Air-Gapped MFA with TOTP & Hardware Tokens
Air-gapped authentication means providing multi-factor authentication in environments that have no internet connection. Mideye Server supports fully air-gapped MFA using on-premise TOTP (Time-based One-Time Passwords) and hardware tokens — all validated locally on your server, with no data leaving your network.
What is an air-gapped environment?
An air-gapped environment is a network that is physically isolated from the internet and from all other external networks: no inbound or outbound connections exist, and the network operates entirely on its own. Segments that are only logically isolated (separated by firewall policy rather than by the absence of a link) are sometimes also called air-gapped, but they do not give the same guarantee, since a single misconfigured rule reconnects them.
Organizations use air-gapped networks to protect their most sensitive systems from remote attacks: with no network connection there is no remote attack surface. The local attack surface remains, reached through removable media, maintenance laptops and people with physical access, so the controls inside the gap still have to stand on their own.
Who needs air-gapped MFA?
- Defense and military — Classified systems that must be isolated from public networks by regulation.
- Critical infrastructure — Power grids, water treatment, industrial control systems (ICS/SCADA) where a compromise could endanger public safety.
- Government agencies — Systems processing classified or sensitive information with strict data handling requirements.
- Financial services — Trading systems, payment processing, and core banking platforms in high-security segments.
- Healthcare — Medical device networks and systems handling sensitive patient data in isolated segments.
- Research facilities — Laboratories with intellectual property or controlled research data.
Even in these environments, passwords alone are not enough. Stolen credentials, insider threats, and physical access attacks still apply. MFA adds a critical second layer — and with air-gapped MFA, it does so without requiring any external connectivity.
How air-gapped MFA works in Mideye Server
In air-gapped mode, Mideye Server operates without any connection to Mideye Switch, Mideye Cloud, or any external service. Authentication is limited to methods that can be validated entirely on the local server.
Supported authentication methods
| Method | How it works | Token type |
|---|---|---|
| On-premise TOTP | User enters a 6-digit, time-based code (RFC 6238) from an authenticator app (Mideye+, Google Authenticator, Microsoft Authenticator, etc.) | Software token |
| On-premise HOTP | User enters a counter-based code (RFC 4226) from an event-based hardware token; the token advances its counter on every button press | Hardware token |
| TOTP hardware tokens | User enters the time-based code displayed on a physical token that has its own clock | Hardware token |
All these methods share a common principle: the same secret seed is stored on the token (app or hardware device) and on Mideye Server. The token derives a code from the seed and either the current time step (TOTP) or an event counter (HOTP); the server recomputes the expected code from its own copy of the seed and compares. Validation is a local HMAC computation, so no network call is needed. Two operational consequences follow. TOTP only works if the server clock is right, so an air-gapped deployment needs a trustworthy local time source (an internal NTP server or a disciplined hardware clock). And because the seed alone is enough to produce valid codes, the server's seed store and any seed files are as sensitive as a password database.
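The local validation described above, as an added example in Python that is not Mideye's code: RFC 4226 HOTP, RFC 6238 TOTP on top of it, and a server-side validator that does what a practitioner expects of the "validation happens entirely on the server" step: a small clock-skew window for TOTP, a look-ahead window for HOTP tokens whose counter has run ahead, and a monotonic "last accepted counter" so a code that was already used is never accepted again. The `LocalOtpValidator` class, its parameter names and the seed are this example's own; the seed is the RFC 4226/6238 test vector, not a real enrolment.

```python
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(seed, at // step, digits)


class LocalOtpValidator:
    """Server-side state for one enrolled token. Everything needed lives here:
    the seed, a clock, and the highest counter already accepted. No network call."""

    def __init__(self, seed, kind, digits=6, step=30, skew=1, look_ahead=10):
        self.seed, self.kind, self.digits, self.step = seed, kind, digits, step
        self.skew = skew              # TOTP: accepted clock drift in steps, each direction
        self.look_ahead = look_ahead  # HOTP: how far the token may have run ahead of the server
        self.last_counter = -1        # highest counter (or time step) ever accepted

    def verify(self, code: str, now=None) -> bool:
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        if self.kind == "totp":
            now = int(time.time()) if now is None else now
            current = now // self.step
            candidates = range(current - self.skew, current + self.skew + 1)
        elif self.kind == "hotp":
            candidates = range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead)
        else:
            raise ValueError("kind must be 'totp' or 'hotp'")
        for c in candidates:
            if c <= self.last_counter:
                continue  # replay protection: a step or counter is accepted once, ever
            if hmac.compare_digest(hotp(self.seed, c, self.digits), code):
                self.last_counter = c  # remember the step so the same code cannot be replayed
                return True
        return False


# Constructed demo input: the RFC 4226/6238 test seed (not a real enrolment).
RFC_TEST_SEED = b"12345678901234567890"

if __name__ == "__main__":
    v = LocalOtpValidator(RFC_TEST_SEED, "totp")
    code = totp(RFC_TEST_SEED, 59)
    print(code, v.verify(code, now=59), v.verify(code, now=59))  # second attempt is a replay
```

The skew window of one step each way is the usual trade-off between tolerating phone clock drift and widening the guessing window; the monotonic counter is what makes a shoulder-surfed code useless once the legitimate user has logged in with it.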
Step-by-step authentication flow
- The user enters their username and password in the VPN client or network device.
- The VPN sends a RADIUS Access-Request to Mideye Server.
- Mideye Server validates the password against LDAP/Active Directory or the local user database.
- Mideye Server replies with a RADIUS Access-Challenge prompting the user for a TOTP code. In RADIUS the challenge normally carries a State attribute, which the VPN must copy unchanged into its follow-up request (RFC 2865); that is how the server links the code to the password step that just succeeded.
- The user opens their authenticator app (or reads their hardware token) and enters the current code.
- Mideye Server validates the code against the stored seed — entirely locally, with no external call.
- If the code is valid, Mideye Server returns a RADIUS Access-Accept. Access is granted.
At no point does any data leave your network. The RADIUS conversation happens between your VPN/firewall and your Mideye Server, and the TOTP validation is a local HMAC computation on the server.
For the full sequence diagram, see Authentication Flows — On-premise TOTP.
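The two-round RADIUS exchange in the steps above, as an added example in Python that is not Mideye's code. It builds the packets by hand from RFC 2865 (header, attributes, User-Password hiding, and the Response Authenticator that the NAS must check on every reply), runs a stand-in MFA server that issues an Access-Challenge with a single-use State after the password check and an Access-Accept after the OTP check, and plays the VPN/NAS side. The shared secret, the user `alice` and her password are constructed placeholders; the OTP check uses a fixed HOTP counter so the run is deterministic. Message-Authenticator (RFC 2869) is left out for brevity.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                  # attribute types


def encode_attrs(attrs):
    """Each attribute is Type(1) Length(1) Value, Length counting its own two header bytes."""
    return b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2: raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def build(code, ident, authenticator, attrs):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then the attributes."""
    body = encode_attrs(attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body


def parse(pkt):
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def hide_password(pw, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), seeded by the Request Authenticator."""
    pw = pw.ljust(max(16, -(-len(pw) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(ct, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(ct), 16):
        out += bytes(a ^ b for a, b in zip(ct[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = ct[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the NAS checks this on every reply."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack(">BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def hotp6(seed, counter):
    """RFC 4226 HOTP, six digits; the second factor checked by the demo server."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    o = mac[-1] & 15
    return str((struct.unpack(">I", mac[o:o + 4])[0] & 0x7FFFFFFF) % 10 ** 6).zfill(6)


class MfaRadiusServer:
    """Stands in for the MFA server: password check, Access-Challenge, OTP check, all local."""
    def __init__(self, secret, passwords, verify_otp):
        self.secret, self.passwords, self.verify_otp = secret, passwords, verify_otp
        self.pending = {}  # State value -> username that has passed the password step

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse(pkt)
        a = dict(attrs)
        if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        user, typed = a[USER_NAME].decode(), reveal_password(a[USER_PASSWORD], self.secret, req_auth)
        if STATE in a:  # second round: State binds this OTP to a password success this server issued
            if self.pending.pop(a[STATE], None) != user:
                return self._reply(ACCESS_REJECT, ident, req_auth, [])
            ok = self.verify_otp(user, typed)
            return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        if not hmac.compare_digest(self.passwords.get(user, b"\x00"), typed):
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        state = secrets.token_bytes(16)  # unguessable and single use
        self.pending[state] = user
        return self._reply(ACCESS_CHALLENGE, ident, req_auth, [(REPLY_MESSAGE, b"Enter TOTP code"), (STATE, state)])

    def _reply(self, code, ident, req_auth, attrs):
        return build(code, ident, response_authenticator(code, ident, req_auth, attrs, self.secret), attrs)


def nas_login(server, secret, user, password, otp):
    """Plays the VPN/NAS: two Access-Requests, each reply checked against the shared secret."""
    def ask(ident, attrs):
        req_auth = secrets.token_bytes(16)
        hidden = [(t, hide_password(v, secret, req_auth) if t == USER_PASSWORD else v) for t, v in attrs]
        code, rid, auth, rattrs = parse(server.handle(build(ACCESS_REQUEST, ident, req_auth, hidden)))
        if rid != ident or not hmac.compare_digest(auth, response_authenticator(code, rid, req_auth, rattrs, secret)):
            raise ValueError("reply failed the Response Authenticator check: spoofed, or wrong shared secret")
        return code, dict(rattrs)
    code, reply = ask(1, [(USER_NAME, user.encode()), (USER_PASSWORD, password.encode())])
    if code != ACCESS_CHALLENGE:
        return code
    return ask(2, [(USER_NAME, user.encode()), (USER_PASSWORD, otp.encode()), (STATE, reply[STATE])])[0]


SEED, SECRET = b"12345678901234567890", b"example-shared-secret"  # constructed: RFC 4226 test seed, placeholder secret
SERVER = MfaRadiusServer(SECRET, {"alice": b"correct horse"}, lambda user, code: hmac.compare_digest(code, hotp6(SEED, 0).encode()))
```

Two things the exchange makes visible: the OTP rides in the User-Password attribute of the second request, so it gets the same MD5-keystream hiding as the password, and the whole protection of the RADIUS leg rests on the shared secret. That is why the secret should be long and random and why the NAS must refuse replies whose Response Authenticator does not verify.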
Setting up air-gapped MFA
Token registration
In an air-gapped environment, TOTP tokens are registered through one of two methods:
- Admin assignment. An administrator generates a TOTP seed in the Mideye Server admin interface and provides the QR code to the user, who scans it with their authenticator app. The QR code encodes the seed itself, so handle it like a password: show it in person or over a trusted channel, and do not leave copies in e-mail, tickets or screenshots.
- Self-Service Portal. Users access the Mideye Server Self-Service Portal (hosted on your local network) and register their own TOTP app by scanning a QR code.
For hardware tokens, the administrator imports the token seed files (typically in PSKC format, RFC 6030) into Mideye Server and assigns tokens to users. A seed file is equivalent to every token it describes: keep it encrypted in transit where the token vendor supports it, and wipe it from the transfer media once the import is done.
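Both registration paths above, as an added Python example that is not Mideye's code: admin-side seed generation producing the otpauth:// URI that a TOTP QR code encodes, the app-side parse of that URI (which is what makes the seed visible in the QR), and import of a PSKC (RFC 6030) seed file for hardware tokens. Element names follow RFC 6030; the sample container is constructed here with the RFC 4226 test seed and made-up serial numbers, and only plaintext `<PlainValue>` secrets are handled, so an encrypted container must be unwrapped with the vendor's key first.

```python
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"


def new_totp_enrolment(issuer, account, digits=6, period=30, seed=None):
    """Admin assignment: a fresh random seed and the otpauth:// URI the QR code carries."""
    seed = seed or secrets.token_bytes(20)  # 160-bit seed, the size RFC 4226 recommends for HMAC-SHA1
    secret_b32 = base64.b32encode(seed).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}", safe="")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1",
                                    "digits": digits, "period": period})
    return seed, f"otpauth://totp/{label}?{query}"


def parse_otpauth(uri):
    """What the authenticator app does when it scans the QR code: recover the seed and parameters."""
    u = urllib.parse.urlsplit(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = dict(urllib.parse.parse_qsl(u.query))
    b32 = q["secret"].upper()
    seed = base64.b32decode(b32 + "=" * (-len(b32) % 8))  # restore the padding the URI form drops
    return {"account": urllib.parse.unquote(u.path.lstrip("/")), "seed": seed,
            "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30))}


def import_pskc(xml_text):
    """Hardware-token import: each <KeyPackage> of an RFC 6030 container becomes one token record.
    Plaintext <PlainValue> secrets only; refuses duplicate serials and unknown algorithms."""
    ns = {"p": PSKC_NS}
    tokens, seen = [], set()
    for pkg in ET.fromstring(xml_text).findall("p:KeyPackage", ns):
        serial = pkg.findtext("p:DeviceInfo/p:SerialNo", default="", namespaces=ns)
        key = pkg.find("p:Key", ns)
        b64 = None if key is None else key.findtext("p:Data/p:Secret/p:PlainValue", namespaces=ns)
        if not b64:
            raise ValueError(f"token {serial}: no plaintext secret (encrypted PSKC, or no <Key>)")
        if serial in seen:
            raise ValueError(f"token {serial}: duplicate serial in file")
        seen.add(serial)
        alg = key.get("Algorithm", "").rsplit(":", 1)[-1]  # "hotp" or "totp"
        fmt = key.find("p:AlgorithmParameters/p:ResponseFormat", ns)
        tok = {"serial": serial, "key_id": key.get("Id"), "type": alg, "seed": base64.b64decode(b64),
               "digits": int(fmt.get("Length", 6)) if fmt is not None else 6}
        if alg == "hotp":
            tok["counter"] = int(key.findtext("p:Data/p:Counter/p:PlainValue", default="0", namespaces=ns))
        elif alg == "totp":
            tok["period"] = int(key.findtext("p:Data/p:TimeInterval/p:PlainValue", default="30", namespaces=ns))
        else:
            raise ValueError(f"token {serial}: unsupported algorithm {key.get('Algorithm')!r}")
        tokens.append(tok)
    return tokens


# Constructed sample seed file: RFC 4226 test seed (base64), made-up serials, one HOTP and one TOTP token.
SAMPLE_PSKC = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo><Manufacturer>Example Token Co</Manufacturer><SerialNo>987654321</SerialNo></DeviceInfo>
    <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
  <KeyPackage>
    <DeviceInfo><Manufacturer>Example Token Co</Manufacturer><SerialNo>100000001</SerialNo></DeviceInfo>
    <Key Id="22222222" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters><ResponseFormat Length="8" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>"""
```

Note what `parse_otpauth` shows: anyone who can photograph the QR code can do the same parse and obtain the seed, which is the reason for treating the enrolment QR as a credential rather than as a convenience.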
Configuration
Air-gapped mode is configured during the initial setup wizard or by updating the Switch configuration:
- Disable Mideye Switch connectivity (no primary or secondary Switch host)
- Set the default authentication type to On-prem (type 11)
- Ensure TOTP token seeds are distributed to users before going live
No Mideye license server connectivity is required in air-gapped mode — licensing is handled offline.
What you gain and what you give up
What you gain
- Zero internet dependency. Authentication works regardless of external network conditions.
- Complete data isolation. No usernames, phone numbers, credentials, or authentication logs leave your network. Ever.
- Compliance simplicity. No data processing agreements needed for external services. No cross-border data transfers. No third-party sub-processors.
- Reduced attack surface. With no outbound connections there is no external path on which authentication traffic can be intercepted or redirected: no DNS hijacking, and no dependency on a third party's availability. The one network leg that remains, RADIUS between your VPN/firewall and Mideye Server, stays inside your own network; protect it the way RADIUS always needs protecting, with a long random shared secret per client and, where possible, a dedicated management segment.
- Resilience. Your MFA works even during internet outages, DDoS attacks against cloud services, or DNS failures.
What you give up
- Push notifications (Touch). Push requires Apple APNs and Google FCM — both cloud services. Not available in air-gapped mode.
- SMS one-time passwords. SMS delivery requires Mideye Switch connectivity. Not available in air-gapped mode.
- Magic Link. Magic Link sessions are hosted on MAS in Mideye Cloud. Not available in air-gapped mode.
- Mideye Shield. IP reputation scoring requires connectivity to the Shield service. Not available in air-gapped mode. However, static filter rules (manual IP allow/block lists) work locally.
- Mideye+ push features. The Mideye+ app can still generate TOTP codes offline, but push-based Touch and Plus functionality is unavailable.
The hybrid alternative
If your environment permits limited outbound connectivity, you can use Mideye Server in hybrid mode: on-premise TOTP as the primary method, with Touch or SMS as options for users in less restricted network segments. Authentication types like Touch-Plus (type 7) and Touch-Mobile (type 8) are designed for this — they try push first and fall back to on-premise TOTP automatically if the phone or cloud services are unreachable.
Air-gapped MFA and compliance
Operating in air-gapped mode simplifies compliance in several ways:
| Compliance concern | Air-gapped impact |
|---|---|
| GDPR data transfers | No data leaves your infrastructure — no cross-border transfer concerns |
| NIS2 access control | MFA enforced for network access, fully on-premises |
| Data residency | All data stays in your jurisdiction, on your hardware |
| Sub-processor management | No third-party services involved in authentication |
| US CLOUD Act | No data on US-based services (no APNs/FCM in air-gapped mode) |
For organizations where even transient data transfers through cloud services are prohibited, air-gapped mode provides a clean compliance posture. See Data Residency for a complete data flow analysis, and Compliance & Regulatory Frameworks for framework-specific requirements.
Frequently asked questions
Can I mix air-gapped and connected users?
Yes. Mideye Server assigns authentication types per user or per group. Users on isolated network segments can use on-premise TOTP, while users with internet access use Touch or SMS. The server handles both simultaneously.
Which authenticator apps work in air-gapped mode?
Any app that supports standard TOTP (RFC 6238) works: Mideye+, Google Authenticator, Microsoft Authenticator, Authy, FreeOTP, and others. The app generates codes locally from the shared seed — no internet connection needed on the phone either.
Do hardware tokens work in air-gapped mode?
Yes. OATH TOTP and HOTP hardware tokens are validated locally. Import the token seeds into Mideye Server and assign them to users. YubiKey OTP validation (which requires YubiCloud) is not available in air-gapped mode, but YubiKeys configured for OATH TOTP work locally; since the key has no clock or display of its own, the code is read through the Yubico Authenticator app on a phone or workstation.
Can I upgrade Mideye Server without internet access?
Yes. Installation packages (DEB, RPM, MSI) can be transferred to the air-gapped network via approved media and installed offline. Verify the package's checksum or signature on the connected side before it crosses the gap, so the media carries exactly what was downloaded and nothing else.
Next steps
- On-Premises vs Cloud MFA — Compare deployment models
- Authentication Flows — Step-by-step TOTP authentication sequence
- Authentication Types — On-prem (type 11) and fallback types
- Data Residency — Where your data stays in each mode