Hardware tokens

Token authentication

As a complement to the authentication type “Mobile”, Mideye supports authentication with token cards. Instead of receiving one-time passwords on the mobile phone, the user reads them from a token card.

The customer assigns token cards to the users that require this authentication method. Token cards are ordered from Mideye Support and are fully integrated in the Mideye system. The only difference compared to authentication with the mobile phone is that, in the user repository (LDAP directory or internal Mideye database), the user is assigned the token serial number (e.g. AI0123456789, ubbc0123456 or zmub5761949) instead of the mobile number (e.g. +46123456789).

Setting Authentication Type in the LDAP repository

For end-user data that is read from an external LDAP repository (LDAP users), administration is done in the administrative interface of the LDAP directory. There are two ways to assign token authentication to LDAP users:

Token serial number in the mobile phone field

Register the user’s token serial number, preceded by the prefix “AI” (HID mini tokens) or “ubbc0” (YubiKeys provided by Mideye), in the mobile phone field (e.g. AI0750123456); the user is then automatically assigned the authentication type “Token”. Note that in this case the “Token Number” parameter in the tab “User” must be set to the mobile phone field.

Token serial number in a separate field, with the authentication type indicated in yet another field

In addition to a separate field for the token serial number, the LDAP administrator can assign yet another vacant field that indicates which authentication type should be used (1=Password, 2=Mobile, 3=Token, 4=Concatenated, 5=Plus, 6=Touch, 7=Touch-Plus, 8=Touch-Mobile). This field is specified in the Mideye Configuration Tool, tab “LDAP Servers”, tab “Authentication”, parameter “Authentication Type Attribute”. The box “Read Optional Attributes” must also be checked; it tells Mideye to read certain optional attributes, such as the authentication type, from the LDAP directory. If no authentication method is specified in the LDAP attribute (the field is empty), the default authentication method is used.
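
The following is an added example, not Mideye code, that applies the rules described above to directory entries before a deployment goes live: a serial with prefix “AI” or “ubbc0” in the token-number field selects “Token” automatically, a non-empty Authentication Type Attribute overrides that when “Read Optional Attributes” is enabled, and an empty attribute falls back to the server default. The attribute names (ipPhone, pager), the sample entries, the treatment of an unknown code as empty, and the classification of the “zmub” prefix (third-party YubiKeys, see below) as a token are assumptions made for the example.

```python
"""Resolve the Mideye authentication type of LDAP entries and flag inconsistencies.

Added example for this page, not Mideye code. Attribute names, sample entries,
the handling of unknown codes and the "zmub" prefix are assumptions.
"""
from dataclasses import dataclass

# Codes of the "Authentication Type Attribute", as listed on this page.
AUTH_TYPES = {
    "1": "Password", "2": "Mobile", "3": "Token", "4": "Concatenated",
    "5": "Plus", "6": "Touch", "7": "Touch-Plus", "8": "Touch-Mobile",
}

# Serial-number prefixes: HID mini token, Mideye YubiKey, third-party YubiKey.
# "zmub" is an assumption; the page only states that AI and ubbc0 auto-select Token.
TOKEN_PREFIXES = ("AI", "ubbc0", "zmub")


@dataclass
class LdapConfig:
    """The Configuration Tool settings the rules depend on (attribute names assumed)."""
    token_number_attr: str = "ipPhone"   # "Token Number" (default attribute)
    auth_type_attr: str = "pager"        # "Authentication Type Attribute"
    read_optional_attrs: bool = True     # "Read Optional Attributes" box
    default_type: str = "Mobile"         # server default authentication type


def is_token_serial(value: str) -> bool:
    return value.startswith(TOKEN_PREFIXES)


def resolve_auth_type(entry: dict, cfg: LdapConfig) -> tuple[str, list[str]]:
    """Return (authentication type, warnings) for one directory entry."""
    warnings = []
    number = (entry.get(cfg.token_number_attr) or "").strip()
    code = ""
    if cfg.read_optional_attrs and cfg.auth_type_attr:
        code = (entry.get(cfg.auth_type_attr) or "").strip()

    if code and code not in AUTH_TYPES:
        # Assumption: an unrecognised code is treated like an empty attribute.
        warnings.append(f"unknown authentication type code {code!r}, treated as empty")
        code = ""

    if code:
        auth_type = AUTH_TYPES[code]          # explicit attribute wins
    elif is_token_serial(number):
        auth_type = "Token"                   # prefix selects Token automatically
    else:
        auth_type = cfg.default_type          # empty attribute: server default

    # Consistency checks a deployment audit would want before going live.
    if auth_type == "Token" and not is_token_serial(number):
        warnings.append(f"type Token but {cfg.token_number_attr}={number!r} is not a token serial")
    if auth_type == "Mobile" and is_token_serial(number):
        warnings.append(f"type Mobile but {cfg.token_number_attr}={number!r} is a token serial")
    return auth_type, warnings


def audit(users: dict, cfg: LdapConfig) -> dict:
    """Resolve every user; returns {name: (auth_type, warnings)}."""
    return {name: resolve_auth_type(entry, cfg) for name, entry in users.items()}


# Constructed sample entries (not real directory data).
SAMPLE_USERS = {
    "alice": {"ipPhone": "AI0750123456", "pager": ""},           # HID token, auto Token
    "bob":   {"ipPhone": "+46123456789", "pager": ""},           # mobile number, default type
    "carol": {"ipPhone": "ubbc0643451004116861", "pager": "3"},  # Mideye YubiKey, explicit 3
    "dave":  {"ipPhone": "+46123456789", "pager": "3"},          # explicit Token, no serial
    "erin":  {"ipPhone": "zmub5761949", "pager": "9"},           # invalid code
}

if __name__ == "__main__":
    for name, (auth_type, warnings) in audit(SAMPLE_USERS, LdapConfig()).items():
        print(f"{name:6} {auth_type:8} {'; '.join(warnings)}")
```

Run it against an export of the relevant attributes before enabling “Read Optional Attributes”: an entry like dave above (type code 3 but a mobile number in the token field) would lock the user out, and erin shows why the chosen attribute must not carry any other data.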

YubiKey token card

Starting from release 4.5.2, Mideye Server supports both YubiKeys provided by Mideye and YubiKeys obtained from third parties.

Yubikey

YubiKey 4 series. Weight 4 grams (YubiKey 4), expected lifetime 18 years if used on a regular basis.

Yubikeys provided by Mideye

Mideye can dispatch YubiKeys to the customer’s IT department or ship them directly to the end user. These YubiKeys come preconfigured and authenticate directly against Mideye’s cloud service.

Complete the following steps to set up a token for an end-user:

  1. Obtain the serial number of the YubiKey: The serial number is printed on the back of the token. If it is not visible, attach the YubiKey to a computer, open a text editor, touch the button on the YubiKey and copy the first 12 characters, e.g. ubbc0643451004116861. All tokens dispatched from Mideye start with ubbc0.
  2. Add the serial number to the user repository: By default, Mideye Server looks for token numbers in the ipPhone attribute. Open ADUC, locate the user that should use the token, open the user’s properties and go to the “Telephones” tab. Enter the serial number in the IP Phone field.
  3. Change the authentication method: The user’s authentication method must be changed to Token (unless Token is already the default authentication type). Open the Configuration Tool and go to “LDAP Servers”. Click “Modify” and select the “Authentication” tab. Check “Read optional attributes” and enter an LDAP attribute under “Authentication type attribute”. This example uses the LDAP attribute “pager”, but any other attribute can be used, as long as it holds no other data. Save and close to restart the Mideye services.
  4. Open ADUC again, open the “Telephones” tab for the user and enter the number 3 in the Pager field. See the authentication section of the configuration guide for what each number in the authentication type list represents.
Add the serial number

Enable read optional attribute.

Add the number 3 to the pager field. 3 will represent token authentication.

Yubikeys obtained from third parties

Mideye Server also supports YubiKeys that have been bought commercially. For example, a YubiKey that is already used to log on to Facebook or to an end user’s private computer can also be used to log in to the corporate network protected by Mideye. Be advised that the authentication is then performed directly against YubiCloud, whose availability Mideye cannot control.

Complete the following steps to set up a commercial YubiKey for an end user:

  • Obtain a YubiKey from a reseller. Yubico.com provides all the common YubiKeys. YubiKeys are registered with YubiCloud by default. To verify, visit https://demo.yubico.com and authenticate using the YubiKey; the site also shows the YubiKey serial and the Yubico-provisioned credential identity. If authentication fails, visit https://upload.yubico.com to upload the key manually.
Yubico authentication test page.

  • Obtain the serial number of the YubiKey: The serial number is printed on the back of the token. If it is not visible, copy the YubiKey serial number from https://demo.yubico.com. Mideye requires the prefix zmub followed by the serial number, e.g. zmub5761949.
  • Add the serial number to the user repository: By default, Mideye Server looks for token numbers in the ipPhone attribute. Open ADUC, locate the user that should use the token, open the user’s properties and go to the “Telephones” tab. Enter the serial number in the IP Phone field.
Add the serial number in the IP Phone field

  • Change the authentication method: The user’s authentication method must be changed to Token (unless Token is already the default authentication type). Open the Configuration Tool and go to “LDAP Servers”. Click “Modify” and select the “Authentication” tab. Check “Read optional attributes” and enter an LDAP attribute under “Authentication type attribute”. This example uses the LDAP attribute “pager”, but any other attribute can be used, as long as it holds no other data. Save and close to restart the Mideye services.
  • Open ADUC again, open the “Telephones” tab for the user and enter the number 3 in the Pager field. See the authentication section of the configuration guide for what each number in the authentication type list represents.

Add the number 3 to the pager field. 3 will represent token authentication.

HID Mini token card

HID mini token

HID mini token. Weight 16 grams, expected lifetime 6 years if used on a regular basis.

Complete the following steps to set up an HID token for an end user:

  1. Obtain the serial number of the HID token: The serial number is printed on the back of the token. It is registered with the prefix AI in front of the digits (e.g. AI0123456789); all tokens dispatched from Mideye use this prefix.
  2. Add the serial number to the user repository: By default, Mideye Server looks for token numbers in the ipPhone attribute. Open ADUC, locate the user that should use the token, open the user’s properties and go to the “Telephones” tab. Enter the serial number in the IP Phone field.
  3. Change the authentication method: The user’s authentication method must be changed to Token (unless Token is already the default authentication type). Open the Configuration Tool and go to “LDAP Servers”. Click “Modify” and select the “Authentication” tab. Check “Read optional attributes” and enter an LDAP attribute under “Authentication type attribute”. This example uses the LDAP attribute “pager”, but any other attribute can be used, as long as it holds no other data. Save and close to restart the Mideye services.
  4. Open ADUC again, open the “Telephones” tab for the user and enter the number 3 in the Pager field. See the authentication section of the configuration guide for what each number in the authentication type list represents.
Add the serial number

Enable read optional attribute.

Add the number 3 to the pager field. 3 will represent token authentication.
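The three procedures above (YubiKeys from Mideye, third-party YubiKeys, HID mini tokens) differ only in the serial prefix, so the following added example, which is not Mideye or Microsoft code, performs the repository side of all three in one place: it validates the prefix the page specifies (AI, ubbc0 or zmub), writes the serial to ipPhone (the default Token Number attribute), puts the code 3 (Token) into the attribute chosen as Authentication Type Attribute (pager here) and checks that this attribute holds no other data. The output is standard LDIF for `ldifde -i -f` or `ldapmodify`. The DNs, serials and directory dump are constructed, and the 10-digit rule for HID serials follows the S/N format given in the re-synchronisation section below.

```python
"""Produce LDIF change records that assign a hardware token to an AD user.

Added example for this page, not Mideye or Microsoft code. DNs, serials,
the directory dump and the serial digit rules are constructed/assumed.
"""
import re

AUTH_TYPE_TOKEN = "3"                 # 3 = Token in the authentication type list
VALID_TYPE_CODES = set("12345678")    # codes 1..8 from the list above

# Accepted serial formats. Only the prefixes come from the page; the HID
# length follows the 10-digit S/N, the YubiKey character classes are assumed.
SERIAL_PATTERNS = {
    "hid":            re.compile(r"^AI\d{10}$"),
    "yubikey-mideye": re.compile(r"^ubbc0[0-9a-z]+$"),
    "yubikey-3rd":    re.compile(r"^zmub\d+$"),
}


def classify_serial(serial: str) -> str:
    """Return the token kind for a serial, or raise if it is not a valid token serial."""
    for kind, pattern in SERIAL_PATTERNS.items():
        if pattern.match(serial):
            return kind
    raise ValueError(f"{serial!r} is not a valid token serial (expected AI/ubbc0/zmub prefix)")


def ldif_assign_token(dn: str, serial: str,
                      token_attr: str = "ipPhone", type_attr: str = "pager") -> str:
    """One LDIF modify record: set the token serial and the authentication type 3."""
    kind = classify_serial(serial)
    lines = []
    if kind == "yubikey-3rd":
        # Caveat from the page: third-party keys are verified against YubiCloud.
        lines.append("# third-party YubiKey: verified against YubiCloud, "
                     "availability not controlled by Mideye")
    lines += [
        f"dn: {dn}",
        "changetype: modify",
        f"replace: {token_attr}",
        f"{token_attr}: {serial}",
        "-",
        f"replace: {type_attr}",
        f"{type_attr}: {AUTH_TYPE_TOKEN}",
        "-",
    ]
    return "\n".join(lines) + "\n"


def attribute_conflicts(directory: dict, type_attr: str = "pager") -> list[str]:
    """DNs whose chosen Authentication Type Attribute already holds other data.

    The page requires that attribute to be free of other data: anything that is
    not empty and not a code 1..8 would be read as an authentication type.
    """
    return [dn for dn, attrs in directory.items()
            if (attrs.get(type_attr) or "").strip() not in VALID_TYPE_CODES | {""}]


def build_ldif(assignments: list[tuple[str, str]]) -> str:
    """Join the records with a blank line, as an LDIF file expects."""
    return "\n".join(ldif_assign_token(dn, serial) for dn, serial in assignments)


# Constructed sample data (not real users or serials).
ASSIGNMENTS = [
    ("CN=Alice,OU=Users,DC=example,DC=com", "AI0750123456"),          # HID mini token
    ("CN=Carol,OU=Users,DC=example,DC=com", "ubbc0643451004116861"),  # YubiKey from Mideye
    ("CN=Frank,OU=Users,DC=example,DC=com", "zmub5761949"),           # third-party YubiKey
]
DIRECTORY_DUMP = {
    "CN=Alice,OU=Users,DC=example,DC=com": {"pager": ""},
    "CN=Bob,OU=Users,DC=example,DC=com":   {"pager": "+46 8 123 45 67"},  # real pager number
}

if __name__ == "__main__":
    print("conflicts in pager:", attribute_conflicts(DIRECTORY_DUMP))
    print(build_ldif(ASSIGNMENTS))
```

Run the conflict check against an export of the whole directory before choosing the attribute, since step 3 makes Mideye read it for every user, not only for token users. For a single user the same change can be typed directly in PowerShell: `Set-ADUser -Identity alice -Replace @{ipPhone='AI0750123456'; pager='3'}`. The Configuration Tool change in step 3 must be saved before the directory values have any effect.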

Re-synchronisation of HID Mini token cards

Each token card produces one-time passwords in a sequence that is unique to that token (time- and event-synchronous). If more than ten one-time passwords are generated from the token card without being entered for central verification in the token server, the card goes out of sync with the server and must be re-synchronised. Within a window of 100 one-time passwords the card is re-synchronised automatically by entering a new one-time password for verification. If the card is out of sync by more than 100 one-time passwords, it must be re-synchronised manually by Mideye Support, who need the token card serial number and the counter value.
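The following simulation is an added example, not Mideye or HID code. The page does not describe the HID mini token's OTP algorithm, so HOTP (RFC 4226, HMAC-SHA1 over an event counter) stands in for it; what the example shows is the policy described above, with the windows read as counter steps: a password up to 10 steps ahead is accepted, between 11 and 100 steps the server asks for a new password and accepts the pair if they are consecutive, and beyond 100 steps the password is rejected until Support resets the counter. The key, the serial and the mapping of the windows to counter steps are constructed or assumed.

```python
"""Simulate how a token server re-synchronises an event-synchronous token card.

Added example for this page, not Mideye or HID code. HOTP is a stand-in for the
real token algorithm; key, serial and window semantics are constructed/assumed.
"""
import hashlib
import hmac
import struct

ACCEPT_WINDOW = 10     # "more than ten" unverified passwords -> out of sync
RESYNC_WINDOW = 100    # automatic re-synchronisation window


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TokenCard:
    """The hand-held side: every button press advances the counter by one."""
    def __init__(self, serial: str, key: bytes):
        self.serial, self.key, self.counter = serial, key, 0

    def press(self) -> str:
        self.counter += 1
        return hotp(self.key, self.counter)


class TokenServer:
    """The verifying side: remembers the last accepted counter per serial."""
    def __init__(self):
        self.state = {}   # serial -> {"key", "last", "pending"}

    def register(self, serial: str, key: bytes) -> None:
        self.state[serial] = {"key": key, "last": 0, "pending": None}

    def verify(self, serial: str, otp: str) -> str:
        st = self.state[serial]
        key, last = st["key"], st["last"]
        # Second password of a re-sync: it must be the one right after the candidate.
        if st["pending"] is not None:
            candidate, st["pending"] = st["pending"], None
            if hmac.compare_digest(hotp(key, candidate + 1), otp):
                st["last"] = candidate + 1
                return "resynced"
        # Only counters after the last accepted one are searched, so a replayed
        # password is rejected even though it once verified.
        for c in range(last + 1, last + 1 + RESYNC_WINDOW):
            if hmac.compare_digest(hotp(key, c), otp):
                if c - last <= ACCEPT_WINDOW:
                    st["last"] = c
                    return "ok"
                st["pending"] = c          # out of sync: ask for a new password
                return "resync-required"
        return "reject"                    # more than 100 ahead, or not this token

    def manual_resync(self, serial: str, counter: int) -> None:
        """Support sets the counter value read from the token display."""
        self.state[serial].update(last=counter, pending=None)


def demo() -> list[str]:
    """Walk a constructed token through the cases described above."""
    key = b"constructed-demo-secret"            # real cards hold a factory key
    card = TokenCard("AI0123456789", key)        # serial constructed
    srv = TokenServer()
    srv.register(card.serial, key)
    out = [srv.verify(card.serial, card.press())]            # in sync
    for _ in range(5):
        card.press()                                         # 5 unverified presses
    out.append(srv.verify(card.serial, card.press()))        # within 10: accepted
    for _ in range(50):
        card.press()                                         # 50 unverified presses
    out.append(srv.verify(card.serial, card.press()))        # out of sync
    out.append(srv.verify(card.serial, card.press()))        # consecutive: resynced
    for _ in range(150):
        card.press()                                         # beyond the window
    out.append(srv.verify(card.serial, card.press()))        # rejected
    srv.manual_resync(card.serial, card.counter)             # Support resets counter
    otp = card.press()
    out.append(srv.verify(card.serial, otp))                 # accepted again
    out.append(srv.verify(card.serial, otp))                 # replay: rejected
    return out


if __name__ == "__main__":
    print(demo())
```

The search always starts after the last accepted counter, which is what makes a re-entered password fail; widening the window only trades a larger tolerance for unverified presses against a larger guessing surface per attempt, which is why the automatic window is capped and anything beyond it goes through Support with the serial number and counter value.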

Token card serial number

The serial number (10 digits) is printed on the label on the back of the token card (e.g. S/N 0123456789). If the printed serial number is not readable, it can also be read from the token display:

  • Generate a new one-time password, release the button.
  • When the one-time password is displayed, press and hold the button again until the following appears on the display (three alternating strings):
    • SN
    • 1 XXXXX
    • 2 YYYYY

The serial number consists of the five digits XXXXX after the digit 1, followed by the five digits YYYYY after the digit 2.

Token card clock value

The clock value is obtained as follows:

  • Generate a new one-time password, release the button.
  • When the one-time password is displayed, press and hold the button again until the following appears on the display (three alternating strings):
    • SN
    • 1 XXXXX
    • 2 YYYYY

This is the serial number of the token.

  • When the serial number is displayed, release the button, press it again, and hold it until the following appears on the display (three alternating strings):
    • Clock
    • 1 XXXXX
    • 2 YYYYY

The clock value consists of the five digits XXXXX after the digit 1, followed by the five digits YYYYY after the digit 2.

Token card counter value

The counter value is obtained as follows:

  • Generate a new one-time password, release the button.
  • When the one-time password is displayed, press and hold the button again until the following appears on the display (three alternating strings):
    • SN
    • 1 XXXXX
    • 2 YYYYY

This is the serial number of the token.

  • When the serial number is displayed, release the button, press it again, and hold it until the following appears on the display (three alternating strings):
    • Clock
    • 1 XXXXX
    • 2 YYYYY

This is the token clock value.

  • When the clock value is displayed, release the button, press it again, and hold it until the following appears on the display (three alternating strings):
    • Count
    • 1 XXXXX
    • 2 YYYYY

The counter value consists of the five digits XXXXX after the digit 1, followed by the five digits YYYYY after the digit 2.

Note: Older token cards are only event-synchronous and do not have a clock value.