
Configure TOTP Tokens for Mideye On-Premise

Mideye Server 6 supports on-premise TOTP tokens as a second authentication factor. A user in the database or LDAP can have an on-premise token connected to their account. The token generates a TOTP code that serves as the second factor.

Available in two versions:

  • Software token — authenticator TOTP app on the user’s phone (e.g., Mideye+)
  • Hardware token — a physical TOTP device

Authentication type support:

| Auth type         | Role of TOTP                      |
|-------------------|-----------------------------------|
| 11 (On-prem)      | Primary second factor             |
| 7 (Touch-Plus)    | Fallback when out of coverage     |
| 8 (Touch-Mobile)  | Fallback when out of coverage     |

The Web Admin and Self-Service Portal share the same login page and RADIUS client. The user’s role determines which interface they access — administrators see the Web Admin, regular users see the Self-Service Portal.

For LDAP users, the role is determined by RADIUS Translation rules based on LDAP group membership. Users without a RADIUS Translation value are treated as regular users and access the Self-Service Portal.

Edit application-prod.yml:

  • Linux: /opt/mideyeserver6/config/application-prod.yml
  • Windows: C:\Program Files (x86)\Mideye Server 6\config\application-prod.yml

Add use-self-service-portal: true:

application:
  switch-host: primary.mideye.com
  switch-backup-host: secondary.mideye.com
  switch-port: xxxxx
  log-path: C:\Program Files (x86)\Mideye Server 6\log
  use-self-service-portal: true

Restart the Mideye Server service.

To run the Self-Service Portal on a different port:

application:
  self-service-proxy:
    enabled: true
    http-port: xxxx
    ssl-port: xxx

To use the default self-signed certificate:

application:
  self-service-proxy:
    enabled: true
    http-port: xxxx
    ssl-port: xxx
    bypass-ssl-validation: true

Restart the service after changes.


The TOTP seed can be distributed via the Web Admin (by an administrator) or via the Self-Service Portal (by the end user).

Register an authenticator (Web Admin):

  1. Log in to the Web Admin portal.
  2. Go to Users and Tokens → Mideye Users.
  3. Edit the user → Tokens tab.
  4. Choose Register authenticator.
  5. Have the user scan the QR code with the Mideye+ app:
    • Open Mideye+ → menu (top right) → Authenticator → tap + to scan.
  6. Enter the TOTP from the app into the verification box.
  7. Click Register while the TOTP is still valid. If it expired, re-enter the new code.

Verify an OTP (Web Admin):

  1. Edit the user → Tokens tab.
  2. Choose Verify OTP.
  3. Enter the OTP from the user’s authenticator app.

Unregister an authenticator (Web Admin):

  1. Edit the user → Tokens tab.
  2. Click Unregister authenticator → Unregister.

Register an authenticator (Self-Service Portal):

  1. Log in to the Self-Service Portal.
  2. Select Register Authenticator.
  3. Scan the QR code with the Mideye+ app.
  4. Enter the TOTP and click Register.

Verify an OTP (Self-Service Portal):

  1. Log in to the Self-Service Portal.
  2. Choose Verify OTP and enter the code from the app.

Unregister an authenticator (Self-Service Portal):

  1. Log in to the Self-Service Portal.
  2. Click Unregister Authenticator → Unregister.
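The registration and Verify OTP steps above rely on the TOTP algorithm (RFC 6238). The following is an added Python example of that flow, not Mideye's own code: it generates a seed, builds the otpauth URI that the QR code carries, and verifies an entered code, rejecting one that has expired (the step 7 case). The parameters SHA-1, 6 digits, a 30-second step and one step of tolerance are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Assumed parameters (not taken from the Mideye docs): SHA-1, 6 digits,
# 30-second step, one step of tolerance either side of "now".
STEP = 30
DIGITS = 6
WINDOW = 1


def new_seed(nbytes: int = 20) -> str:
    """Random seed, base32-encoded as carried in the QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(seed_b32: str, user: str, issuer: str = "Mideye") -> str:
    """The otpauth:// URI an authenticator app reads from the QR code."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={seed_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def totp(seed_b32: str, at: int) -> str:
    """RFC 6238 code for the time step containing unix time `at`."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", at // STEP)          # big-endian step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify(seed_b32: str, entered: str, now: int) -> bool:
    """Accept the code for the current step or one step either side.
    Anything older is the 'expired' case: the user must enter a fresh code."""
    if len(entered) != DIGITS or not (entered.isascii() and entered.isdigit()):
        return False
    ok = False
    for delta in range(-WINDOW, WINDOW + 1):
        candidate = totp(seed_b32, now + delta * STEP)
        # compare every candidate in constant time; no early return
        ok |= hmac.compare_digest(candidate, entered)
    return ok
```

The RFC 6238 test vector (seed "12345678901234567890", base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) gives 287082 at unix time 59, so the arithmetic can be checked against the standard.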

TOTP hardware tokens are delivered with a PSKC file containing the token credentials and a transport key. Both must be uploaded to the Mideye Server before tokens can be assigned to users.

Import hardware tokens (Web Admin):

  1. Log in to the Web Admin as an administrator.
  2. Go to Users and Tokens → Hardware Tokens.
  3. Actions → Import hardware tokens from a PSKC file.
  4. Upload the PSKC file and enter the transport secret.
  5. Click Import. The tokens appear in the Hardware Tokens list.

Assign a token to a user (Web Admin):

  1. Go to Users and Tokens → Mideye Users.
  2. Edit the user → Tokens tab.
  3. Choose Assign token to user.
  4. Select the serial number from the dropdown. Verify it matches the physical token.
  5. Click Assign.

Verify an OTP (Web Admin):

  1. Edit the user → Tokens tab.
  2. Token Operations → Verify OTP.
  3. Enter the OTP from the hardware token.

Unassign a token (Web Admin):

  1. Edit the user → Tokens tab.
  2. Token Operations → Unassign token from user → Unassign.

Change the token state (Web Admin):

  1. Edit the user → Tokens tab.
  2. Token Operations → Change Token State.
  3. Select the reason and Save Changes.

Set a token back to Valid (Web Admin):

  1. Edit the user → Tokens tab.
  2. Token Operations → Change Token State.
  3. Select Valid → Save Changes.

Assign a token (Self-Service Portal):

  1. Log in to the Self-Service Portal.
  2. Select Assign Token To User.
  3. Enter the serial number from the back of the token.
  4. Press the token button to generate an OTP.
  5. Click Assign.

To store TOTP seeds in an LDAP attribute (instead of the Mideye database), the LDAP bind account needs read/write permissions on the chosen attribute. The attribute must support 120+ characters and Unicode.

Grant the LDAP bind account access to the attribute in Active Directory:

  1. Open Server Manager → Tools → Active Directory Users and Computers.
  2. Right-click the Domain → Properties → Security → Advanced.
  3. Click Add → Select Principal → select the LDAP bind account.
  4. Set Applies to: Descendant msDS-CloudExtensions objects.
  5. Click Clear All, then enable:
    • Read msDS-cloudExtensionAttribute1
    • Write msDS-cloudExtensionAttribute1
  6. Click OK → Apply → OK.

Configure the attribute in the Mideye LDAP profile:

  1. Open the Mideye Dashboard → Directory Settings → LDAP Profiles.
  2. Edit the profile → User Attribute tab.
  3. In the TOTP Secret Cipher Attribute field, enter msDS-cloudExtensionAttribute1.
  4. Click Verify, enter a username, and click Verify.

A message “Successfully verified LDAP attribute” confirms the setup.