Question: Which server will be used to host the soft-token software for mobile phones to download?

Answer: The soft-token software and the user provisioning page are hosted on an IIS server. Alternatively, Mi-Token can provide a hosted server for soft-token provisioning.


Question: Does this server need to be in DMZ?

Answer: Yes, it does, and it needs an SSL certificate.


Question: Does the soft-token server need to be a member server of the AD domain supporting Mi-Token or can it be a standalone server?

Answer: It can, and should, be standalone. This helps maintain the integrity of the solution.


Question: Is the soft-token provisioning server, which provides the users with the soft-token provisioning page, a domain server on the internal network?

Answer: Yes.


Question: Is there any relationship between the standalone DMZ server (hosted by Mi-Token) that stores the software for cell phones to download and the soft-token provisioning server?

Answer: Yes, there is a relationship between the two. Both servers share a cryptographic secret (the KEK), but they do not communicate directly at all. The KEK is used to encrypt the URL that users visit on their mobile phones.


Question: How is a specific URL for a specific user to download the software established on the DMZ server? Is this URL a one-time URL?

Answer: This URL is generated by the internal server by encrypting the token secret with the KEK. The URL is indeed one-time, and it also carries a time window within which the user must activate the token (the internal server embeds the current time in the URL as well).
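The following is an added illustration of the two-server scheme described in the last two answers; it is not Mi-Token's own code. The cipher construction (HMAC-SHA256 used as a stream cipher plus an HMAC tag, so that it runs with the Python standard library only), the JSON field layout, the 600-second window, the sample KEK and the `softtoken.example.com` URL are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample KEK shared by both servers (an assumption for this example).
KEK = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
ACTIVATION_WINDOW_SECONDS = 600  # assumed activation window
BASE_URL = "https://softtoken.example.com/activate/"  # placeholder for the DMZ server

def _subkeys(kek):
    # Derive separate encryption and MAC keys from the KEK.
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in for a stream cipher.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def issue_activation_url(kek, token_secret, issued_at=None):
    """Internal server: encrypt the token secret plus the current time under the KEK."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(16)  # fresh per URL; doubles as the one-time-use identifier
    plaintext = json.dumps({"secret": token_secret.hex(), "iat": issued_at}).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return BASE_URL + base64.urlsafe_b64encode(nonce + ciphertext + tag).rstrip(b"=").decode()

def redeem_activation_url(kek, url, used_nonces, now=None):
    """DMZ server: check the tag, decrypt, then enforce the time window and one-time use."""
    now = int(time.time()) if now is None else now
    enc_key, mac_key = _subkeys(kek)
    blob = url[len(BASE_URL):]
    raw = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        return None, "bad tag"  # tampered, or not issued under this KEK
    fields = json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))))
    if not 0 <= now - fields["iat"] <= ACTIVATION_WINDOW_SECONDS:
        return None, "expired"
    if nonce in used_nonces:
        return None, "already used"
    used_nonces.add(nonce)
    return bytes.fromhex(fields["secret"]), "ok"
```

The DMZ server never needs to talk to the internal server: the shared KEK alone lets it verify and decrypt the URL, and the embedded issue time plus its own record of redeemed nonces enforce the window and the one-time property.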