Token Card Authentication Guide
As a complement to using a phone as a second authentication factor, Mideye also supports authentication with token cards. Instead of receiving one-time passwords on a mobile phone, users obtain one-time passwords from a token card.
Customers assign token cards to users who require this authentication method. Token cards are ordered from Mideye Support, and YubiKeys can also be obtained from third parties. These tokens are fully integrated into the Mideye system. The only difference compared to authentication with a mobile phone is that the user is assigned the token serial number (e.g., AI0123456789, ubbco123456, or zmub5761949) instead of a mobile number (e.g., +46123456789) in the user repository (LDAP directory or internal Mideye database).
Note
These token cards differ from the on-premise TOTP hardware tokens and are not interchangeable.
Setting Authentication Type in the LDAP Repository
For end-user data read from an external LDAP repository (LDAP users), administration is handled via the administrative interface of the LDAP directory. There are two ways to assign token authentication to LDAP users:
Token Serial Number in the Mobile Phone Field
By registering the user's token serial number, preceded by the prefix AI (for HID mini tokens) or ubbco (for YubiKey), in the mobile phone field (e.g., AI0750123456), the user is automatically assigned the authentication type Token. Note that in this case the Token Number parameter in the User tab must point to the mobile phone field.
Token Serial Number in a Separate Field with Authentication Type Indicated in Another Field
In addition to a separate field for the token serial number, the LDAP administrator can assign another vacant field that indicates which authentication type should be used:
- 1 = Password
- 2 = Mobile
- 3 = Token
- 4 = Concatenated
- 5 = Plus
- 6 = Touch
- 7 = Touch-Plus
- 8 = Touch-Mobile
This field is specified in the Mideye Configuration Tool under the LDAP Servers tab, in the Authentication section, using the parameter Authentication Type Attribute. Also ensure the Read Optional Attributes box is checked; it tells Mideye to look up optional attributes (such as Authentication Type) in the LDAP directory. If the attribute is empty for a user (no authentication method specified), the default authentication method is used.
HID Mini Token Card
HID mini token: weight 16 grams, expected lifetime 6 years with regular use.
Follow these steps to set up an HID token for an end user:
1. Obtain the serial number of the HID token. The serial number is printed on the back of the token. All tokens dispatched from Mideye start with the prefix AI.
2. Add the serial number to the user repository. By default, the Mideye Server searches for token numbers in the ipPhone attribute. Open Active Directory Users and Computers (ADUC), locate the user who will use the token, open the user's properties and, on the Telephones tab, enter the serial number in the IP Phone field.
3. Change the authentication method. The authentication method for the user must be set to Token (if Token is not already the default). Open the web GUI, navigate to LDAP Profiles and edit the LDAP profile: under the Authentication tab, check Read Optional Attributes and enter an LDAP attribute in the Authentication Type Attribute field. The most commonly used attribute is pager, but any attribute that holds no other data can be used. Save and close; the Mideye services are restarted.
4. Assign the authentication type in the user's properties. Open ADUC again, navigate to the Telephones tab for the user and enter 3 in the Pager field; 3 represents token authentication. Refer to the Authentication Types section in the Reference Guide for the meaning of each number.
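Steps 2 and 4 above (and the separate-field method described under Setting Authentication Type in the LDAP Repository) can be scripted against Active Directory. The PowerShell below is an added example written for this guide; it is not Mideye's own tooling. It assumes the ActiveDirectory module is available, that the Mideye LDAP profile reads token numbers from ipPhone and the authentication type from pager (as in the walkthrough), and it uses a hypothetical user name (jdoe) together with the guide's example serial AI0750123456. The function name Set-MideyeTokenUser is invented for the example.

```powershell
# Added example (not Mideye code): assign a token to an AD user with the checks
# an administrator would want before overwriting directory attributes.
Import-Module ActiveDirectory

# Authentication type values as listed in the guide for the Authentication Type Attribute.
$MideyeAuthType = @{
    Password = 1; Mobile = 2; Token = 3; Concatenated = 4
    Plus = 5; Touch = 6; 'Touch-Plus' = 7; 'Touch-Mobile' = 8
}

function Set-MideyeTokenUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $TokenSerial,
        [string] $TokenAttribute    = 'ipPhone',   # default attribute Mideye searches for token numbers
        [string] $AuthTypeAttribute = 'pager',     # the attribute configured as Authentication Type Attribute
        [switch] $Force
    )

    # Accept only the serial formats the guide shows: AI + 10 digits (HID mini token),
    # ubbco + digits (YubiKey) or zmub + digits. A typo here silently leaves the user
    # unable to authenticate, so fail loudly instead of writing it.
    if ($TokenSerial -cnotmatch '^(AI[0-9]{10}|ubbco[0-9]+|zmub[0-9]+)$') {
        throw "Unrecognised token serial format: '$TokenSerial'"
    }

    $user = Get-ADUser -Identity $Identity -Properties $TokenAttribute, $AuthTypeAttribute

    # The authentication type attribute must hold no other data. Refuse to overwrite an
    # unrelated value (for example a real pager number) unless the caller insists.
    $current = $user.$AuthTypeAttribute
    if ($current -and "$current" -ne "$($MideyeAuthType.Token)" -and -not $Force) {
        throw "$AuthTypeAttribute on $Identity already holds '$current'; pass -Force to overwrite"
    }

    # Build the replacement set: token serial plus authentication type 3 (Token).
    $changes = @{}
    $changes[$TokenAttribute]    = $TokenSerial
    $changes[$AuthTypeAttribute] = "$($MideyeAuthType.Token)"

    if ($PSCmdlet.ShouldProcess($Identity, "set $TokenAttribute and $AuthTypeAttribute")) {
        Set-ADUser -Identity $Identity -Replace $changes
    }

    # Read back exactly what Mideye will see on its next LDAP lookup.
    Get-ADUser -Identity $Identity -Properties $TokenAttribute, $AuthTypeAttribute |
        Select-Object SamAccountName, $TokenAttribute, $AuthTypeAttribute
}

# Hypothetical user and the guide's example HID serial.
Set-MideyeTokenUser -Identity 'jdoe' -TokenSerial 'AI0750123456'
```

Run it with -WhatIf first to see which attributes would be written. The script only changes the directory; step 3 (enabling Read Optional Attributes and naming the Authentication Type Attribute in the Mideye LDAP profile) still has to be done in Mideye, otherwise the value 3 in pager is never read.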
Re-synchronisation of HID Mini Token Cards
Token cards generate one-time passwords in a sequence unique to each token (time- and event-synchronous). If more than ten one-time passwords are generated without being submitted for central verification in the token server, the token card falls out of sync with the server and must be re-synchronized. As long as the card is within a window of 100 one-time passwords, it is re-synchronized automatically when the user enters a new one-time password for verification. If the token card is out of sync by more than 100 one-time passwords, it must be re-synchronized manually by Mideye Support; for manual re-synchronization, the token card serial number and the counter value (see the sections below) must be provided.
Token Card Serial Number
The serial number (10 digits) is printed on the label on the back of the token card (e.g., S/N 0123456789). If the printed serial number is not readable, it can also be read from the token display:
1. Generate a new one-time password: press and release the button.
2. Access the serial number display: while the one-time password is displayed, press and hold the button until the following alternating strings appear:
   - ע SN
   - 1 XXXXX
   - 2 YYYYY
3. Record the serial number: it consists of the five digits XXXXX shown after 1, followed by the five digits YYYYY shown after 2. With the AI prefix, the token number to enter in the user repository is AIXXXXXYYYYY.
Token Card Clock Value
To obtain the clock value:
1. Access the serial number display: follow steps 1 and 2 from the Token Card Serial Number section.
2. Access the clock value display: when the serial number is displayed, release the button, then press and hold it again until the following alternating strings appear:
   - ע SN
   - 1 XXXXX
   - 2 YYYYY
3. Record the clock value: it consists of the five digits XXXXX shown after 1, followed by the five digits YYYYY shown after 2.
Token Card Counter Value
To obtain the counter value:
1. Access the serial number display: follow steps 1 and 2 from the Token Card Serial Number section.
2. Access the clock value display: when the serial number is displayed, release the button, then press and hold it again until the clock value is displayed, as described in the Token Card Clock Value section.
3. Access the counter value display: when the clock value is displayed, release the button, then press and hold it again until the following alternating strings appear:
   - ע Count
   - 1 XXXXX
   - 2 YYYYY
4. Record the counter value: it consists of the five digits XXXXX shown after 1, followed by the five digits YYYYY shown after 2.
Note
Older token cards are only event-synchronous and do not have a clock value.