Login with one-time passwords (OTPs) delivered in real time via the mobile network.
The user enters login credentials.
The user initiates login by entering user name and password.
The login credentials are forwarded via a RADIUS request to the Mideye
Server.
The Mideye Server verifies login credentials against a user repository
(e.g. Active Directory), and the user's mobile phone number is retrieved.
The Mideye server generates a random session-specific OTP (one-time
password).
The one-time password is sent to the user's phone.
The OTP is forwarded via a secured Internet connection to the central
Mideye service.
The Mideye service performs a handshake with the mobile phone and the
OTP is displayed to the user.
When the handshake with the mobile phone is finished, the Mideye
Server sends a RADIUS access challenge to prompt the user for an OTP.
The user enters the OTP for verification.
The OTP is entered by the user and forwarded to the Mideye Server as a
response to the access challenge.
The Mideye Server verifies the OTP.
Access granted.
After verifying that the correct OTP has been entered, the Mideye
Server returns an access accept.
The user is granted access to the protected service.
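The steps above (and the Mideye+ variant with network coverage, which differs only in how the OTP reaches the phone) are one RADIUS Access-Request / Access-Challenge / Access-Accept exchange. The following Python model of the Mideye Server side is an added example, not Mideye's code: it assumes a dictionary standing in for the user repository, a callback standing in for OTP delivery, a 120-second OTP lifetime, and a 6-digit OTP; the RADIUS State attribute is modelled as a random token that ties the second request to the first. The model shows the properties a verifier has to enforce: the OTP is drawn from a CSPRNG per session, compared in constant time, bound to the user name and State that were issued together, single-use, and time-limited.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for the user repository (e.g. Active Directory):
# user name -> password and registered mobile number. Example data only.
USER_REPOSITORY = {
    "alice": {"password": "correct horse battery staple", "mobile": "+46700000000"},
}

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120          # how long an issued OTP stays valid (assumed value)


@dataclass
class PendingSession:
    """Server-side state behind one RADIUS State attribute value."""
    username: str
    otp: str
    created: float


@dataclass
class RadiusResponse:
    code: str                    # "Access-Challenge", "Access-Accept" or "Access-Reject"
    state: Optional[str] = None  # RADIUS State attribute the client must echo back
    reply_message: str = ""


class OtpRadiusServer:
    """Hypothetical model of the Mideye Server side of the exchange."""

    def __init__(self, repository: dict, deliver_otp: Callable[[str, str], None],
                 now: Callable[[], float] = time.time):
        self.repository = repository
        self.deliver_otp = deliver_otp   # stands in for the "send OTP to the phone" step
        self.now = now
        self.sessions = {}               # State attribute value -> PendingSession

    def access_request(self, username: str, password: str,
                       state: Optional[str] = None) -> RadiusResponse:
        """One RADIUS Access-Request. Without State it carries the first factor;
        with State it carries the OTP answering an earlier Access-Challenge."""
        if state is None:
            return self._first_factor(username, password)
        return self._second_factor(username, password, state)

    def _first_factor(self, username: str, password: str) -> RadiusResponse:
        entry = self.repository.get(username)
        # Always run the comparison so an unknown user name costs the same time as a wrong password.
        expected = entry["password"] if entry else ""
        if entry is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return RadiusResponse("Access-Reject")
        # Session-specific random OTP from a CSPRNG, bound to a random State value.
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        state = secrets.token_hex(16)
        self.sessions[state] = PendingSession(username, otp, self.now())
        self.deliver_otp(entry["mobile"], otp)
        return RadiusResponse("Access-Challenge", state, "Enter the one-time password")

    def _second_factor(self, username: str, otp_answer: str, state: str) -> RadiusResponse:
        # pop() makes the OTP single-use: a second answer, right or wrong, finds no session.
        session = self.sessions.pop(state, None)
        if session is None or session.username != username:
            return RadiusResponse("Access-Reject", reply_message="Unknown session")
        if self.now() - session.created > OTP_TTL_SECONDS:
            return RadiusResponse("Access-Reject", reply_message="One-time password expired")
        if hmac.compare_digest(session.otp.encode(), otp_answer.encode()):
            return RadiusResponse("Access-Accept")
        return RadiusResponse("Access-Reject", reply_message="Wrong one-time password")


def run_login(password: str, type_otp: Callable[[str], str]) -> str:
    """Drive both RADIUS round trips for user 'alice'; type_otp maps the delivered OTP
    to what the user actually enters. Returns the final RADIUS code."""
    delivered = {}
    server = OtpRadiusServer(USER_REPOSITORY, lambda mobile, otp: delivered.update(otp=otp))
    first = server.access_request("alice", password)
    if first.code != "Access-Challenge":
        return first.code
    return server.access_request("alice", type_otp(delivered["otp"]), state=first.state).code


def replay_after_success() -> str:
    """A captured State + OTP pair presented again after a successful login is rejected."""
    delivered = {}
    server = OtpRadiusServer(USER_REPOSITORY, lambda mobile, otp: delivered.update(otp=otp))
    first = server.access_request("alice", "correct horse battery staple")
    assert server.access_request("alice", delivered["otp"], state=first.state).code == "Access-Accept"
    return server.access_request("alice", delivered["otp"], state=first.state).code


if __name__ == "__main__":
    print(run_login("correct horse battery staple", lambda otp: otp))   # Access-Accept
    print(run_login("wrong password", lambda otp: otp))                 # Access-Reject
    print(replay_after_success())                                        # Access-Reject
```

The `now` parameter exists so the expiry path can be exercised with a fake clock; in a real deployment the State value, the OTP and the timestamp would live in a store shared by all RADIUS server instances, since the second Access-Request may arrive at a different node than the first.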
Login with smartphone
Users with smartphones (Android, iPhone, Windows Phone) can choose to download the Mideye+ app. This
enables login also when the phone is not reachable via the mobile network.
After downloading and starting the Mideye+ app, the user is prompted
to enter the mobile number.
The mobile phone contacts the Mideye central service to register the
phone number as pending for Mideye+ activation.
Activation of Mideye+, step 2
The user initiates login to the protected service.
The login triggers an activation SMS that is sent to the mobile phone,
whereupon the Mideye+ app contacts the Mideye central service to finalise the activation.
The user is marked as activated for Mideye+ in the central service,
and future logins proceed according to the Mideye+ schema.
Login with network coverage.
The user initiates login by entering user name and password.
The login credentials are forwarded via a RADIUS request to the Mideye
Server.
The Mideye Server verifies login credentials against a user repository
(e.g. Active Directory), and the user's mobile phone number is retrieved.
The Mideye server generates a random session-specific OTP (one-time
password).
The one-time password is sent to the user's phone.
The OTP is forwarded via a secured Internet connection to the central
Mideye service.
The Mideye service identifies the phone number as belonging to a
Mideye+ user and encrypts the password with the corresponding app key. The handshake is
performed with the mobile phone / app, and the OTP is displayed to the user.
When the handshake with the mobile phone is finished, the Mideye
Server sends a RADIUS access challenge to prompt the user for an OTP.
The user enters the OTP for verification.
The OTP is entered by the user and forwarded to the Mideye Server as a
response to the access challenge.
The Mideye Server verifies the OTP.
Access granted.
After verifying that the correct OTP has been entered, the Mideye
Server returns an access accept.
The user is granted access to the protected service.
Login outside of network coverage.
The user initiates login by entering user name and password.
The login credentials are forwarded via a RADIUS request to the Mideye
Server.
The Mideye Server verifies login credentials against a user repository
(e.g. Active Directory), and the user's mobile phone number is retrieved.
The Mideye server generates a random session-specific OTP (one-time
password).
Delivery attempt to mobile phone
The OTP is forwarded via a secured Internet connection to the central
Mideye service.
The Mideye service identifies the phone number as belonging to a
Mideye+ user and tries to establish contact with the phone via the mobile network. When this
fails, the central service responds back to the Mideye Server that the phone is out of
reach.
The Mideye Server generates a random challenge and returns this with
the RADIUS access challenge to prompt the user for a response.
The user is prompted for a response to an access challenge.
Since the phone is not reachable via the mobile network, the user is
instead requested to manually sign an access challenge with the Mideye+ app.
The user manually starts the Mideye+ app on the phone and enters the
challenge.
The user signs the challenge on the phone.
The user manually starts the app on the phone and enters the challenge
from the login screen. The challenge is signed with the secret key associated with the app,
and a session-specific one-time password is calculated.
A response to the challenge is generated by the Mideye+ app.
The Mideye+ app responds to the access challenge with a one-time
password.
The OTP is manually entered by the user and forwarded to the Mideye
Server as a response to the access challenge.
The Mideye Server forwards the challenge-response pair to the central
Mideye service for verification.
Access granted.
After the central service has successfully verified the
challenge-response pair, the Mideye Server returns an access accept.
The user is granted access to the protected service.
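The out-of-coverage flow above replaces the delivered OTP with a challenge-response: the server shows a random challenge, the app signs it with the app's secret key, and the resulting one-time password is only good for that one challenge. The Python below is an added illustration of that property, not Mideye's implementation: the page does not name the signing algorithm, so HMAC-SHA256 truncated to six decimal digits (RFC 4226-style dynamic truncation) is assumed, along with an 8-digit challenge, a 32-byte app key provisioned at activation, and a constructed phone number. The `MideyeServer` class keeps the issued challenge outstanding and retires it on the first answer, which is what makes a recorded response useless against any later login.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Callable

CHALLENGE_DIGITS = 8   # short enough to type into the app from the login screen (assumed)
RESPONSE_DIGITS = 6    # short enough to type back into the login screen (assumed)


def truncate_to_digits(mac: bytes, digits: int) -> str:
    """RFC 4226-style dynamic truncation of an HMAC output to decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_challenge(app_key: bytes, challenge: str) -> str:
    """Mideye+ app side: the OTP is a keyed function of the challenge, so it is
    worthless for any other challenge. HMAC-SHA256 is an assumed construction."""
    mac = hmac.new(app_key, challenge.encode("ascii"), hashlib.sha256).digest()
    return truncate_to_digits(mac, RESPONSE_DIGITS)


class CentralService:
    """Central Mideye service side (hypothetical): keeps the app keys provisioned
    at activation and verifies forwarded challenge-response pairs."""

    def __init__(self):
        self.app_keys = {}   # mobile number -> app key

    def activate(self, mobile: str) -> bytes:
        key = secrets.token_bytes(32)
        self.app_keys[mobile] = key
        return key

    def verify(self, mobile: str, challenge: str, response: str) -> bool:
        key = self.app_keys.get(mobile)
        if key is None:
            return False
        return hmac.compare_digest(sign_challenge(key, challenge), response)


class MideyeServer:
    """Mideye Server side (hypothetical): issues the random challenge with the RADIUS
    Access-Challenge and only forwards answers to challenges it actually has outstanding."""

    def __init__(self, central: CentralService):
        self.central = central
        self.outstanding = {}   # mobile -> challenge currently shown on the login screen

    def issue_challenge(self, mobile: str) -> str:
        challenge = "".join(secrets.choice("0123456789") for _ in range(CHALLENGE_DIGITS))
        self.outstanding[mobile] = challenge
        return challenge

    def check(self, mobile: str, challenge: str, response: str) -> bool:
        # pop() retires the challenge whatever the outcome, so each one is answered at most
        # once and a recorded response cannot be replayed against a later login.
        if self.outstanding.pop(mobile, None) != challenge:
            return False
        return self.central.verify(mobile, challenge, response)


MOBILE = "+46700000000"   # constructed example number


def offline_login(type_response: Callable[[str], str]) -> bool:
    """Full out-of-coverage login; type_response maps the app's OTP to what the user enters."""
    central = CentralService()
    app_key = central.activate(MOBILE)               # done once, at Mideye+ activation
    server = MideyeServer(central)
    challenge = server.issue_challenge(MOBILE)       # displayed with the access challenge
    response = sign_challenge(app_key, challenge)    # user types the challenge into the app
    return server.check(MOBILE, challenge, type_response(response))


def replay_is_rejected() -> bool:
    """A response captured from one login is useless for the next login's challenge."""
    central = CentralService()
    app_key = central.activate(MOBILE)
    server = MideyeServer(central)
    first = server.issue_challenge(MOBILE)
    captured = sign_challenge(app_key, first)
    assert server.check(MOBILE, first, captured)
    second = server.issue_challenge(MOBILE)
    return not server.check(MOBILE, second, captured) and not server.check(MOBILE, first, captured)


if __name__ == "__main__":
    print(offline_login(lambda r: r))   # True
    print(replay_is_rejected())          # True
```

Because the user types both values by hand, the challenge and response are kept short, which is why a short random challenge per session and one-shot acceptance matter: with six decimal digits the response itself is guessable in about a million tries, so the server must also rate-limit answers, which this model leaves out.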
Login with token card
Users that cannot use a mobile phone for login can instead obtain one-time passwords (OTPs) from a
token card.
Token card logistics service.
For users that are unable to use a mobile phone for login, a token
card can be sent from the Mideye central service.
The serial number of the token card is registered in the user’s entry
in the user repository.
Login with token card.
The user initiates login by entering user name and password.
The login credentials are forwarded via a RADIUS request to the Mideye
Server.
The Mideye Server verifies login credentials against a user repository
(e.g. Active Directory), and the serial number of the user’s token card is retrieved.
The Mideye server responds with a RADIUS access challenge to prompt
the user for a one-time password.
The user generates a one-time password from the token card.
By pressing the button on the token card, the user generates an event-
and time-synchronous one-time password.
The user enters the OTP for verification.
The OTP is entered by the user and forwarded to the Mideye Server as a
response to the access challenge.
The Mideye Server forwards the OTP along with the serial number of the
token card for verification in the central Mideye Service.
Access granted.
After the central service has successfully verified the one-time
password, the Mideye Server returns an access accept.
The user is granted access to the protected service.
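The token card flow hinges on the central service verifying an "event- and time-synchronous" OTP against the card identified by its serial number. The page does not describe the card's algorithm, so the Python below is an added illustration and not Mideye's: it assumes the OTP is HMAC-SHA256 over a button-press counter and a 60-second time slot, reduced to six digits, and it assumes a look-ahead of ten presses and a tolerance of one time slot in either direction. The serial number, seed and clock values are constructed. What the example shows is the bookkeeping a verifier for such a token needs: a search window over both counter and time, advancing the stored counter on success so a used or older OTP is refused, and rejecting an OTP that is typed in too late.

```python
import hashlib
import hmac
import struct
import time
from typing import Callable

OTP_DIGITS = 6
TIME_STEP = 60           # seconds per time slot (assumed)
COUNTER_LOOKAHEAD = 10   # button presses that may go unused before the card desynchronises (assumed)
TIME_SKEW_STEPS = 1      # clock drift tolerated in either direction (assumed)


def compute_otp(secret: bytes, counter: int, time_slot: int) -> str:
    """Assumed token algorithm: HMAC-SHA256 over the press counter and the time slot,
    reduced to OTP_DIGITS decimal digits. The real card's algorithm is not on the page."""
    mac = hmac.new(secret, struct.pack(">QQ", counter, time_slot), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


class TokenCard:
    """The card: a secret, a press counter and a clock. Pressing the button yields one OTP."""

    def __init__(self, serial: str, secret: bytes, clock: Callable[[], float] = time.time):
        self.serial, self.secret, self.clock = serial, secret, clock
        self.counter = 0

    def press_button(self) -> str:
        self.counter += 1
        return compute_otp(self.secret, self.counter, int(self.clock() // TIME_STEP))


class CentralService:
    """Central Mideye service side (hypothetical): looks the secret up by the serial number
    stored in the user repository and verifies within a counter window and a time window."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.tokens = {}   # serial -> {"secret": bytes, "counter": last accepted press}

    def register(self, serial: str, secret: bytes) -> None:
        self.tokens[serial] = {"secret": secret, "counter": 0}

    def verify(self, serial: str, otp: str) -> bool:
        record = self.tokens.get(serial)
        if record is None:
            return False
        now_slot = int(self.clock() // TIME_STEP)
        for counter in range(record["counter"] + 1, record["counter"] + 1 + COUNTER_LOOKAHEAD):
            for slot in range(now_slot - TIME_SKEW_STEPS, now_slot + TIME_SKEW_STEPS + 1):
                if hmac.compare_digest(compute_otp(record["secret"], counter, slot), otp):
                    # Event resync: every press up to and including this one is now spent,
                    # so the same OTP (or an older one) cannot be accepted again.
                    record["counter"] = counter
                    return True
        return False


def scenario() -> dict:
    """Walk one card through the cases a verifier has to get right, with a controllable clock."""
    clock = [1_700_000_000.0]
    now = lambda: clock[0]
    secret = b"\x01" * 32                       # constructed example seed, not a real one
    card = TokenCard("TC-000001", secret, now)  # constructed serial number
    service = CentralService(now)
    service.register(card.serial, secret)
    results = {}
    otp = card.press_button()
    results["fresh"] = service.verify(card.serial, otp)        # accepted
    results["replay"] = service.verify(card.serial, otp)       # rejected: press already consumed
    for _ in range(3):
        card.press_button()                                    # presses that never reach a login
    results["resync"] = service.verify(card.serial, card.press_button())   # accepted: inside look-ahead
    stale = card.press_button()
    clock[0] += TIME_STEP * (TIME_SKEW_STEPS + 2)              # user waits too long before typing it
    results["stale"] = service.verify(card.serial, stale)      # rejected: outside the time window
    return results


if __name__ == "__main__":
    print(scenario())   # {'fresh': True, 'replay': False, 'resync': True, 'stale': False}
```

The two windows pull in opposite directions: a wider counter look-ahead and more time skew make the card more forgiving but give a guessed six-digit value more chances to match, so the verifier should also lock or rate-limit a serial number after repeated failures.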