of the HSM and can only be accessed by authorized endpoints over a secure communication link. The Luna Credential HSM provides a scalable architecture and supports multiple independent “credential bins.” A credential bin is a cryptographically isolated location within the HSM that contains the private key and associated certificate for an individual entity. These identity credentials can only be accessed by endpoints when the correct password for the credential bin is provided. The Luna Credential HSM maintains an internal credential directory that maps each bin to the entity that accesses it via the Luna Credential Client.

The Luna Credential Client, which is installed on the endpoint machine, provides a user experience equivalent to a traditional multi-factor authentication login. During any operation that needs the entity’s certificate and corresponding private key, the Luna Credential Client establishes secure communications with the HSM. Using the credential directory onboard the HSM, the client determines the correct credential bin for the given entity and sends the password to the HSM. Once the password is validated, the process on the endpoint system can proceed to use the keys and certificates within the entity’s specific credential bin. This password may be entered by a human user or, in the case of an NPE, may be supplied by an automated process.

The Luna Credential Client includes a Windows credential provider component that prompts the user for their credential bin password and proceeds to complete the standard Windows Logon using identity credentials residing in the credential HSM. By hooking into the natural authentication flow of Windows systems, the user experience is no different from what users are accustomed to. Additionally, the Luna Credential Client includes an API to allow technology partners with their own credential providers or automated Windows Logon processes to make use of the Luna Credential System.
  • Provides a highly secure, FIPS 140-2 Level 3 validated HSM solution for unattended Robot logon.
  • Supports on-premises LCS HSM from Thales TCT and Azure Dedicated HSM.
  • Addresses U.S. Federal Government CAC/PIV requirements with PKI authentication.
  • Comprehensive integration and administration documentation.
  • Developed, built, and supported within the U.S. for agencies of the U.S. Federal Government.

Additional Information

Jul 12, 2022

Works with

Studio: 19.10 - 22.10

Luna Credential System

Our fully U.S.-based technical support experts provide our customers with a variety of services including troubleshooting, problem resolutions, and recovery advice. Additionally, customers can rely on our technical support team to help them maintain their products at the latest level of functionality.