
Configure On-Premise TOTP Tokens (Software/Hardware)

On-premise TOTP tokens provide MFA when users don’t have network connectivity. Unlike Mideye+ push notifications, TOTP codes are generated locally on the user’s device and don’t require internet access.

Token types:

| Type | Description | Use Case |
| --- | --- | --- |
| Software token | Authenticator app (Google, Microsoft) | Users with smartphones |
| Hardware token | Physical TOTP device | High-security or no-smartphone users |

Authentication type: 11 (On prem)


Mideye Server 6.0 introduces on-premise tokens. A user in either the database or LDAP can have an on-premise token connected to their account. The token generates a TOTP that can be used as the second factor in an authentication: as the primary second factor if the user has On prem (auth type 11) set, or as a fallback for Touch-Plus (auth type 7) and Touch-Mobile (auth type 8) when the user is out of network coverage.

On-premise TOTP tokens are available in two versions:
– software token (authenticator TOTP app on the user's mobile phone)
– hardware token (a physical TOTP token)

If an installation has two or more Mideye Servers, they need to use the same database; otherwise an authenticator registered on the primary Mideye Server won't work on the secondary. Also, after upgrading from Mideye Server 5.6.2 or earlier to Mideye Server 6.0 or later, the keystore needs to be copied from the primary server to the secondary server(s). There is more information regarding installation and upgrade in the installation guides for Windows and Linux.

The webadmin interface and the self-service portal use the same login page and the same RADIUS client, defined in the Mideye Server. The role of the user logging in determines which resources they get access to: the self-service portal for a user, or the webadmin interface for an administrator. For LDAP users the role is determined by the rules in RADIUS translation, based on groups defined in the LDAP directory. If a user has no RADIUS translation value, the user is treated as a normal user and gets access to the self-service portal.

Administrating the on-premise TOTP software tokens


The seed can be distributed to the user's authenticator app either by an administrator in the webadmin interface or by the end user in the self-service portal, which can be protected with another authentication type.

As an administrator, all of the administration is done via the Mideye Server's webadmin interface.

Register authenticator:

  1. Log in to the Mideye Webadmin portal
  2. Go to Users -> On-premise tokens
  3. Go to Actions -> Register authenticator
  4. Enter the username of the user who will receive the TOTP seed
  5. A green box will indicate that the user has been found; otherwise click on “Verify user name” to verify it.
  6. When the OTP has been verified click “Continue”.
  7. Use an authenticator app on the user's mobile phone to scan the QR code
  8. When the QR code has been scanned, enter an OTP from the authenticator app into the verification box
  9. If the OTP isn't automatically verified, click the “Verify OTP” button
  10. When the OTP is verified, click on Continue. The Continue button must be clicked while the OTP is still valid in the authenticator app. If the valid OTP has changed to a new one, the new one must be entered to be able to click Continue. This ensures that the seed has been registered correctly.
  11. The authenticator app is now ready for use and the user is added to the list of On-premise tokens

Verify OTP:

  1. Log in to the Mideye Webadmin portal
  2. Go to Users -> On-premise tokens
  3. Locate the user and on the right hand side click Token operations -> Verify OTP
  4. Enter the OTP from the user's authenticator to verify that it's working

Unregister authenticator:

  1. Log in to the Mideye Webadmin portal
  2. Go to Users -> On-premise tokens
  3. Locate the user and on the right hand side click Token operations -> Unregister authenticator
  4. Verify that it is the correct user and click Delete
  5. Note that the actual user in the database or LDAP is not deleted; only the authenticator seed is removed

As a user, all of the administration is done via the Mideye Server's webadmin interface.

Register authenticator:

  1. Log in to the self-service portal of the Mideye Server
  2. To register an authenticator app, select Authenticator and then click on “Start OTP registration”
  3. Use an authenticator app on your mobile phone to scan the QR code
  4. Enter a code from the authenticator app into the verification box
  5. If the code isn't automatically verified, click the “Verify code” button
  6. When the code has been verified, click the Finish button. Note! The Finish button must be clicked while the code is still valid. If the code has expired and a different code is shown in the authenticator app on the mobile phone, steps 4-6 must be repeated.
  7. The authenticator app should now be verified. An option is shown to verify the app again. There is also a button to unregister the authenticator app if needed.

Verify OTP:

  1. Log in to the self-service portal of the Mideye Server
  2. Enter the OTP from the authenticator app to verify that it's working

Unregister authenticator:

  1. Log in to the self-service portal of the Mideye Server
  2. Click on Unregister Authenticator
  3. Click OK
  4. Note that this will NOT stop the authenticator app from presenting OTPs; however, these OTPs will no longer be valid for authentication.

Administrating the on-premise TOTP hardware tokens


The TOTP tokens are delivered with a PSKC file containing the credentials for the tokens, together with a transport key. The PSKC file and the transport key must be uploaded to the Mideye Server before the tokens can be deployed to users.

Import hardware tokens from a PSKC file:

  1. Log in to the Mideye Webadmin portal as an administrator
  2. Go to Users -> On-premise tokens
  3. Go to Actions -> Import hardware tokens from a PSKC file
  4. Click on Choose File and upload the PSKC file
  5. Enter the transport secret and click Import
  6. The TOTP hardware token will now show up in the On-premise Tokens list and can be assigned to a user

Assign token to user:

  1. Log in to the Mideye Webadmin portal as an administrator
  2. Go to Users -> On-premise tokens
  3. Compare the serial number on the back of the token to the serial number in the On-premise Tokens list
  4. Enter the username and verify it
  5. Click Assign
  6. The username will now show up next to the serial number in the On-premise Tokens list
  7. It is now possible to verify that the TOTP hardware token is working
  8. When the correct token is found, click on Token operations -> Assign token to user

Verify OTP:

  1. Log in to the Mideye Webadmin portal as an administrator
  2. Go to Users -> On-premise tokens
  3. Find the user that should be verified and click Token operations -> Verify OTP for that user
  4. Enter the OTP and verify it

Unassign token from user:

  1. Log in to the Mideye Webadmin portal as an administrator
  2. Go to Users -> On-premise tokens
  3. Find the user that should be unassigned from a token and click Token operations -> Unassign token from user
  4. Verify that it is the correct user and click Unassign
  5. The user is now unassigned from the token, as shown in the On-premise Tokens list

Disable token:

  1. Log in to the Mideye Webadmin portal as an administrator
  2. Go to Users -> On-premise tokens
  3. Find the token that should be disabled and click Token operations -> Disable token
  4. Pick the choice that corresponds to why the token is being disabled and click Disable
  5. The State of the token will now reflect the reason given
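The two server-side checks this page relies on, the PSKC import of hardware-token credentials and the time-bound OTP verification that makes the registration "Continue" step fail once the code has rotated, can be illustrated with a small standalone example. This is added illustration code, not Mideye's implementation: it reads a constructed plaintext PSKC file (RFC 6030 layout, with the secret as `PlainValue` rather than the transport-key-encrypted `EncryptedValue` a real delivery file carries) and verifies RFC 6238 TOTP codes, assuming SHA-1, 6 digits and a 30-second step.

```python
import base64, hashlib, hmac, struct
import xml.etree.ElementTree as ET

NS = "{urn:ietf:params:xml:ns:keyprov:pskc}"

# Constructed sample PSKC file. The secret is the RFC 6238 test seed
# "12345678901234567890" in base64; serial and key id are made up.
SAMPLE_PSKC = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
 <KeyPackage>
  <DeviceInfo><Manufacturer>Example</Manufacturer><SerialNumber>987654321</SerialNumber></DeviceInfo>
  <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
   <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
   <Data>
    <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
    <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
   </Data>
  </Key>
 </KeyPackage>
</KeyContainer>"""

def import_pskc(xml_text):
    """Return {serial: (secret_bytes, step_seconds, digits)} for every key package."""
    tokens = {}
    for pkg in ET.fromstring(xml_text).iter(NS + "KeyPackage"):
        serial = pkg.findtext(f"{NS}DeviceInfo/{NS}SerialNumber")
        key = pkg.find(NS + "Key")
        secret = base64.b64decode(key.findtext(f"{NS}Data/{NS}Secret/{NS}PlainValue"))
        step = int(key.findtext(f"{NS}Data/{NS}TimeInterval/{NS}PlainValue", "30"))
        fmt = key.find(f"{NS}AlgorithmParameters/{NS}ResponseFormat")
        digits = int(fmt.get("Length", "6")) if fmt is not None else 6
        tokens[serial] = (secret, step, digits)
    return tokens

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_otp(secret, otp, now, step=30, digits=6, window=1):
    """Accept otp if it matches the current step or up to `window` steps either side.

    window=0 is the strict behaviour the registration step describes: once the
    app shows a new code, the old one no longer passes.
    """
    return any(hmac.compare_digest(totp(secret, now + k * step, step, digits), otp)
               for k in range(-window, window + 1))
```

The serial number in the parsed file is what the administrator compares against the back of the physical token before assigning it.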