Goal of this Workflow
Enables users without a verified mobile phone number to register for mTAN/SMS authentication.
Involves an IAK (initial activation key) that is usually sent or handed to the user in paper form (the IAK letter).
Security Advisory
The mobile phone number used for authentication must be authentic, i.e. it must be verified that it really belongs to the user in question. This is normally not the case for mobile phone numbers stored in the user's profile in a directory.
The Airlock IAM self-service process ensures that:
- The user is in possession of the mobile phone (by sending an OTP to the phone).
- The phone belongs to the user in question (by sending an IAK letter to the postal address or handing it to the user personally).
Never use mobile phone numbers for authentication when you cannot guarantee that they belong to the user in question!
Outline of workflow
1. An activation key (IAK) letter is generated and sent or handed to the user.
2. The user logs in using username and password.
3. The user is asked to enter the mobile phone number.
4. The user receives an OTP code on the mobile phone.
5. The user enters the OTP code and the IAK code.
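The outline above, modelled as an added Python example (this is illustration code written for this page, not Airlock IAM code): a phone number is only bound to the user once both proofs from the Security Advisory are present, the OTP received on the phone (possession) and the IAK from the letter delivered out of band (ownership). The class and method names, the IAK format, the OTP lifetime, the attempt limit and the in-memory SMS "gateway" are all assumptions made for the simulation.

```python
"""Added illustration (not Airlock IAM code): a minimal model of the mTAN
self-service registration flow.  A phone number is only bound to a user once
BOTH proofs are present:
  * possession of the phone  -> the OTP sent to that number is entered, and
  * ownership by that user   -> the IAK from the letter delivered out of band.
All names, the IAK format and the SMS sender are constructed stand-ins."""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300        # assumption: one-time code valid for 5 minutes
MAX_FAILED_ATTEMPTS = 3      # assumption: registration locked after 3 failures


@dataclass
class IakLetter:
    """Stand-in for the paper IAK letter; the key is delivered out of band
    (postal address / in person), never over the same channel as the OTP."""
    username: str
    iak: str


@dataclass
class PendingRegistration:
    username: str
    phone: str
    otp: str
    issued_at: float
    failures: int = 0


class MtanSelfService:
    def __init__(self):
        self._issued_iaks = {}         # username -> IAK (server-side copy)
        self._pending = {}             # username -> PendingRegistration
        self._registered_phones = {}   # username -> verified phone number
        self.sent_sms = []             # constructed stand-in for the SMS gateway

    # Step 1: the IAK letter is generated and handed to the user out of band.
    def issue_iak_letter(self, username):
        iak = "-".join(secrets.token_hex(2).upper() for _ in range(4))
        self._issued_iaks[username] = iak
        return IakLetter(username, iak)

    # Steps 2-4: after password login the user enters a phone number and
    # receives an OTP on it.  Nothing is bound to the account yet.
    def start_registration(self, username, phone, now=None):
        if username in self._registered_phones:
            raise ValueError("mTAN token already registered")
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = PendingRegistration(
            username, phone, otp, now if now is not None else time.time())
        self.sent_sms.append((phone, otp))
        return otp  # returned only so the simulation can feed it back

    # Step 5: both the OTP (possession) and the IAK (ownership) are checked.
    def complete_registration(self, username, otp_entered, iak_entered, now=None):
        pending = self._pending.get(username)
        if pending is None:
            return False
        now = now if now is not None else time.time()
        if now - pending.issued_at > OTP_TTL_SECONDS:
            del self._pending[username]      # stale OTP: start over
            return False
        otp_ok = hmac.compare_digest(pending.otp, otp_entered)
        iak_ok = hmac.compare_digest(self._issued_iaks.get(username, ""), iak_entered)
        # Evaluate both factors before deciding so the response does not
        # reveal which of the two was wrong.
        if not (otp_ok and iak_ok):
            pending.failures += 1
            if pending.failures >= MAX_FAILED_ATTEMPTS:
                del self._pending[username]  # lock out further guessing
            return False
        self._registered_phones[username] = pending.phone
        del self._pending[username]
        self._issued_iaks.pop(username, None)   # an IAK is single use
        return True

    def registered_phone(self, username):
        return self._registered_phones.get(username)
```

The point the model makes explicit is the one the advisory states: a correct OTP on its own (someone holding *a* phone) never results in a registered mTAN token, and neither does a correct IAK on its own; the phone is bound only when the two proofs arrive together within the OTP lifetime.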
Preparation
To use this workflow, the following pre-conditions must be met:
Generating activation key IAK letters
An IAK (initial activation key) is used to strongly authenticate the user's session, so a mobile phone number can be registered. Usually, the IAK letter is sent to the user's postal address.
IAM offers the following ways to generate IAK letters:
- Order the letter in the Adminapp (or other process): this sets a flag on the mTAN token. The Token Report Task (using the mTAN IAK Token Report Strategy) in Service Container then creates IAK letters.
- Directly generate the IAK letter in the Adminapp.
IAK letters are based on language-dependent Word templates. Sample template files can be found in <iam-dir>/instances/common/report-templates/.
Example screen flow
The following sample screenshots were taken in the JSP-Loginapp; the screen flow in the Loginapp REST API is similar.
Further information and links:
- Configuration in the Loginapp REST UI: In the authentication flow, use a selection and sub-flow as follows (see also demo configuration):
  - Condition: mTAN as active auth method and no mTAN token available (logical AND).
  - Steps in sub-flow: mTAN Token Registration Step, mTAN Verification Step, Apply Changes Step
- Configuration in the JSP-Loginapp: 17.4.2.6. mTAN/SMS self-service configuration in the JSP-Loginapp