Token-Cards
Warning
Mideye Server 5 is no longer updated, and new installations are not supported. Only existing Mideye Server 5 installations and upgrades are supported. Please use Mideye Server 6 for new installations and continued support.
As a complement to using the phone as a second authentication factor, Mideye also supports authentication with token cards. Instead of receiving one-time passwords on the mobile phone, the user obtains one-time passwords from the token card.
The customer assigns token cards to users that require this authentication method. Token cards are ordered from Mideye Support, Yubikeys can also be obtained from third parties. The tokens are fully integrated into the Mideye system. The only difference compared to authentication with the mobile phone is that the user is assigned the token serial number (e.g. AI0123456789, ubbc0123456 or zmub5761949) instead of the mobile number (+46123456789) in the user repository (LDAP directory or internal Mideye database).
Note
These token cards differ from the on-premise TOTP hardware tokens and are not interchangeable.
Setting Authentication Type in the LDAP repository
For end-user data that is read from an external LDAP repository (LDAP users), the administration is handled via the administrative interface of the LDAP directory. There are two ways to assign token authentication to LDAP users:
Token serial number in the mobile phone field
By registering the user’s token serial number, preceded by the prefix “AI” (HID mini tokens) or “ubbc0” (Yubikey), in the mobile phone field (e.g. AI0750123456), the user is automatically assigned the authentication type Token. Note that in this case the ‘Token Number’ parameter in the tab ‘User’ must be set to the mobile phone field.
Token serial number in a separate field, with authentication type indicated in yet another field
In addition to a separate field for the token serial number, the LDAP administrator can assign yet another vacant field that indicates which authentication type should be used (1=Password, 2=Mobile, 3=Token, 4=Concatenated, 5=Plus, 6=Touch, 7=Touch-Plus, 8=Touch-Mobile). This field is specified via the Mideye Configuration Tool, tab ‘LDAP Servers’, tab ‘Authentication’, parameter ‘Authentication Type Attribute’. The box ‘Read Optional Attributes’ must also be checked; this tells Mideye to read certain optional attributes, such as Authentication Type, from the LDAP directory. If no authentication method is specified in the LDAP attribute (the field is empty), the default authentication method is used.
HID Mini token card
HID mini token. Weight 16 grams, expected lifetime 6 years if used on a regular basis.
Complete the following steps to set up an HID token for an end-user:
- Obtain the serial number of the HID token: This serial number can be found on the back of the token. All tokens dispatched from Mideye will always start with AI.
- Add the serial number to the user repository: By default, the Mideye Server will search for token numbers in the ipPhone attribute. Open ADUC and locate the user that should use the token. Open the properties of the user and navigate to the “Telephones” tab. Add the serial number in the IP Phone field.
- Change authentication method: The authentication method for the user must be changed to Token (unless Token is already the default authentication type). Open the Configuration Tool and navigate to “LDAP Servers”. Click “Modify” and select the “Authentication” tab. Check “Read optional attributes” and add an LDAP attribute to “Authentication type attribute”. In this example the LDAP attribute “pager” is used as the “Authentication type attribute”, but any other attribute can be chosen. The chosen attribute must not contain any other data. Save and close to restart the Mideye services.
- Once again, open ADUC and open the “Telephones” tab for the user. Add the number 3 to the pager field. See section Authentication types in the Reference guide to see what each number represents in the authentication list.
Screenshots: the pager field set to 3 (token authentication) in ADUC, and the “Read optional attributes” box enabled in the Configuration Tool.
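The two LDAP mechanisms above (token prefix in the phone field, numeric authentication type in a separate attribute) and the HID setup steps can be checked before rollout by scanning a directory export. This is an added example, not Mideye’s own code: the user records are constructed, the attribute names follow the page’s example (ipPhone for the serial, pager for the type), the default authentication type and the precedence (explicit type attribute first, then prefix, then default) are assumptions, and the ‘Token Number’ parameter is assumed to point at the same phone field.

```python
# Added example (not Mideye code): derive the authentication type for an LDAP user
# from the two documented mechanisms and flag attribute contents that would
# break the lookup. Attribute names, default type and precedence are assumptions.

AUTH_TYPES = {"1": "Password", "2": "Mobile", "3": "Token", "4": "Concatenated",
              "5": "Plus", "6": "Touch", "7": "Touch-Plus", "8": "Touch-Mobile"}
TOKEN_PREFIXES = ("AI", "ubbc0")          # HID mini token, Yubikey
DEFAULT_AUTH_TYPE = "Mobile"              # assumed server default (configurable)

# Constructed sample directory export: (sAMAccountName, ipPhone, pager)
USERS = [
    ("alice", "+46123456789", ""),            # mobile number, no type attribute
    ("bob",   "AI0750123456", ""),            # HID token serial in the phone field
    ("carol", "ubbc01234567", "3"),           # Yubikey serial, type set explicitly
    ("dave",  "+46987654321", "3"),           # Token requested but no serial stored
    ("erin",  "+46555000111", "0701234567"),  # pager still holds a real pager number
]

def resolve_auth_type(ip_phone, type_attr, read_optional=True):
    """Return (auth_type, reason). An explicit numeric type attribute (only
    honoured when 'Read Optional Attributes' is on) wins; an empty attribute
    falls back to the token-prefix rule, then to the default type."""
    if read_optional and type_attr:
        if type_attr not in AUTH_TYPES:
            return None, f"unexpected value {type_attr!r} in type attribute"
        return AUTH_TYPES[type_attr], "type attribute"
    if ip_phone.startswith(TOKEN_PREFIXES):
        return "Token", "token prefix in phone field"
    return DEFAULT_AUTH_TYPE, "default"

def audit(users, read_optional=True):
    """Classify every user and collect the misconfigurations an admin must fix:
    a type attribute holding non-type data, or Token set without a serial."""
    findings = []
    for name, ip_phone, type_attr in users:
        auth, reason = resolve_auth_type(ip_phone, type_attr, read_optional)
        if auth is None:
            findings.append((name, reason))
        elif auth == "Token" and not ip_phone.startswith(TOKEN_PREFIXES):
            findings.append((name, "Token type set but phone field holds no token serial"))
    return findings

if __name__ == "__main__":
    for name, ip_phone, type_attr in USERS:
        print(name, resolve_auth_type(ip_phone, type_attr))
    print("findings:", audit(USERS))
```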
Re-synchronisation of HID Mini token cards
The token cards generate one-time passwords in a sequence that is unique for each token (time- and event-synchronous). If more than ten one-time passwords have been generated from the token card without being entered for central verification in the token server, the token card goes out of sync with the server and must be re-synchronised. The token card is re-synchronised automatically within a window of 100 by entering a new one-time password for verification. If the token card is out of sync by more than 100 one-time passwords, it must be re-synchronised manually by Mideye Support. For manual re-synchronisation, the token card serial number and the counter value must be provided.
Token card serial number
The serial number (10 digits) is printed on the label on the back of the token card (e.g. S/N 0123456789). If the printed serial number is not readable, it can also be obtained from the token display:
- Generate a new one-time password, release the button.
- When the one-time password is displayed, press and hold the button again until the following appears on the display (three alternating strings):
- ע= SN
- 1= XXXXX
- 2= YYYYY
The serial number consists of the five digits XXXXX after the digit 1, followed by the five digits YYYYY after the digit 2.
Token card clock value
The clock value is obtained as follows:
- Generate a new one-time password, release the button.
- When the one-time password is displayed, press and hold the button again until the following appears on the display (three alternating strings):
- ע SN
- 1 XXXXX
- 2 YYYYY
This is the serial number of the token.
- When the serial number is displayed, release the button, press it again, and hold it until the following appears on the display (3 alternating strings):
- ע Clock
- 1 XXXXX
- 2 YYYYY
The clock value consists of the five digits XXXXX after the digit 1, followed by the five digits YYYYY after the digit 2.
Token card counter value
The counter value is obtained as follows:
- Generate a new one-time password, release the button.
- When the one-time password is displayed, press and hold the button again until the following appears on the display (three alternating strings):
- ע SN
- 1 XXXXX
- 2 YYYYY
This is the serial number of the token.
- When the serial number is displayed, release the button, press it again, and hold it until the following appears on the display (3 alternating strings):
- ע Clock
- 1 XXXXX
- 2 YYYYY
This is the token clock value.
- When the clock value is displayed, release the button, press it again, and hold it until the following appears on the display (3 alternating strings):
- ע Count
- 1 XXXXX
- 2 YYYYY
The counter value consists of the five digits XXXXX after the digit 1, followed by the five digits YYYYY after the digit 2.
Note: Older token cards are only event-synchronous and do not have a clock value.