Hardware Tokens

Mideye Server 6.0 introduces the ability to use on-premise tokens. Users, whether stored in the database or LDAP, can now link an on-premise token to their account. This token generates a Time-based One-Time Password (TOTP), serving as a second factor for authentication. It can act as the primary second factor when the user is configured with On-premise (authentication type 11). Additionally, it can serve as a fallback for Touch-Plus (authentication type 7) and Touch-Mobile (authentication type 8) when the user is outside network coverage.

On-premise TOTP tokens are available in two versions:

software token (authenticator TOTP app on users mobile phone)
hardware token (a physical TOTP token)

If an installation involves two or more Mideye Servers, they must use the same database. Otherwise, authenticators registered on the primary Mideye Server will not function on the secondary servers. Additionally, after upgrading from Mideye Server version 5.6.2 to 6.0 or later, the keystore must be copied from the primary server to the secondary server(s).

For more detailed information on installation and upgrade procedures, refer to the installation guides for Windows and Linux.

Info

The TOTP software and hardware tokens are time sensitive, therefore it is important that the clock of the underlying server OS for Mideye Server is correct. Consider connecting the server to an NTP server to sync the clock.

Configuration in Mideye Server¶

Webadmin and self-service portal uses the same login page and also the same RADIUS client, defined in the Mideye Server. The role of the user logging in determines what resources they get access to, like the self-service portal for a user or the webadmin interface for an administrator. For ldap users the role is determined by the rules in RADIUS translation, based on groups defined in the ldap. If a user has no RADIUS translation value it is treated as a normal user and gets access to the self-service portal.

Enable the self-service portal¶

Enable the self-service portal by editing the application-prod.yml file found in:

Linux: /opt/mideyeserver6/config/application-prod.yml
Windows: C:\Program Files (x86)\Mideye Server 6\config\application-prod.yml

Add the line use-self-service-portal: true in the application section as seen in the example below.

application:
    switch-host: primary.mideye.com
    switch-backup-host: secondary.mideye.com
    switch-port: xxxxx
    log-path: C:\Program Files (x86)\Mideye Server 6\log
    use-self-service-portal: true

Restart the Mideye Server service.

Enable separate self-service portal¶

To enable the separate self-service portal on a different port, specify the following in the elements in the application-prod.yml file:

application:
    self-service-proxy:
        enabled: true
        http-port: xxxx
        ssl-port: xxx

Simply specify which http-port: or ssl-port: port number the self service portal should run on, and restart the Mideye Server 6 service afterwards.

If there is a wish to use the default self-signed certificated that is created with the Mideye Server, specify the bypass-ssl-validation: true flag in the application-prod.yml so it looks like this:

application:
    self-service-proxy:
        enabled: true
        http-port: xxxx
        ssl-port: xxx
        bypass-ssl-validation: true

Administrating the on-premise TOTP software tokens¶

The seed can be distributed to the users authenticator app with the help of an administrator in the webadmin interface or as an end user in the self-service portal that can be protected with another authentication type.

As an administrator¶

As an administrator all of the administration is done via the Mideye Servers webadmin interface.

Register an authenticator app¶

Log in to the Mideye Webadmin portal.
Go to Users and Tokens -> Mideye Users.
Edit the user that will be registered for the TOTP authenticator.
Go to Tokens in the top menu.
Choose Register authenticator.
Let the user scan the QR code presented on screen with the Mideye+ app (Open Mideye+ -> choose the menu in top right corner -> choose Authenticator -> choose the + sign to scan the QR code).
The TOTP seed is now added to the Mideye+ app.
Enter the TOTP from the Mideye+ app into the verifiction box in the Webadmin portal.
If the TOTP is verified finalize the registration by clicking Register. The registration must be done while the TOTP is valid in the app. If the TOTP has expired and cycled to the next TOTP repeat step 8.
The TOTP authenticator function in the Mideye+ app will now be ready for use.

Verify a users authenticator¶

Log in to the Mideye Webadmin portal.
Go to Users and Tokens.
Locate the user and click edit on the right hand side.
Go to Tokens in the top menu.
Choose Verify OTP
Enter the OTP from the users authenticator to verify that it’s working.

Unregister an authenticator¶

Log in to the Mideye Webadmin portal.
Go to Users and Tokens.
Locate the user and click edit on the right hand side.
Click Unregister authenticator.
Click Unregister.
Note that the actual user in the database or LDAP is not deleted, only the authenticator seed is removed.

As a user¶

As a user the self-administration is done via the Mideye Servers Self-service Portal.

Register an authenticator app¶

Login to the self-service portal of the Mideye Server.
To register an authenticator app select Register Authenticator.
Use the Mideye+ app on your mobile phone to scan QR code presented on screen with the Mideye+ app (Open Mideye+ -> choose the menu in top right corner -> choose Authenticator -> choose the + sign to scan the QR code).
The TOTP seed is now added to the Mideye+ app.
Enter the TOTP from the Mideye+ app into the verifiction box.
If the TOTP is verified finalize the registration by clicking Register. The registration must be done while the TOTP is valid in the app. If the TOTP has expired and cycled to the next TOTP repeat step 8.
The TOTP authenticator function in the Mideye+ app will now be ready for use.

Verify an authenticator app¶

Login to the self-service portal of the Mideye Server.
Choose Verify OTP.
Open the Mideye+ app -> choose the menu in top right corner -> choose Authenticator.
Enter the TOTP from the Mideye+ app to verify that it’s working.

