Mideye Authentication Glossary: Key Terms
A quick reference for terms used throughout the Mideye Server documentation. Each definition includes a link to the relevant concept page for more detail.
Access-Accept
A RADIUS packet sent from the server to the client indicating that the user’s credentials are valid and access should be granted. See What is RADIUS?.
Access-Challenge
A RADIUS packet sent from the server to the client requesting additional information from the user — typically a one-time password. This is the mechanism that enables multi-factor authentication over RADIUS. See What is RADIUS?.
Access-Reject
A RADIUS packet sent from the server to the client indicating that the user’s credentials are invalid and access should be denied. See What is RADIUS?.
Access-Request
A RADIUS packet sent from the client (VPN, firewall, etc.) to the server containing the user’s credentials for validation. See What is RADIUS?.
Air-Gapped
A network or environment that is physically isolated from the internet and external networks. Mideye Server supports air-gapped MFA using on-premise TOTP tokens. See Air-Gapped Authentication.
Assisted Login
An authentication type (type 9) where a designated approver must authorize another user’s login via a push notification in the Mideye+ app. Used for shared environments, help desks, and dual-control scenarios. See Assisted Login.
Calling Station
The RADIUS attribute (Calling-Station-Id) that identifies the source of an authentication request — typically the user’s IP address, MAC address, or phone number. Used in Mideye Shield static filter rules.
Challenge-Response
A two-step authentication dialogue used in RADIUS. The server sends an Access-Challenge asking for additional information (e.g., an OTP), and the client sends a second Access-Request with the response. Authentication types 2, 3, 5, and 11 use challenge-response. See Authentication Flows.
Computer Interface to Message Distribution version 2. A protocol used by some telecom operators for SMS delivery. Mideye Switch supports CIMD2 for SMS routing.
CoA (Change of Authorization)
A RADIUS extension (RFC 5176) that allows the server to dynamically change a user’s session attributes or disconnect a session after authentication. Used for session management in Mideye Server.
Concatenated
An authentication type (type 4) where the user’s password and OTP from an HID Mini Token are entered together in a single step (e.g., password123456). Does not require challenge-response support. See Authentication Types.
The Digital Operational Resilience Act (EU 2022/2554). An EU regulation requiring financial entities to implement strong authentication and operational resilience. See Compliance & Regulatory Frameworks.
EMI/UCP
A protocol used by telecom operators for SMS delivery. Mideye Switch supports EMI/UCP alongside SMPP and CIMD2.
Entra ID
Microsoft Entra ID (formerly Azure Active Directory). A cloud-based identity service. Mideye Server integrates with Entra ID for user lookup via the Microsoft Graph API. See Directory Integration.
Federation Profile
An Assisted Login profile type that supports multiple approvers across organizational boundaries. Used for cross-organization authentication scenarios. See Assisted Login.
Fraud Score
A numeric assessment of how likely a source IP address is associated with malicious activity. Assigned by Mideye Shield based on threat intelligence data. See Mideye Shield.
The General Data Protection Regulation (EU 2016/679). Requires appropriate technical measures to protect personal data. MFA is widely considered a baseline technical measure. See Compliance & Regulatory Frameworks.
HMAC-based One-Time Password (RFC 4226). A one-time password algorithm where each code is generated from a secret seed and an incrementing counter. Used with hardware tokens. See Authentication Types.
Magic Link
A passwordless authentication method where the user receives an SMS with a clickable link or a push notification. Tapping the link or notification opens an approval page. Used for web application MFA via REST API. See Magic Link Authentication.
Mideye Application Service. A cloud service running in Europe-based cloud infrastructure that hosts Magic Link approval pages and manages RADIUS sessions. See System Architecture.
Mideye+
The Mideye mobile authenticator app for iOS and Android. Supports push authentication (Touch), offline TOTP codes, biometric unlock, and Assisted Login approvals. See System Architecture.
Mideye Shield
A threat intelligence layer that evaluates authentication requests against IP reputation data, automatically blocks high-risk sources, and sends webhook alerts. See Mideye Shield.
