10.2.2.3.1. Activation letter enrollment

This article explains on a conceptual level how Airlock 2FA tokens are enrolled using activation letters sent to the user by the service provider.

Goal

  • Understand what token enrollment is in general.
  • Understand how activation letters work.
  • Learn details about prerequisites and limitations of activation letters.

All following procedures are exemplary and will vary according to your setup or needs.

Initial thoughts

Airlock 2FA apps are enrolled by scanning a QR code from either the browser or a hardcopy letter (= activation letter).

It is essential that the QR code is only scanned by the legitimate user. Thus, you must ensure that the QR code is only revealed to the intended user.

Using an activation letter provides high security but only if you trust in the used delivery method (e.g. postal service).

Prerequisites

  • A user account exists in IAM with a communication channel that is trustworthy for sending activation letters (e.g. address for physical mail).

Enrollment via activation letter

The following flow chart shows how an activation letter is used to enroll an Airlock 2FA app.

UC-ActivationLetter
(1)
An administrator or helpdesk generates an activation letter using the IAM Adminapp (or REST API). IAM creates an enrollment in the Futurae cloud and generates a letter (PDF).
(2)
The activation letter is sent in hardcopy to the user (e.g. using a trusted postal service).
(3)
The user receives the activation letter and - by following its instructions - installs the Airlock 2FA app.
(4)
The user scans the QR code on the letter to enroll the app. The app connects to the Futurae cloud for enrollment.
Note that this step does not involve Airlock IAM. The enrollment is therefore possible regardless of the status of the IAM account (e.g. locked account).
(5)
The enrolled app is now stored in the Airlock 2FA app and ready for use.

Enrollments and thus activation letters may be valid for at most 90 days. The validity period is configurable.