Unregister an authenticator app¶

Login to the self-service portal of the Mideye Server.
Click on Unregister Authenticator.
Ckick Unregister.
Note that this will NOT remove the presenting of OTPs in the Mideye+ app, however, these OTPs will not be valid for authentication and can be deleted locally in the app.

Administrating the on-premise TOTP hardware tokens¶

The TOTP tokens will be delivered with a pskc file containing the credentials for the tokens and a transport key. The pskc file and the transport key must be uploaded to the Mideye Server before they can be deployed to the user.

Note

These TOTP tokens differs from the hardware tokens that Mideye deliver as a service and they are not interchangeable.

Import pskc file and transport key¶

Log in to the Mideye Webadmin portal as an administrator.
Go to Users and Tokens -> Hardware Tokens.
Go to Actions -> Import hardware tokens from a PSKC file.
Choose the three dots to upload the pskc file.
Enter the transport secret and choose Import.
The TOTP hardware token will now show up in the Hardware Tokens list and can now be assigned to a user.

As an administrator¶

Assign a TOTP hardware token¶

Log in to the Mideye Webadmin portal as an administrator.
Go to Users and Tokens -> Mideye Users.
Edit the user that will be registered for the TOTP Hardware Token.
Go to Tokens in the top menu.
Choose Assign token to user.
Click the drop-down list to choose a serial number from the imported hardware tokens list.
Verify that the serial number on the back of the Hardware Token matches the serial number chosen from the Hardware Token list.
Choose Assign.
The TOTP Hardware Token is now assigned to the user.

Verifying the TOTP hardware token¶

Log in to the Mideye Webadmin portal as an administrator.
Go to Users and Tokens -> Mideye Users.
Edit the user that should be verified.
Go to Tokens in the top menu.
Choose Token Operations -> Verify OTP.
Enter the OTP from the Hardware Token to verify it.

Unassign a TOTP hardware token¶

Log in to the Mideye Webadmin portal as an administrator.
Go to Users and Tokens -> Mideye Users.
Edit the user that should be verified.
Go to Tokens in the top menu.
Choose Token Operations -> Unassign token from user.
Choose Unassign.

Revoke a TOTP hardware token¶

Log in to the Mideye Webadmin portal as an administrator.
Go to Users and Tokens -> Mideye Users.
Edit the user that should have the token revoked.
Go to Tokens in the top menu.
Choose Token Operations for the correct hardware token.
Choose Change Token State.
Pick the choice that corresponds to why the token will be revoked and Save Changes.
The State of the token will now reflect the reason given.

Reactivate a revoced TOTP Hardware Token¶

Log in to the Mideye Webadmin portal as an administrator.
Go to Users and Tokens -> Mideye Users.
Edit the user that should have the token revoked.
Go to Tokens in the top menu.
Choose Token Operations for the correct hardware token.
Choose Change Token State.
Pick Valid and then choose Save Changes.
The State of the token will now reflect the reason given.

As a user¶

As a user the self-administration is done via the Mideye Servers Self-service Portal.

Register an authenticator app¶

Login to the self-service portal of the Mideye Server.
To register a Hardware Token select Assign Token To User.
Enter the serial number which is found at the back of the TOTP Hardware Token.
Press the button to display a OTP on the hardware token.
Choose the Assign button to finalize the procedure.
The TOTP Hardware Token is now ready for use.

Configure LDAP repository TOTP seeds¶

To setup LDAP repository TOTP seeds, it is required to have access to the LDAP repository as a user who is able to edit and save the permission changes that are needed to be made on the LDAP bind account.

It is also crucial to decide in what type of attribute the seeds should be stored in. The requirement is to store seeds in attributes that support 120 characters or more, and supports unicode.

Once this has been established, proceed with the steps below to configure the LDAP repository TOTP seeds.

Add permissions to LDAP bind account¶

To be able to add TOTP seeds to the LDAP repository, the LDAP bind account which is specified in the 'LDAP Profile' requires 'Read and Write' permission for the specific attribute. In this example, the LDAP bind account will receive permissions to read and write to the following attribute: msDS-cloudExtensionAttribute1

Open the Server Manager
Click on Tools → Active Directory Users and Computers
Right click on the Domain → Properties
Go to Security → Advanced
Click on Add → Select Principal
Select the LDAP bind account and click on OK
In the Applies to: field select Descendant msDS-CloudExtensions objects
Scroll all the way down and click on Clear All
Scroll up and find the attribute msDS-cloudExtensionAttribute1
Click on the check boxes for both Read msDS-cloudExtensionAttribute1 and Write msDS-cloudExtensionAttribute1
Click on OK → Apply → OK

With this the LDAP bind account should now have sufficient permissions to both read and write to the specified attribute.

Verify in the Mideye Server¶

To verify that the LDAP bind account can write in the specified attribute, follow the steps below:

Open the Mideye Dashboard
Click on Directory Settings → LDAP Profiles
Click on the Edit button on the profile that is used
Click on User Attribute
Scroll down until TOTP Secret Cipher Attribute field is visible
Enter msDS-cloudExtensionAttribute1 in the field
Click on Verify and provide the Username of a user that exists on the AD connected to the profile
Click on Verify

With this a text saying Successfully verified LDAP attribute should appear, verifying that the LDAP bind account is able to read and write to that attribute.