Mideye Switch
A message routing and delivery service operated by Mideye. Handles SMS delivery, push notification routing, and hardware token validation. Operates from two independent Swedish data centers. See System Architecture.
MSCHAPv2
Microsoft Challenge Handshake Authentication Protocol version 2. A RADIUS authentication protocol used in Microsoft environments (NPS, Windows VPN). Mideye Server supports MSCHAPv2. See What is RADIUS?.
Network Access Server. The device that receives the user’s login attempt and forwards it to the RADIUS server — typically a VPN concentrator, firewall, or wireless controller. In Mideye Server, each VPN or firewall is registered as a “RADIUS client.” See What is RADIUS?.
The Network and Information Security Directive (EU 2022/2555). Mandates cybersecurity measures including multi-factor authentication for essential and important entities in the EU. See Compliance & Regulatory Frameworks.
Network Policy Server. Microsoft’s RADIUS server implementation for Windows Server. Mideye Server integrates with NPS as a RADIUS proxy or upstream server. See What is RADIUS?.
Initiative for Open Authentication. An industry collaboration that defines open standards for strong authentication, including TOTP (RFC 6238) and HOTP (RFC 4226).
On-Prem
An authentication type (type 11) where the user enters a TOTP or HOTP code from an authenticator app or hardware token. Validated entirely on the local Mideye Server with no internet required. See Air-Gapped Authentication.
Password Authentication Protocol. A RADIUS authentication protocol where the user’s password is sent to the server (hashed with the shared secret). The most common protocol for MFA over RADIUS because it allows the server to read the password and initiate a second-factor challenge. See What is RADIUS?.
An authentication type (type 5) where the user manually signs an access challenge in the Mideye+ app to generate an OTP. Primarily used as a fallback when push notifications (Touch) are unavailable. See Authentication Types.
RADSEC
RADIUS over TLS (RFC 6614). Wraps the RADIUS protocol in a TLS tunnel, providing encryption, certificate-based authentication, and TCP reliability. Mideye Server includes a built-in RADSEC listener. See What is RADIUS? What is RADSEC?.
RADIUS
Remote Authentication Dial-In User Service (RFC 2865). The standard protocol for authenticating users connecting to VPNs, firewalls, and network infrastructure. Mideye Server is a RADIUS server that adds MFA to the standard RADIUS flow. See What is RADIUS? What is RADSEC?.
Single-Factor Web Authentication. The internal name for the Magic Link REST API endpoint in Mideye Server (/api/sfwa/auth). See Magic Link Authentication.
Short Message Peer-to-Peer. The most common protocol for sending SMS messages through telecom operators. Mideye Switch uses SMPP for OTP and Magic Link SMS delivery.
Token Coupling
The process of linking a hardware token (YubiKey, HID Mini Token) to a user’s Mideye+ app registration. Allows the token and app to share an identity for seamless fallback between authentication types.
Time-based One-Time Password (RFC 6238). A one-time password algorithm where each code is generated from a secret seed and the current time. Codes change every 30 seconds. Used with authenticator apps and some hardware tokens. See Air-Gapped Authentication.
An authentication type (type 6) where the user receives a push notification in the Mideye+ app and taps Approve or Reject. No code entry required. Does not need RADIUS challenge-response support. See Authentication Types.
Touch-Mobile
An authentication type (type 8) that tries Touch (push) first, falls back to encrypted SMS to the Mideye+ app if push fails, then falls back to Plus or on-premise TOTP. See Authentication Types.
Touch-Plus
An authentication type (type 7) that tries Touch (push) first, falls back to Plus or on-premise TOTP if push fails. See Authentication Types.
Vendor-Specific Attribute. A RADIUS attribute type (type 26) that lets vendors include custom data in RADIUS packets. Mideye Server supports configurable VSA dictionaries for RADIUS responses. See What is RADIUS?.
Next steps
- What is MFA? — Start with the fundamentals
- What is Mideye Server? — Product overview
- System Architecture — Components and connections