Mideye MFA: 11 Authentication Methods
Mideye Server supports eleven authentication types, each combining a static password with a different second-factor method. This page explains what each type does, when to use it, and how they relate to each other.
Quick comparison
Section titled “Quick comparison”| # | Type | Second factor | Challenge-response? | Internet required? | Fallback chain |
|---|---|---|---|---|---|
| 1 | Password | None (single factor) | No | No | — |
| 2 | Mobile | SMS OTP or Mideye+ push OTP | Yes | Yes | Plus (5) |
| 3 | Token | Hardware token OTP (YubiKey, HID) | Yes | Yes (Yubicloud) | — |
| 4 | Concatenated | HID Mini Token OTP (appended to password) | No | Yes (Yubicloud) | — |
| 5 | Plus | Manual OTP from Mideye+ app | Yes | No (generated locally) | — |
| 6 | Touch | Push notification → approve/reject | No | Yes | Magic Link SMS |
| 7 | Touch-Plus | Push → Plus → On-prem TOTP | No | Yes (degrades gracefully) | Plus (5) or On-prem (11) |
| 8 | Touch-Mobile | Push → encrypted SMS → Plus/On-prem | No | Yes (degrades gracefully) | Mobile (2), Plus (5), On-prem (11) |
| 9 | Assisted Login | Approver push notification | No | Yes | Magic Link SMS to approver |
| 10 | Shared Account | User-provided phone/token for OTP | Yes | Yes | — |
| 11 | On-prem | TOTP/HOTP from authenticator app or hardware token | Yes | No | — |
Password-only
Section titled “Password-only”Type 1 — Password
Section titled “Type 1 — Password”The user is authenticated with a static password only. No second factor.
This is single-factor authentication — not MFA. Use it only for low-risk scenarios or as a temporary configuration during initial deployment. Most compliance frameworks (NIS2, GDPR, PCI DSS) require a second factor for remote access.
OTP-based (code entry)
Section titled “OTP-based (code entry)”Type 2 — Mobile
Section titled “Type 2 — Mobile”Password plus a one-time password delivered in real-time. Users with the Mideye+ app receive OTPs via data push (mobile data or Wi-Fi). Users without Mideye+ receive OTPs via SMS. Falls back to Plus (type 5) if the phone is unreachable.
Requires RADIUS challenge-response support on the VPN/firewall.
Type 3 — Token
Section titled “Type 3 — Token”Password plus a one-time password from a hardware token (YubiKey or HID Mini Token). The password and OTP are entered in two separate steps via RADIUS challenge-response.
Type 4 — Concatenated
Section titled “Type 4 — Concatenated”Password plus a hardware token OTP entered as a single string — the OTP is appended directly to the password. For example, if the password is Sd43Erg7 and the OTP is 28592434, the user enters Sd43Erg728592434.
Only supported with HID Mini Token. Does not require challenge-response support — useful for VPNs that don’t support two-step RADIUS dialogues.
Type 5 — Plus
Section titled “Type 5 — Plus”Password plus a manually generated OTP from the Mideye+ app. The user signs a challenge displayed on screen by opening the Mideye+ app and reading the resulting code. Requires Mideye+ activation.
Primarily used as a fallback from Touch (type 6) and Touch-Plus (type 7) when push delivery fails. Can also be used as a standalone type. Requires challenge-response support.
Type 11 — On-prem
Section titled “Type 11 — On-prem”Password plus a TOTP or HOTP code from an authenticator app (Mideye+, Google Authenticator, Microsoft Authenticator, etc.) or a TOTP/HOTP hardware token. The code is validated entirely on the local Mideye Server — no internet connection required.
TOTP seeds are distributed via QR code in the Web Admin GUI or the Self-Service Portal. Requires challenge-response support.
Push-based (no code entry)
Section titled “Push-based (no code entry)”Type 6 — Touch
Section titled “Type 6 — Touch”Password plus a push notification sent to the Mideye+ app. The user taps Approve or Reject — no code entry needed. Does not require challenge-response support on the VPN/firewall.
Users without Mideye+ activated receive a Magic Link via SMS instead, letting them approve the login by clicking a link.
Type 7 — Touch-Plus
Section titled “Type 7 — Touch-Plus”Uses Touch (type 6) as the primary method, with automatic fallback:
- Touch push → if the phone is reachable via data push
- On-prem TOTP → if the user has an on-premise token registered
- Plus → manual OTP from Mideye+ app
This provides the best combination of user experience and resilience. If internet connectivity is lost, authentication degrades gracefully to locally-validated TOTP codes.
Type 8 — Touch-Mobile
Section titled “Type 8 — Touch-Mobile”Uses Touch (type 6) as the primary method, with a deeper fallback chain:
- Touch push → if the phone is reachable via data push
- Encrypted SMS to Mideye+ app → if push fails but the network is available
- On-prem TOTP → if the user has an on-premise token registered
- Plus → manual OTP from Mideye+ app
Touch-Mobile is designed for environments where maximum delivery reliability matters.
Delegated and special-purpose
Section titled “Delegated and special-purpose”Type 9 — Assisted Login
Section titled “Type 9 — Assisted Login”Password plus approval from a designated person. After the user’s password is validated, Mideye sends a push notification to the approver’s Mideye+ app. The approver reviews and taps Accept or Reject.
Used for shared workstations, help desk scenarios, and dual-control environments. See Assisted Login for details.
Type 10 — Shared Account
Section titled “Type 10 — Shared Account”Password plus a second factor tied to a phone number or token that the user provides at login time. After entering their password, the user is prompted for a phone number or token serial number. Mideye looks up the pre-registered number in the directory (otherMobile in AD, Mobile in other LDAP repositories) and uses it for OTP delivery.
Used for shared or generic accounts where multiple people authenticate with the same username but different phones or tokens.
Which type should I use?
Section titled “Which type should I use?”| Scenario | Recommended type |
|---|---|
| Standard VPN/remote access | Touch-Plus (7) — push with TOTP fallback |
| Maximum delivery reliability | Touch-Mobile (8) — push → SMS → TOTP |
| Air-gapped / no internet | On-prem (11) — local TOTP only |
| VPN doesn’t support challenge-response | Touch (6) — push, no challenge-response needed |
| Hardware tokens only | Token (3) or Concatenated (4) |
| Supervised/shared workstations | Assisted Login (9) — approver-based |
| Shared/generic accounts | Shared Account (10) — per-login phone/token |
| Legacy SMS-only | Mobile (2) — SMS OTP |
| Temporary/low-risk | Password (1) — single factor (not recommended) |
Authentication types are assigned per user or per directory group. You can mix types across your user base — different groups can use different methods concurrently.
Next steps
Section titled “Next steps”- Authentication Flows — See how each type works step by step with sequence diagrams
- System Architecture — Understand the components behind each authentication type
- Air-Gapped Authentication — MFA without internet connectivity
- Directory Integration — Assign types via LDAP/AD groups