Check out the demo configuration - it contains a pre-configured selection step for device tokens.
It also provides the configuration to manage device tokens in the Adminapp using a Generic Token Controller plugin.
The Loginapp REST API must be configured as follows:

- For device token registration:
  - Loginapp >> REST Settings >> User Token Settings >> Device Registration Settings
- Authentication flow if device token authentication is used as the first factor:
  - Loginapp >> Authentication Flows >> <Application without device token authentication> >> Authentication Flow
    - First Step: a username password step
    - Second Step: e.g. MTAN
    - Add "tags" and "skip" conditions to meet your requirements.
  - Loginapp >> Authentication Flows >> <Application with device token authentication> >> Authentication Flow
    - First Step: device token step
    - Second Step: e.g. MTAN
    - Add "tags" and "skip" conditions to meet your requirements.
- Authentication flow if device token authentication is used as the 2nd factor:
  - Loginapp >> Authentication Flows >> <some application> >> Authentication Flow
    - First Step: a username password step
    - Second Step: "Selection" (selects between the 2nd factor and Device Tokens, if available)
      - Available Option 1: the 2nd factor of your choice (e.g. MTAN)
      - Available Option 2:
        - Name: "DEVICE_TOKEN"
        - Steps: "Device Token Authentication"
        - Condition: "Has Device Token"
    - Add "tags" and "skip" conditions to meet your requirements.
The Adminapp may be configured to enable device token management (e.g. for the help desk):

- Adminapp >> Users >> Authentication Tokens (Credentials)
  - Add a Generic Token Controller with the following properties:
    - ID: DEVICE_TOKEN (unless a different identifier has been configured in the Device Registration Settings in the Loginapp)
    - User Interface: Default Token Controller UI with the following elements (as required):
      - Text Message: Device ID (Value: "data.id")
      - Text Message or input field: Device Label (Value: "data.attributes.label")
      - Text Message or input field: Device Serial (Value: "data.attributes.serial")
      - Text Message: "Enabled?" (Value: "data.attributes.enabled")
      - Text Message: "First used" (Value: "data.attributes.firstUsage")
      - Text Message: "Latest used" (Value: "data.attributes.latestUsage")
      - Text Message: "Total usages" (Value: "data.attributes.totalUsages")
      - Text Message: "Valid from" (Value: "data.attributes.validFrom")
      - Text Message: "Valid to" (Value: "data.attributes.validTo")
      - Button: "Enable" with remote action
        - POST on "/users/{{userId}}/tokens/generic/DEVICE_TOKEN/{{data.id}}/enable/"
        - On success: "update element"
        - Visible if: data.attributes.enabled === false
      - Button: "Disable" with remote action
        - DELETE on "/users/{{userId}}/tokens/generic/DEVICE_TOKEN/{{data.id}}/enable/"
        - On success: "update element"
        - Visible if: data.attributes.enabled === true
    - Token Endpoint: "Generic Token Endpoint" with a "Token Based Generic Repository Config"
      - In the "Token Based Attribute Mapping" use the following mapping (the attribute names must match the "data.attributes.*" value paths used by the UI elements above):
        - Serial ID: "serial"
        - Enabled: "enabled"
        - Activation Date: "activationDate"
        - Valid From: "validFrom"
        - Valid To: "validTo"
        - Generation Date: "generationDate"
        - First Usage Date: "firstUsage"
        - Latest Usage Date: "latestUsage"
        - Total Usages: "totalUsages"
        - Generic Data Element1: "label"
This results in an Adminapp UI as in the following example (showing only one device token; multiple device tokens per user are supported):
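The following script is an added illustration, not Airlock IAM product code, of how the Generic Token Controller configuration above fits together: the Token Based Attribute Mapping decides which repository attributes appear under `data.attributes`, the UI elements read values by path, and the "Visible if" conditions decide whether the Enable (POST) or Disable (DELETE) remote action is offered. Field names, value paths and URL templates are taken from the text; the repository record layout, the sample values and the helper function names are assumptions. The mismatch case at the end shows what a mapping typo (e.g. "latesUsage") does to the "Latest used" element.

```python
"""Model of the Adminapp Generic Token Controller configuration for device
tokens (added example; field names from the text, record layout assumed)."""
import re
from urllib.parse import quote

# Token Based Attribute Mapping: controller field -> attribute key under data.attributes
ATTRIBUTE_MAPPING = {
    "Serial ID": "serial",
    "Enabled": "enabled",
    "Activation Date": "activationDate",
    "Valid From": "validFrom",
    "Valid To": "validTo",
    "Generation Date": "generationDate",
    "First Usage Date": "firstUsage",
    "Latest Usage Date": "latestUsage",
    "Total Usages": "totalUsages",
    "Generic Data Element1": "label",
}

# Default Token Controller UI elements: label -> value path
UI_ELEMENTS = {
    "Device ID": "data.id",
    "Device Label": "data.attributes.label",
    "Device Serial": "data.attributes.serial",
    "Enabled?": "data.attributes.enabled",
    "First used": "data.attributes.firstUsage",
    "Latest used": "data.attributes.latestUsage",
    "Total usages": "data.attributes.totalUsages",
    "Valid from": "data.attributes.validFrom",
    "Valid to": "data.attributes.validTo",
}

# Buttons: label -> (HTTP method, URL template, "Visible if" predicate)
_ENABLE_URL = "/users/{{userId}}/tokens/generic/DEVICE_TOKEN/{{data.id}}/enable/"
BUTTONS = {
    "Enable": ("POST", _ENABLE_URL, lambda d: d["attributes"].get("enabled") is False),
    "Disable": ("DELETE", _ENABLE_URL, lambda d: d["attributes"].get("enabled") is True),
}

# Constructed sample repository record for one device token (assumed layout)
SAMPLE_RECORD = {
    "serial": "SN-0001", "enabled": False, "activationDate": "2024-01-10",
    "validFrom": "2024-01-10", "validTo": "2025-01-10", "generationDate": "2024-01-09",
    "firstUsage": "2024-01-11", "latestUsage": "2024-03-02", "totalUsages": 17,
    "label": "Work laptop", "internalNote": "never shown in the UI",
}


def build_token_data(token_id, repo_record, mapping=ATTRIBUTE_MAPPING):
    """Expose only the mapped repository attributes under data.attributes."""
    attributes = {key: repo_record.get(key) for key in mapping.values()}
    return {"id": token_id, "attributes": attributes}


def resolve(path, data):
    """Resolve a 'data.attributes.x' value path; None when the key is absent."""
    parts = path.split(".")
    if parts[0] != "data":
        raise ValueError(f"unsupported value path: {path}")
    node = data
    for part in parts[1:]:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def render_elements(data, elements=UI_ELEMENTS):
    """Label -> displayed value for every configured UI element."""
    return {label: resolve(path, data) for label, path in elements.items()}


_TEMPLATE = re.compile(r"\{\{([A-Za-z_.]+)\}\}")


def expand_url(template, user_id, data):
    """Fill {{userId}} / {{data.id}}; values are percent-encoded with safe=''
    so a value containing '/' cannot add path segments to the action URL."""
    values = {"userId": user_id, "data.id": data["id"]}

    def sub(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unknown template variable {name}")
        return quote(str(values[name]), safe="")

    return _TEMPLATE.sub(sub, template)


def visible_actions(data, user_id, buttons=BUTTONS):
    """Remote action (method, URL) for each button whose 'Visible if' holds."""
    return {label: (method, expand_url(tmpl, user_id, data))
            for label, (method, tmpl, visible_if) in buttons.items() if visible_if(data)}


if __name__ == "__main__":
    data = build_token_data("dev-42", SAMPLE_RECORD)
    print(render_elements(data))
    print(visible_actions(data, "alice"))
    # Mapping typo: the UI reads data.attributes.latestUsage, so "Latest used" stays empty
    typo = dict(ATTRIBUTE_MAPPING, **{"Latest Usage Date": "latesUsage"})
    print(render_elements(build_token_data("dev-42", SAMPLE_RECORD, typo))["Latest used"])
```

Run it directly to see the rendered elements for the sample record: only the "Enable" action is offered because `enabled` is false, and the unmapped `internalNote` column never reaches the UI. The percent-encoding in `expand_url` is the check a reviewer of such a UI configuration would look for, since the template values land in the path of an administrative REST call.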
The configuration models the following authentication process:

- Always start with the username + password check.
- Always allow a 2nd factor (e.g. MTAN).
- If at least one device token has been registered, offer the device token as an alternative to the other 2nd factors.