On-Premises MFA Server Architecture Overview
Mideye’s on-premises multi-factor authentication (MFA) system consists of four main components that work together:
- Mideye Server — runs on your infrastructure, handles all authentication logic
- Mideye Switch — Mideye-operated service that routes SMS and token requests
- Mideye Cloud — cloud services for Magic Link, push delivery, and threat intelligence
- Mideye+ app — authenticator app on the user’s phone
This page explains what each component does, how they connect, and what network access you need. For step-by-step authentication sequences, see Authentication Flows. For data location and compliance, see Data Residency.
System overview
Components
Mideye Server
The central authentication engine. It runs entirely on your infrastructure and handles all authentication logic, user management, and policy enforcement.
| Function | Description |
|---|---|
| RADIUS listener | Accepts Access-Request packets from VPNs, firewalls, and network equipment. Supports PAP and MSCHAPv2. |
| Magic Link API | REST endpoint for web applications that need MFA without RADIUS. |
| User lookup | Resolves users from LDAP/AD, Microsoft Entra ID, or the local Mideye database. |
| OTP generation | Generates one-time passwords and coordinates delivery via Mideye Switch. |
| Token validation | Validates OTPs from SMS, push, hardware tokens, and on-premise TOTP. |
| Self-Service Portal | Web portal where users register TOTP apps and manage hardware tokens. |
| Web Admin GUI | HTTPS management interface for RADIUS clients, LDAP profiles, policies, and logs. |
| Audit logging | Records every authentication attempt for compliance and troubleshooting. |
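The RADIUS listener above accepts Access-Request packets carrying a PAP password. The following is an added example, not Mideye Server code: it encodes and decodes such a packet per RFC 2865 and shows why the RADIUS shared secret configured for each client matters, since a PAP password is not encrypted on the wire but only XOR-masked with an MD5 stream derived from that secret and the Request Authenticator. The shared secret, user name and NAS identifier are constructed sample values.

```python
"""RADIUS Access-Request with a PAP User-Password (RFC 2865), encode and decode.

Added example, not Mideye Server code.  It shows the packet a RADIUS listener
receives from a VPN or firewall, and why the RADIUS shared secret matters:
a PAP password is not encrypted, only XOR-masked with an MD5 stream derived
from the shared secret and the 16-byte Request Authenticator.
"""
import hashlib
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1          # RADIUS Code for Access-Request
USER_NAME = 1               # attribute types from RFC 2865
USER_PASSWORD = 2
NAS_IDENTIFIER = 32


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Mask a PAP password as in RFC 2865 section 5.2.

    The password is null-padded to a multiple of 16 bytes; each 16-byte block is
    XORed with MD5(secret + previous block), seeded with the Request Authenticator.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; with the wrong shared secret the result is garbage."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")   # strip the null padding


def build_access_request(identifier: int, secret: bytes, username: str,
                         password: str, nas_id: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Encode Code, Identifier, Length, Authenticator and three attributes."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    attrs = b""
    for attr_type, value in (
        (USER_NAME, username.encode()),
        (USER_PASSWORD, pap_hide(password.encode(), secret, authenticator)),
        (NAS_IDENTIFIER, nas_id.encode()),
    ):
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Decode a packet the way a listener must: bounds-check every length first."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    if length != len(packet) or length > 4096:
        raise ValueError("Length field does not match the datagram")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length overruns the packet")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    result = {"identifier": identifier, "attributes": attrs}
    if USER_NAME in attrs:
        result["username"] = attrs[USER_NAME].decode("utf-8", "replace")
    if USER_PASSWORD in attrs:
        result["password"] = pap_reveal(attrs[USER_PASSWORD], secret, authenticator)
    return result


if __name__ == "__main__":
    # Constructed sample values; a real deployment uses one secret per RADIUS client.
    SECRET = b"example-shared-secret"
    pkt = build_access_request(7, SECRET, "alice", "correct horse", "vpn-gw-01")
    print(parse_access_request(pkt, SECRET))
```

The parser validates the Length field and every attribute length before touching the payload, which is the minimum a listener exposed to arbitrary network equipment needs. Because PAP masking is reversible by anyone holding the shared secret, that secret should be long, random and unique per RADIUS client, and the UDP path between the network device and the Server should be a trusted one.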
Mideye Switch
A message routing and delivery service operated by Mideye. The Switch handles SMS delivery and token validation, and routes push and authentication requests through the cloud services in AKS.
| Function | Description |
|---|---|
| SMS delivery | Routes OTP messages to telecom providers (SMPP, CIMD2, EMI/UCP). |
| Push / Touch routing | Routes push notifications and authentication requests to the Plus services in the cloud. |
| Token validation | Validates hardware tokens via Yubicloud (YubiKey) and HID token servers. |
| Magic Link SMS | Sends the Magic Link SMS (the link itself points to MAS, not the Switch). |
| Plus activation SMS | Sends encrypted activation SMS for Mideye+ app registration. |
What the Switch does NOT do:
- Does not store user credentials, passwords, or authentication policies
- Does not make authentication decisions — that is always the Mideye Server
- Only routes messages and manages delivery
Dual-environment redundancy
Mideye operates two completely independent Switch environments in separate Swedish data centers:
| Environment | Hostname | Data center |
|---|---|---|
| Primary | primary.mideye.com | Swedish DC 1 |
| Secondary | secondary.mideye.com | Swedish DC 2 |
The two environments are fully standalone — separate infrastructure, separate databases, separate network paths.
How failover works:
- New customers connect to the Secondary Switch first to verify the backup path.
- After verification, the Primary Switch is enabled.
- In production, the Server connects to Primary by default. If Primary is unreachable, traffic automatically routes to Secondary.
- After a configurable duration (default: 10 minutes), the Server retries Primary.
- All communication uses TLS 1.3 — the Server initiates all connections (outbound only).
- If both switches are unreachable, on-premise TOTP tokens still work. MAS and Shield remain available as they don’t depend on the Switch.
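The failover sequence described above, as an added example that is not Mideye code: a small client that prefers Primary, falls back to Secondary when Primary is unreachable, keeps using Secondary for a configurable hold-down (the page's 10-minute default) and then retries Primary. The hostnames are those listed on this page; the transport is stubbed so the example runs offline, and the exact retry logic is an illustration rather than the Server's implementation.

```python
"""Primary/Secondary Switch failover with a retry hold-down.

Added example, not Mideye code.  It models the behaviour described above:
the Server talks to Primary by default, falls back to Secondary when Primary is
unreachable, keeps using Secondary for a configurable hold-down (default
10 minutes) and then retries Primary.  The transport is a stub so this runs
offline; the hostnames are the page's, the retry logic is an illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

PRIMARY = "primary.mideye.com"
SECONDARY = "secondary.mideye.com"


class SwitchUnavailable(Exception):
    """Both Switch environments failed; only on-premise TOTP can still authenticate."""


@dataclass
class SwitchClient:
    send: Callable[[str, str], str]      # (hostname, message) -> reply; raises ConnectionError
    clock: Callable[[], float]           # injectable time source (seconds)
    retry_primary_after: float = 600.0   # the 10-minute default from the page
    primary_down_since: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def _in_holddown(self) -> bool:
        return (self.primary_down_since is not None
                and self.clock() - self.primary_down_since < self.retry_primary_after)

    def _preference(self) -> List[str]:
        # Secondary first while Primary is in hold-down; Primary stays a last resort.
        return [SECONDARY, PRIMARY] if self._in_holddown() else [PRIMARY, SECONDARY]

    def send_message(self, message: str) -> Tuple[str, str]:
        """Deliver one Switch message (OTP, PING, ...) and report which host served it."""
        for host in self._preference():
            try:
                reply = self.send(host, message)
            except ConnectionError as exc:
                self.log.append(f"{host}: unreachable ({exc})")
                if host == PRIMARY and not self._in_holddown():
                    self.primary_down_since = self.clock()   # start the hold-down
                continue
            if host == PRIMARY:
                self.primary_down_since = None               # Primary is back
            self.log.append(f"{host}: {message} -> {reply}")
            return host, reply
        raise SwitchUnavailable("neither Switch environment reachable")


def run_demo() -> List[str]:
    """Drive the client through an outage with a fake clock; returns hosts used."""
    state = {"primary_up": True, "now": 0.0}

    def fake_send(host: str, message: str) -> str:     # stub transport, no network
        if host == PRIMARY and not state["primary_up"]:
            raise ConnectionError("connect timeout")
        return "PONG" if message == "PING" else "OK"

    client = SwitchClient(send=fake_send, clock=lambda: state["now"])
    used = [client.send_message("PING")[0]]          # healthy: Primary
    state["primary_up"] = False
    used.append(client.send_message("PING")[0])      # outage: Secondary
    state["now"], state["primary_up"] = 300.0, True
    used.append(client.send_message("PING")[0])      # 5 min: still Secondary
    state["now"] = 600.0
    used.append(client.send_message("PING")[0])      # 10 min: Primary retried
    return used


if __name__ == "__main__":
    print(run_demo())
```

The `log` list is what an operator would want exported to SIEM: a switch to Secondary is a signal worth alerting on even though authentication keeps working, and `SwitchUnavailable` is the point where only TOTP-capable users can still log in.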
Mideye Cloud services
Several services run in Europe-based cloud infrastructure, separate from the Switch:
| Service | Accessed by | Purpose |
|---|---|---|
| MAS (Mideye Application Service) | Server | Magic Link approval pages, RADIUS session management |
| Mideye Shield | Server | Threat intelligence — IP reputation and brute-force detection |
| Push Service | Switch + App | Push notifications via Apple APNs and Google FCM |
| Plus Activation | Switch + App | Activation and deactivation of Mideye+ app instances |
Mideye+ mobile app
The authenticator app for iOS and Android. It replaces SMS-based OTPs with push notifications and offline TOTP codes.
| Feature | Description |
|---|---|
| Push authentication (Touch) | One-tap approve/reject for login requests. |
| TOTP codes | Time-based codes generated locally. Work offline. |
| Biometric unlock | Face ID, Touch ID, or fingerprint to protect the app. |
| Assisted Login | Approvers receive push notifications to approve logins for other users. |
The app communicates with the Plus services in Mideye Cloud. User credentials never leave the Mideye Server — the app only receives challenges and sends approve/reject responses.
Technology stack
Mideye Server 6 is built as a Java application using Spring Boot for the backend and React JS for the frontend.
The latest release (version 6.6+) runs on Adoptium Temurin OpenJDK 25 JRE, which is bundled with the installation package — no separate Java installation is required. Earlier versions (6.5 and below) used Java Runtime Environment 17.
The server runs as a background service, handling RADIUS requests on one or multiple ports. Configuration and administration are performed through the Web Admin GUI, with changes saved in real-time — no server restarts required.
Connections between components
Server to Switch
All communication uses TLS 1.3. The Server initiates all connections — the Switch never connects inbound to your network.
| Message | Purpose |
|---|---|
| OTP | Send an SMS OTP to a phone number |
| PLUS | Send a Mideye+ cryptographic challenge |
| TOUCH | Request a Touch push notification |
| MAGIC_LINK | Send a Magic Link SMS |
| TOKEN_COUPLE_PLUS | Couple a hardware token to a Mideye+ registration |
| PLUS_CLIENT_INFO | Check if a phone has Mideye+ activated |
| PING | Health check |
Server to Mideye Cloud
| Service | Protocol | Purpose |
|---|---|---|
| MAS | HTTPS long-polling | Magic Link sessions, RADIUS session events |
| Mideye Shield | HTTPS REST API | IP reputation and threat data |
Switch to Mideye Cloud
| Service | Protocol | Purpose |
|---|---|---|
| Push Service | HTTPS | Route push notifications to APNs/FCM |
| Plus Verification Service | HTTPS | OTP encryption, activation/deactivation, token coupling |
Firewall requirements
Your Mideye Server needs outbound access to:
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| primary.mideye.com | Customer-specific TCP port | HTTPS (TLS 1.3) | Switch — SMS, token validation |
| secondary.mideye.com | Customer-specific TCP port | HTTPS (TLS 1.3) | Switch failover |
| mas.mideyecloud.se / mas.prod.mideye.com | tcp/443 | HTTPS | MAS — Magic Link, RADIUS Sessions |
| shield.mideye.com | tcp/443 | HTTPS | Mideye Shield — threat intelligence |
No inbound firewall rules are required. The customer-specific Switch port is assigned by Mideye Support during provisioning.
For a complete list of ports (RADIUS, database, LDAP, admin GUI), see Networking Requirements.
Air-gapped mode
For environments with no internet access, Mideye Server can operate without any connection to Mideye Switch or cloud services:
- Authentication is limited to on-premise TOTP tokens only
- Users register TOTP tokens via the Self-Service Portal or admin assignment
- SMS, push, and Magic Link are not available
Air-gapped mode is configured during the Configuration Wizard.
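In air-gapped mode the only remaining factor is a time-based code that the phone and the Server compute independently from a shared seed, so nothing has to reach the Switch or the cloud. The following is an added example, not Mideye Server code: RFC 6238 TOTP generation plus the verifier-side controls a practitioner would expect (a bounded clock-skew window and rejection of a replayed time step), checked against the RFC 6238 reference seed. The seed and code values are the RFC's published test data, not real token material.

```python
"""TOTP (RFC 6238) generation and verification for on-premise tokens.

Added example, not Mideye Server code.  In air-gapped mode the only factor
left is a time-based code that the phone and the server compute independently
from a shared seed, so nothing needs to reach the Switch or the cloud.  The
verifier side shows the two controls that matter: a bounded clock-skew window
and replay rejection of an already-accepted time step.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits, digestmod)


def verify_totp(key: bytes, code: str, at: int, *, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Return the accepted time-step counter, or None.

    window: how many steps of clock skew either side are tolerated (1 = +/-30 s).
    last_counter: the highest counter already accepted for this token; any code
    for that step or an earlier one is rejected so a captured code cannot be replayed.
    """
    if len(code) != digits or not code.isdigit():
        return None
    current = at // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):   # constant-time
            return counter
    return None


def seed_to_base32(key: bytes) -> str:
    """Base32 form of the seed, the encoding authenticator apps expect at registration."""
    return base64.b32encode(key).decode().rstrip("=")


if __name__ == "__main__":
    seed = b"12345678901234567890"      # RFC 6238 reference seed, not a real token
    print(seed_to_base32(seed), totp(seed, int(time.time())))
```

Two operational points follow from the code: the Server's clock must be disciplined (NTP) even without internet access, because the window bounds how much skew a user can tolerate; and the `last_counter` the verifier persists per token is what turns a six-digit code into a one-time code.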
Next steps
- Authentication Flows — Step-by-step sequences for RADIUS, Magic Link, and push
- Data Residency — Where your data is stored and what leaves your network
- Authentication Types — Detailed reference for all 11 authentication types
- Pre-install Checklist — Plan your deployment