Assisted Login: Secure MFA for High-Risk Access
Assisted Login is an authentication type where a designated approver must authorize another user’s login. After the user enters their password, Mideye Server sends a push notification to the approver’s Mideye+ app. The approver reviews the request and taps Accept or Reject. Until the approver responds, the user cannot log in.
This adds a human-in-the-loop verification to the authentication process — a second factor that requires a real person to actively approve each login.
When do you need Assisted Login?
Section titled “When do you need Assisted Login?”Shared and supervised environments
Section titled “Shared and supervised environments”In settings where multiple people share workstations or accounts — manufacturing floors, hospital workstations, retail point-of-sale — Assisted Login ensures a supervisor or team leader approves each session. This creates an audit trail of who authorized which login, even when accounts are shared.
Help desk and IT support
Section titled “Help desk and IT support”When a user calls the help desk because they can’t log in (lost phone, forgotten credentials), the help desk operator can serve as the approver. The user authenticates with their password, the help desk operator verifies their identity through a phone call or in person, and then approves the login via the Mideye+ app.
High-security and dual-control scenarios
Section titled “High-security and dual-control scenarios”Some security policies require dual control — two people must be involved in accessing sensitive systems. Assisted Login implements this at the authentication layer: the user proves their identity with a password, and the approver independently confirms the access is legitimate.
Visitor and contractor access
Section titled “Visitor and contractor access”For temporary users who shouldn’t have their own MFA tokens, an internal employee can serve as the approver. The contractor logs in with their temporary credentials, and the sponsoring employee approves the access.
How Assisted Login works
Section titled “How Assisted Login works”The authentication flow
Section titled “The authentication flow”- The user enters their username and password in the VPN client or network device.
- Mideye Server validates the password against LDAP/AD or the local database.
- Mideye Server sends an approval request to the designated approver(s) via Mideye+ push notification.
- The approver reviews the request in the Mideye+ app. The notification shows who is trying to log in and from where.
- The approver taps Accept or Reject.
- Mideye Server receives the response and issues a RADIUS Access-Accept (if approved) or Access-Reject (if rejected or timed out).
The user waits during steps 3–5. If the approver doesn’t respond within the configured timeout, the login attempt fails.
Fallback delivery
Section titled “Fallback delivery”If the approver’s Mideye+ app isn’t reachable via push (phone offline, notifications disabled), Mideye sends a Magic Link SMS to the approver’s phone. The SMS contains a link to a web page where the approver can approve or reject the request. This ensures the approval workflow works even when push delivery fails.
Profile types
Section titled “Profile types”Mideye supports two types of Assisted Login profiles, designed for different organizational structures.
Normal profiles
Section titled “Normal profiles”A normal Assisted Login profile has a single approver (or a small group of approvers) configured for a set of users. All users in the profile share the same approver pool.
Use case: A team leader approves logins for their team. An IT administrator approves logins for a department.
Configuration:
- One or more approvers are assigned to the profile
- Approvers are Mideye users with the Mideye+ app
- Users are matched to the profile via LDAP group membership or direct assignment
- The approver is looked up from the user directory (e.g., the user’s manager attribute in AD)
Federation profiles
Section titled “Federation profiles”Federation profiles support multi-approver scenarios across organizational boundaries. Multiple identity providers and approver groups can participate in a single authentication flow.
Use case: A contractor from Organization A needs access to Organization B’s VPN. An approver from Organization A verifies the contractor’s identity, and an approver from Organization B authorizes the access.
Federation profiles are more complex to configure but enable cross-organizational trust without sharing user directories.
Challenge questions
Section titled “Challenge questions”For additional verification, Assisted Login profiles can require challenge questions. When the approval request reaches the approver, it includes a question that the approver should ask the user (verbally, over the phone, or in person):
- “What is your employee ID?”
- “What project are you working on?”
- “What is the last four digits of your phone number?”
The approver verifies the answer before tapping Accept. While Mideye doesn’t validate the answer (it’s a human process), the challenge question ensures the approver actively engages with the request rather than blindly approving.
Approver caching and priority
Section titled “Approver caching and priority”When multiple approvers are configured, Mideye Server uses an approver cache to route requests efficiently:
- Approvers who have recently approved requests for a user are prioritized (they’re likely available and familiar with the user).
- If the primary approver doesn’t respond within a configurable window, the request is escalated to the next approver in the list.
- If no approver responds, the login attempt fails.
This ensures fast approval times in practice — the most active approver gets the request first.
Timeouts and session management
Section titled “Timeouts and session management”| Setting | What it controls |
|---|---|
| Approval timeout | How long the user waits for an approver to respond before the login fails |
| Session idle timeout | How long an approved session can be idle before re-authentication is required |
| Session duration | Maximum session length regardless of activity |
These timeouts are configured per Assisted Login profile, allowing different policies for different user groups.
Security considerations
Section titled “Security considerations”The human element
Section titled “The human element”Assisted Login’s strength is that it requires a human to make a judgment call. Automated attacks — credential stuffing, brute force, password spraying — are ineffective because every attempt requires a real person to approve it. Attackers can’t approve their own login requests.
Approver fatigue
Section titled “Approver fatigue”Like any push-based approval system, there’s a risk of approver fatigue — approving requests out of habit without actually verifying the user. Mitigation strategies:
- Use challenge questions to force active engagement
- Limit the number of users per approver
- Monitor the approval logs for patterns (too-fast approvals, unusual hours)
- Rotate approvers to prevent routine
Audit trail
Section titled “Audit trail”Every Assisted Login attempt is logged with:
- Who requested the login
- Which approver was notified
- Whether the login was approved or rejected
- The time between request and approval
- The source IP and the RADIUS client
This creates a complete audit trail for compliance and incident investigation.
Assisted Login vs other MFA methods
Section titled “Assisted Login vs other MFA methods”| Aspect | Assisted Login | Standard MFA (Touch, SMS, TOTP) |
|---|---|---|
| Second factor | Another person’s approval | User’s own device |
| User needs a phone | No — the approver has the phone | Yes |
| Attack resistance | Very high — requires compromising both the user and the approver | High — requires the user’s password and device |
| User friction | Higher — depends on approver availability | Lower — self-service |
| Best for | Shared environments, supervised access, help desk | Individual user authentication |
Next steps
Section titled “Next steps”- Authentication Types — Assisted Login (type 9) and other types
- Authentication Flows — Step-by-step authentication sequences
- What is MFA? — MFA fundamentals
- Directory Integration — How approvers are looked up from LDAP/AD