Offline Authentication

Fully isolated MFA.

Run Mideye Server entirely inside your isolated network. No internet connection, no cloud dependencies, no external infrastructure.

Concept

Complete network isolation.

Air-gapped mode allows Mideye Server to operate in fully isolated networks without any connection to the internet or Mideye's central infrastructure.

Designed for classified environments, critical infrastructure, and high-security data centers where network isolation is mandatory. This on-premises multi-factor authentication solution enables secure authentication entirely on-site using passwords and locally-provisioned hardware TOTP tokens.

Video thumbnail: Mideye air-gapped mode walkthrough

Use cases

When should you use air-gapped mode?

Classified Networks

Government, defense, and intelligence environments requiring complete network isolation.

Critical Infrastructure

Power plants, water treatment, industrial control systems where internet access is strictly prohibited.

Isolated Data Centers

Secure processing environments with no external network connectivity.

Compliance Requirements

Regulatory frameworks requiring authentication without cloud dependencies or supply chain risks.

Configuration

How do you enable air-gapped mode?

Air-gapped mode is configured during initial Mideye Server setup through the Install Wizard:

1

Advanced Settings

During the Switch Configuration step, click "Show Advanced Settings".

2

Enable Mode

Check the Air-Gapped Mode checkbox. The Switch connection fields become optional.

3

Complete Setup

Finish the remaining setup steps without requiring an internet connection.

Important

Air-gapped mode is a permanent configuration choice made during setup. Switching between connected and air-gapped mode after initial deployment requires reinstallation.

Capabilities

What works, and what doesn't.

Supported Methods

Password Authentication

Validates against Active Directory or local Mideye user database. Standard first factor for all users.

Hardware TOTP

Hardware tokens (YubiKey, HID) or authenticator apps. Tokens are provisioned locally and work completely offline.

Disabled Features (Require Cloud Connection)

Cloud Services

SMS OTPs, Mideye+ Push Notifications, and Magic Links are disabled as they require connection to our central infrastructure and gateways.

Mideye Shield

Mideye Shield and IP reputation checks are disabled as they rely on real-time threat intelligence from our central service.

Operations

Provisioning and maintenance.

Provisioning Hardware Tokens

Pre-programmed OATH TOTP hardware tokens can be imported via PSKC files. Seeds are securely loaded during deployment without network access.

Learn about hardware tokens →

Provisioning Authenticator Apps

TOTP secrets can be provisioned to authenticator apps via a QR code displayed locally on the admin portal. The provisioning happens inside the isolated network.

  • Software Updates: Must be transferred via secure media (USB, approved file transfer) from a connected system.
  • License Management: Air-gapped deployments use offline license activation.
  • Time Synchronization: TOTP requires accurate time. Ensure a reliable local NTP source or GPS-synchronized time server.

Compliance

Critical infrastructure compliance.

Air-gapped deployment addresses strict security requirements for critical infrastructure and zero-trust supply chain security.

NIS2 & Supply Chain Security

Requirement: Essential entities must manage supply chain risks.

Solution: Zero external dependencies for authentication. No cloud services or third-party authentication providers required, eliminating the supply chain attack surface.

NIS2 Directive → Cybersäkerhetslagen →

DORA Article 11

Requirement: Manage third-party dependencies and concentrations.

Solution: Eliminates runtime dependencies on external authentication providers. Authentication is 100% under your control with no third-party service concentration risk.

DORA Regulation →

ISO/IEC 27001:2022

Requirement: Network segmentation (ICS/SCADA, classified networks).

Solution: Authentication infrastructure remains entirely within your security perimeter, preventing breaches of network segmentation policies.

These are requirements our customers address using Mideye's controls as part of their own certification and compliance programs. See the full compliance mapping.

Ready for Air-Gapped Deployment?

Contact our team to discuss your isolated environment requirements and plan your deployment.