Offline Authentication

Air-Gapped Mode

Multi-factor authentication for isolated and classified networks

Air-gapped mode allows Mideye Server to operate in fully isolated networks without any connection to the internet or Mideye's central infrastructure.

It is designed for classified environments, critical infrastructure, and high-security data centers where network isolation is mandatory. This on-premises multi-factor authentication solution enables secure authentication entirely on-site using passwords and locally provisioned hardware TOTP tokens.

When Should You Use Air-Gapped Mode?

Classified Networks

Government, defense, and intelligence environments requiring complete network isolation.

Critical Infrastructure

Power plants, water treatment, and industrial control systems where internet access is prohibited.

Isolated Data Centers

Secure processing environments with no external network connectivity.

Compliance Requirements

Regulatory frameworks requiring authentication without cloud dependencies.

How Does Air-Gapped Mode Work?

Fully On-Premises

Mideye Server runs entirely within your isolated network. No external connections required during normal operation.

Password: Active Directory or local database
TOTP: Hardware tokens or authenticator apps

How Do You Enable Air-Gapped Mode?

Air-gapped mode is configured during initial Mideye Server setup through the Install Wizard:

  1. During the Switch Configuration step, click "Show Advanced Settings"
  2. Check the Air-Gapped Mode checkbox
  3. The Switch connection fields become optional
  4. Complete the remaining setup steps
⚠️ Important

Air-gapped mode is a permanent configuration choice made during setup. Switching between connected and air-gapped mode after initial deployment requires reinstallation.

What Authentication Methods Work in Air-Gapped Mode?

In air-gapped mode, authentication methods are limited to those that work without external connectivity:

Password Authentication

Validates against Active Directory or local Mideye user database. Standard first factor for all users.

TOTP (Time-based One-Time Password)

Hardware tokens (YubiKey, HID) or authenticator apps (Google Authenticator, Microsoft Authenticator). Tokens are provisioned locally and work offline.

What Features Are Not Available in Air-Gapped Mode?

The following features require connectivity to Mideye's central infrastructure and are disabled in air-gapped mode:

SMS One-Time Password: Requires connection to SMS gateway
Mideye+ Push Notifications: Requires connection to push notification service
Magic Link: Requires email delivery and external link validation
Mideye Shield: Requires threat intelligence from central service

How Do You Provision Tokens in Air-Gapped Environments?

In air-gapped environments, TOTP tokens must be provisioned through one of these methods:

Hardware Tokens

Pre-programmed OATH TOTP hardware tokens can be imported via PSKC files. Seeds are loaded during deployment without network access.
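
As an added illustration (not Mideye's import code), the sketch below audits a PSKC container (RFC 6030) before it is carried into the isolated network, flagging seeds that travel in plaintext or are shorter than the 128-bit minimum in RFC 4226. The sample container, the serial numbers and the `audit_pskc` helper are constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:ietf:params:xml:ns:keyprov:pskc"}
TOTP_URN = "urn:ietf:params:xml:ns:keyprov:pskc:totp"

# Constructed sample: one plaintext seed, one (empty placeholder) encrypted seed.
SAMPLE = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
 <KeyPackage>
  <DeviceInfo><SerialNo>TOKEN-0001</SerialNo></DeviceInfo>
  <Key Id="k1" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
   <Data>
    <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
    <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
   </Data>
  </Key>
 </KeyPackage>
 <KeyPackage>
  <DeviceInfo><SerialNo>TOKEN-0002</SerialNo></DeviceInfo>
  <Key Id="k2" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
   <Data><Secret><EncryptedValue/></Secret></Data>
  </Key>
 </KeyPackage>
</KeyContainer>"""

def audit_pskc(xml_text):
    """Return (serial, findings) per key package; never echoes a seed."""
    report = []
    for pkg in ET.fromstring(xml_text).findall("p:KeyPackage", NS):
        serial = pkg.findtext("p:DeviceInfo/p:SerialNo", "?", NS)
        key = pkg.find("p:Key", NS)
        if key is None:
            report.append((serial, ["no key element"]))
            continue
        findings = []
        if key.get("Algorithm") != TOTP_URN:
            findings.append("not a TOTP key")
        plain = key.findtext("p:Data/p:Secret/p:PlainValue", None, NS)
        if plain is not None:
            findings.append("seed stored in plaintext")
            if len(base64.b64decode(plain.strip())) < 16:
                findings.append("seed shorter than 128 bits")
        elif key.find("p:Data/p:Secret/p:EncryptedValue", NS) is None:
            findings.append("no seed present")
        report.append((serial, findings))
    return report
```

A container with plaintext seeds is as sensitive as the tokens themselves, so the transfer media should be handled and wiped accordingly.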


Authenticator Apps

TOTP secrets can be provisioned to authenticator apps via QR code displayed locally. The provisioning happens inside the isolated network.

Operational Considerations

Software Updates

Updates must be transferred via secure media (USB, approved file transfer). Download packages from our downloads page on a connected system and transfer them to your air-gapped environment.

License Management

Air-gapped deployments use offline license activation. Contact our support team for offline licensing arrangements.

Time Synchronization

TOTP authentication requires accurate time. Ensure your isolated network has a reliable NTP source or GPS-synchronized time server.
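
To show why clock accuracy matters, here is an added example (not Mideye's implementation) of RFC 6238 TOTP validation with a tolerance window, run against a server clock that is in sync, 25 seconds fast and 90 seconds fast. The seed is the RFC 6238 test seed; the `verify` helper, the window of one 30-second step and the 8-digit length (chosen to match the RFC test vectors) are assumptions for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, server_time: int, window: int = 1, step: int = 30):
    """Return the matching step offset (token minus server clock), or None."""
    # Try the server's own step first, then its nearest neighbours.
    for drift in sorted(range(-window, window + 1), key=abs):
        candidate = totp(secret, server_time + drift * step, step, len(code))
        if hmac.compare_digest(candidate, code):
            return drift
    return None

# Constructed scenario: the token's clock is correct, the server's may not be.
SEED = b"12345678901234567890"      # RFC 6238 Appendix B test seed
TOKEN_TIME = 1111111109
CODE = totp(SEED, TOKEN_TIME, digits=8)

def demo():
    return {
        "in_sync": verify(SEED, CODE, TOKEN_TIME),
        "server_25s_fast": verify(SEED, CODE, TOKEN_TIME + 25),
        "server_90s_fast": verify(SEED, CODE, TOKEN_TIME + 90),
    }

if __name__ == "__main__":
    for case, offset in demo().items():
        print(f"{case}: {'rejected' if offset is None else f'accepted, offset {offset}'}")
```

Logging the returned offset per authentication gives early warning of a drifting server or token clock before valid codes start being rejected.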

Critical Infrastructure Compliance

Air-gapped deployment addresses security requirements for critical infrastructure and zero-trust supply chain security.

🇪🇺 NIS2 & Swedish Cybersäkerhetslagen — Supply Chain Security

Requirement: Essential entities (critical infrastructure) must manage supply chain risks in their security measures.

How air-gapped mode addresses this: Zero external dependencies for authentication. No cloud services, no third-party authentication providers, no internet connectivity required. Eliminates supply chain attack surface for authentication infrastructure.


🏦 DORA Article 11 — Third-Party Risk Management

Requirement: "Policies to identify, monitor, and manage third-party dependencies and concentrations."

How air-gapped mode addresses this: Eliminates runtime dependencies on external authentication providers (no Apple, Google, or SMS carrier dependencies). Authentication is 100% under your control with no third-party service concentration risk.


🔒 ISO/IEC 27001:2022 — Network Segmentation

Supports network segmentation best practices for high-security environments (industrial control systems, classified networks, operational technology).

How air-gapped mode addresses this: Authentication infrastructure remains entirely within your security perimeter. No breach of network segmentation policies for authentication purposes.

Use case: Air-gapped mode is specifically designed for critical infrastructure (energy, water, transportation), classified environments, industrial control systems (ICS/SCADA), and organizations with strict network isolation policies. For standard deployments, our hybrid architecture provides Swedish data sovereignty with operational flexibility. See our compliance hub for framework mappings.

Ready for Air-Gapped Deployment?

Contact our team to discuss your isolated environment requirements and plan your deployment.
