17.2.2.6.2. Configuration

Check out the demo configuration - it contains a pre-configured selection step for device tokens.

It also provides the configuration to manage device tokens in the Adminapp using a Generic Token Controller plugin.

The Loginapp REST API must be configured as follows:

  • For device token registration:
    • Loginapp >> REST Settings >> User Token Settings >> Device Registration Settings
  • Authentication Flow if device token authentication is used as the first factor:
    • Loginapp >> Authentication Flows >> <Application without device token authentication> >> Authentication Flow
      • First Step: a username password step
      • Second Step: e.g. MTAN
      • Add "tags" and "skip" conditions to meet your requirements.
    • Loginapp >> Authentication Flows >> <Application with device token authentication> >> Authentication Flow
      • First Step: device token step
      • Second Step: e.g. MTAN
      • Add "tags" and "skip" conditions to meet your requirements.
  • Authentication flow if device token authentication is used as 2nd factor:
    • Loginapp >> Authentication Flows >> <some application> >> Authentication Flow
    • First Step: a username password step
    • Second Step: "Selection" (selects between 2nd factor and Device Tokens if available)
      • Available Option 1: the 2nd factor of your choice (e.g. MTAN)
      • Available Option 2: 
        • Name: "DEVICE_TOKEN"
        • Steps: "Device Token Authentication"
        • Condition: "Has Device Token"
    • Add "tags" and "skip" conditions to meet your requirements.

The Adminapp may be configured to enable device token management (e.g. for the help desk):

  • Adminapp >> Users >> Authentication Tokens (Credentials)
  • Add a Generic Token Controller with the following properties:
    • ID: DEVICE_TOKEN (unless a different identifier has been configured in the Device Registration Settings in the Loginapp.
    • User Interface: Default Token Controller UI with the following elements (as required):
      • Text Message: Device ID (Value "data.id")
      • Text Message or input field: Device Label (Value: "data.attributes.label")
      • Text Message or input field: Device Serial (Value: "data.attributes.serial")
      • Text Message: "Enabled?" (Value: "data.attributes.enabled")
      • Text Message: "First used" (Value: "data.attributes.firstUsage") 
      • Text Message: "Latest used" (Value: "data.attributes.latestUsage") 
      • Text Message: "Total usages" (Value: "data.attributes.totalUsages")
      • Text Message: "Valid from" (Value: "data.attributes.validFrom")
      • Text Message: "Valid to" (Value: "data.attributes.validTo")
      • Button: "Enable" with remote action 
        • POST on "/users/{{userId}}/tokens/generic/DEVICE_TOKEN/{{data.id}}/enable/"
        • On success "update element"
        • Visible if: data.attributes.enabled === false
      • Button: "Disable" with remote action 
        • DELET on  "/users/{{userId}}/tokens/generic/DEVICE_TOKEN/{{data.id}}/enable/"
        • On success "update element"
        • Visible if: data.attributes.enabled === true
    • Token Endpoint: "Generic Token Endpoint" with a "Token Based Generic Repository Config"
      • In the ”Token Based Attribute Mapping" use the following mapping:
        • Serial ID: "serial"
        • Enabled: "enabled"
        • Activation Date: "activationDate"
        • Valid From: "validFrom"
        • Valid To: "validTo"
        • Generation Date: "generationDate"
        • First Usage Date: "firstUsage"
        • Latest Usage Date: "latesUsage
        • Total Usages: "totalUsages"
        • Generic Data Element1: "label"

This results in a Adminapp UI as in the following example (showing only one device token - supporting multiple):

61714413.png

The configuration models the following authentication process:

  • Always start with username + password check
  • Always allow 2nd factor (e.g. MTAN)
  • If at least one device token has been registered: offer device token as an alternative to other 2nd factors.