A native credential provider DLL that adds Mideye two-factor authentication at the Windows logon screen itself, on every Remote Desktop session and console logon. Drops in alongside your existing Mideye deployment with no backend changes.
Why the logon screen
Your Mideye Authentication Service already covers VPN, RADIUS-protected apps, ADFS, and RDS. The credential provider extends that protection to the Windows logon screen itself, on every host where users RDP in or sit down at the console. The user types their Windows password as usual; Mideye then prompts for a Touch-Accept on the Mideye+ app, an SMS magic link, or a hardware-token OTP. Windows finishes the logon only when MFA succeeds. No other tile, no fallback, no shortcut.
Stolen credentials are the leading vector for ransomware on Windows fleets. The credential provider intercepts every RDP and console logon, regardless of which application the user is heading for.
Talks to the same Mideye Authentication API or on-prem Mideye Server you already use. A signed MSI lays down two COM DLLs and a configuration tool. No second backend, no new identity store, no AD schema changes.
On-prem mode authenticates to a local Mideye Server with a static Bearer token and supports hardware-token OTP only; no internet egress is required.
Authentication methods
The credential provider chooses based on what's configured per user, so there is no method picker for the user to fumble.
Touch-Accept: The user's Mideye+ app rings; one tap on Approve completes the logon. SMS magic-link fallback for users without the app installed. Reduces phishing risk, since there is no one-time code to trick out of the user.
Hardware-token OTP: One-time codes from HID and YubiKey hardware tokens. Press the button or tap the key, type the code, and you are in. The only method that also works fully air-gapped.
Assisted Login: Four-eyes approval: the user requests; an approver on a separate phone confirms. Approvers can be local SAM users, AD domain users, or external phone-only contacts with no Windows account on the host.
Deployment modes
Same MSI, same configuration tool, same docs. A single registry value (Mode) picks the backend.
In on-prem mode, Touch-Accept and Assisted Login are force-disabled at startup, since the local Mideye Server has no corresponding endpoints.
Safe defaults
Built to keep secrets away from non-admin eyes, keep PII out of the logs, and make a bad deploy harmless.
A misconfigured deployment stays inactive rather than locking users out. Activation is refused unless at least one Break-Glass principal is configured.
API credentials live in a registry key readable only by SYSTEM and Administrators, and are never written to logs or exports. They never leave the host.
Phone numbers and token serials are masked in every log line, including in debug mode. Break-Glass logons are audited individually via Windows Event Log.
Deployment
Pilot install on a single host: wizard, license, install, configure.
msiexec /qn for SCCM, scripted rollouts, and custom orchestration. Per-host JSON config applied separately.
Software Installation policy plus a startup script that applies the per-OU JSON config. Built for AD-joined fleets.
Documentation
Overview: What each piece does: install, registry config, cloud / air-gapped, login schedule, Break-Glass, per-user overrides, approvers, customisation.
Quickstart: Zero to MFA on RDP in ~10 minutes: install, paste Client ID and Secret, add Break-Glass, activate, enforce on RDP.
Architecture: How the credential provider DLL plugs into Windows LogonUI; the MFA decision ladder; cloud and on-prem flow diagrams.
FAQ
Install the signed Mideye Credential Provider MSI on every Windows host where RDP terminates, paste the Client ID and Secret from your Mideye Authentication Service, configure at least one Break-Glass principal, then activate. The Mideye tile replaces the default Windows password tile and prompts for a second factor on every RDP and console logon. Install and configuration take about 15 minutes per host.
Yes. In on-prem mode it talks to a local Mideye Server with a static Bearer token and supports hardware-token OTP only, so no internet egress is required. Cloud mode uses outbound HTTPS to the Mideye Authentication API and adds Touch-Accept and Assisted Login. A single registry value picks the mode per machine.
Windows Server 2019, 2022, and 2025, plus Windows 10 (22H2) and Windows 11 (23H2 or later) desktops. x64 only. Both Active Directory domain-joined hosts and workgroup / standalone hosts are supported. Entra-ID-only joined machines are not currently tested or supported.
It is in early access. Everything described on this page is implemented and documented, and we are running supervised pilot deployments ahead of the 1.0 release. Contact us to join the early-access programme and we will plan the rollout with you.
Run the 10-minute quickstart on a test VM, or talk to us about an early-access pilot in your environment.