Physical Security

Hardware Tokens

MFA that works without mobile phones — for high-security and air-gapped environments

Not everyone can use a mobile phone for authentication. Hardware tokens provide a physical, dedicated device for generating one-time passwords — no batteries to charge, no apps to install, no network connection required.

Two Ways to Get Started

YubiKey

Works out of the box

Already have YubiKeys? They work with Mideye Server immediately. Touch the YubiKey to generate and type the OTP automatically — no manual code entry needed.

  • Buy from Yubico or any reseller
  • Touch to generate OTP
  • 6-digit TOTP codes
  • USB-A, USB-C, and NFC models

HID Tokens from Mideye

Fully managed

Order enterprise-grade HID tokens directly from us. We handle procurement, seed management, and worldwide shipping to your end-users.

  • Token cards or key fobs
  • 8-digit OTP codes
  • Long battery life (5+ years)
  • Volume pricing for enterprises

OATH-compliant tokens generate time-based one-time passwords (TOTP) — the same standard used by Google Authenticator and other authenticator apps.

When to Use Hardware Tokens

No Mobile Phone Policy

Secure facilities, manufacturing floors, or contractors who aren't allowed to bring personal devices. A hardware token provides MFA without phone requirements.

Air-Gapped Networks

Networks with no internet connection can't use push notifications or SMS. Hardware tokens work completely offline — just time synchronization is needed.

Contractors & Temporary Staff

External consultants who shouldn't install apps on personal phones. Issue a token for the project duration, revoke when the contract ends.

Fallback for Mideye+ Users

Users who primarily authenticate with Mideye+ push notifications can also have a hardware token assigned. If push delivery fails (no network, phone lost), they can enter the OTP from their token instead. This is configured per user as a fallback option.

How It Works

  1. Get Token: YubiKey or HID from Mideye
  2. Assign to User: Self-service or admin portal
  3. Authenticate: Enter OTP from token

Technical Specifications

  • Token Types: TOTP (time-based), HOTP (event-based)
  • Code Length: 6 digits (YubiKey) or 8 digits (HID)
  • Time Period: 30 seconds
  • Clock Drift Tolerance: ±2 intervals (±60 seconds)
  • Replay Protection: Each OTP can only be used once
  • Administration: WebAdmin UI or Self-Service Portal

Advanced: Import tokens from other vendors (PSKC)

If you have existing OATH-compliant tokens from vendors like Feitian, SafeNet, or others, you can import them via PSKC (Portable Symmetric Key Container) files.

  • Upload PSKC file with transport key via WebAdmin
  • Seeds are encrypted and stored in your Mideye Server database
  • Assign tokens to users by serial number
  • Supports SHA-1 hash algorithm (OATH standard)

Security Features

  • No OTP reuse — Each code can only be used once, even within the validity window
  • Revocation states — Track why tokens are disabled: lost, broken, or other reasons
  • Authentication logging — Every authentication attempt logged with timestamp, result, and user details
  • Self-service enrollment — Users can register their own hardware token via the self-service portal
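
The validation rules from the Technical Specifications and the "No OTP reuse" feature, as an added example that is not Mideye Server's code: an RFC 6238 TOTP check with a 30-second step, ±2 steps of drift tolerance and single-use enforcement. The `TotpVerifier` class and its in-memory `last_step` state are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30   # seconds per time step (page: Time Period)
DRIFT = 2   # accepted steps either side of "now" (page: ±2 intervals)


def hotp(seed: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP with HMAC-SHA-1, the hash the page lists."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Hypothetical per-token verifier; a real server persists last_step."""

    def __init__(self, seed: bytes, digits: int = 6):
        self.seed = seed
        self.digits = digits
        self.last_step = -1  # highest time step already accepted

    def verify(self, otp: str, now: float) -> bool:
        current = int(now) // STEP
        matched = None
        for step in range(current - DRIFT, current + DRIFT + 1):
            if step < 0:
                continue
            expected = hotp(self.seed, step, self.digits)
            # Constant-time comparison, no early exit from the loop.
            if hmac.compare_digest(expected.encode(), otp.encode()):
                matched = step
        # Replay protection: refuse the matched step and anything older,
        # so a code seen once is dead even while its window is still open.
        if matched is None or matched <= self.last_step:
            return False
        self.last_step = matched
        return True
```

Tracking the highest accepted step also rejects codes from earlier steps that are still inside the drift window, which is stricter than remembering individual used codes.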

Need Hardware Tokens?

Hardware token support is included with Mideye Server 6.x. Contact us to order HID tokens or discuss your requirements.
