Mideye+ & Touch Accept

Introduction

Users with smartphones can choose to download the Mideye+ app. This enables login also when the phone is not reachable via the mobile network. There is no extra charge using the Mideye+ app and it does not need to be used by the entire organization.

Installation and activating Mideye+ app

The following section will describe how to download and activate the Mideye+ app.

Downloading the Mideye+ app

Mideye+ can be downloaded for both Android and iPhone users. For iPhone users, download the app here or by searching for Mideye+ directly in the App Store. iOS 9.0 or later is required.

Android users can download the Mideye+ app here or search for it directly in Google Play.

Activating the Mideye+ app using iPhone

Once downloaded and installed, open the Mideye+ app. First time opening the Mideye+ app, the message “Mideye+ Would Like to Send You Notification” pops up. Click “Allow” to allow the app to send notifications each time an authentication attempt is made.

The activation consists of 3 steps:

  • Enter the phone number in international format e.g +46735084555 and press “Next” in the top right corner.
Enter phone number in international format.

Enter the phone number in international format.

  • Make an authentication attempt to the corporate resource (e.g Anyconnect, Citrix-portal etc) that is protected with Mideye.
Logon to a resource protected by Mideye.

Logon to a resource protected by Mideye.

  • Once the SMS is received, open the message and click the link. A redirect to the Mideye+ app will take place with the text “Mideye+ activated”.
Click the link in the SMS

Click the link in the SMS

Mideye+ is now activated

Mideye+ is now activated

Activating the Mideye+ app using Android

Once downloaded and installed, open the Mideye+ app. First time opening the Mideye+, the app will ask for permissions. Make sure to click “Allow” to allow the app to send notifications each time an authentication attempt is made.

Allow Mideye+ to make and manage phone calls

Allow Mideye+ to send and view SMS messages

Agree to terms

The activation consists of 2 steps:

  • Enter the phone number in international format e.g +46701234567 and press “Next”.
Enter phone number in internal format

Enter phone number in international format

Start the activation of the app

Start the activation of the app

  • Make an authentication attempt to the corporate resource (e.g Anyconnect, Citrix-portal etc) that is protected with Mideye.

Logon to a resource protected by Mideye.

  • Once the text message is received the activation of Mideye+ will automatically finish.
Activation finished

Mideye+ is now activated

Using Mideye+

When Mideye+ is activated, the app can be used to authenticate when logging on to a protected resource that is using Mideye two-factor authentication. Instead of receiving traditional text-messages containing an OTP, Mideye will send the OTP using data traffic and the OTP will be presented in the phone as a notification.

Mideye+ OTP notification

Mideye+ OTP notification

Sending data OTP instead of traditional text messages have a big advantage when end-users do not have any network coverage, but still have internet access.

Offline manual challenge

Mideye+ also works as a token card and can be used when both network coverage and internet access is missing. When end users try to authenticate, and the phone does not have any coverage, Mideye will instead present the user with the message “Phone not reachable, please sign xxxxxx”.

Message presented to enduser when logging on lacking covarage

The message presented to the end-user when logging on lacking coverage. In this example, Cisco Anyconnect.

To sign, open the Mideye+ app and click “Manual signature at the bottom of the screen”

Enter the challenge and click sign

Enter the challenge and click sign.

Enter the OTP generated in the Mideye+ app at the login site.

Enter the OTP presented in the Mideye+

Enter the OTP presented in the Mideye+

Troubleshooting Mideye+

Offline signing of challenge

If manual signing does not work, but instead the end-user is presented with a failed authentication, it is likely because the RADIUS timeout of the RADIUS client is set to less than 35 seconds. Refer to the section “Troubleshooting RADIUS client” in the Configuration guide.

User is not receiving any notifications when using Mideye+

For Mideye+ to function correctly it is important that the end-user accepts that Mideye+ can present notifications. This question is presented to the end-user only once after installing the app. If the user accidentally pressed “Deny” instead of “Allow”, no notifications with OTP will be shown during authentication. To manually fix this follow the instructions below:

Iphone users

  1. Tap the “Settings” icon.
  2. Scroll down and tap “Notifications”
  3. Tap Mideye+ in the “Notification style”
  4. Enable “Allow Notifications”
Enable notifications

Enable notifications

Android users

Enabling notifications vary depending on what version of Android is being used. Refer to each manufacturer’s manual for details.

Android is not presenting any notifications while the phone is in battery saving mode

If the phone is low on battery and the end-user enables battery saving mode, Mideye+ must be excluded to still be able to present notifications when authenticating. The example below shows how to achieve this using a Samsung phone. For other phones, refer to the manual from the manufacturer.

  1. Open “Settings”
  2. Open “Battery” and navigate to “Unmonitored Apps”
  3. Click “Add apps” and select Mideye+ followed by “Done”
Add Mideye+ to unmonitored apps

Add Mideye+ to unmonitored apps

Touch Accept

To further ease the authentication process, Touch Accept can be used to simply allow or deny an authentication attempt. This function can be enabled from the Mideye configuration tool and does only affect those users that have Mideye+ installed on their cellphones. Also, Touch Accept does not use Challenge Respons when authenticating, which enables two-factor authentication on applications and services that do not have support for traditional two-factor authentication.

Enabling Touch Accept

Open the Mideye configuration tool and navigate to “LDAP Servers”. Select the LDAP-server that is being used, and click modify. Select the tab “Authentication” and change the “Default authentication type” to 6, 7 or 8 depending if there should be a fallback available to traditional OTP. Fallbacks are only efficient if the authentication service supports challenge-response. In those cases, if for any reason Touch accept would fail, a normal OTP will be sent to the phone. If the authentication service does not have any support for challenge-response, authentication type 6 will be the only option.

Change the authentication type to 6,7 or 8 to enable Touch Accept.

Change the authentication type to 6, 7 or 8 to enable Touch Accept.

Click “Save” followed by “Close” to restart the services.

To verify if the configuration is working, simply perform an authentication attempt to any Mideye enabled service. Now, instead of receiving an OTP to the Mideye+ app, a question to allow or deny the login will be presented. Since authentication type 8 (Touch-mobile) was selected in the previous step, an OTP will be sent if Touch should fail.

Login using Touch Accept

Login using Touch Accept.