mTAN/SMS registration
10.2.4.2.1. Mobile number registration self-service

Goal of this Workflow

Enables users without a verified mobile phone number to register for mTAN/SMS authentication.

Involves an IAK (initial activation key) that is usually sent or handed to the user in paper form (the IAK letter).

Security Advisory

The mobile phone number used for authentication must be authentic, i.e. it must be verified that it really belongs to the user in question. This is normally not the case for mobile phone numbers stored in the user's profile in a directory.

The Airlock IAM self-service process ensures that:

  • The user is in possession of the mobile phone (by sending an OTP to the phone).
  • The phone belongs to the user in question (by sending an IAK letter to the postal address or handing it to the user personally).

Never use mobile phone numbers for authentication when you cannot guarantee that they belong to the user in question!

Outline of workflow

  • 1.
    Activation Key IAK letter is generated and sent or handed to the user.
  • 2.
    User logs in using username and password.
  • 3.
    The user is asked to enter the mobile phone number.
  • 4.
    The user gets an OTP code on the mobile phone.
  • 5.
    The user enters the OTP code and the IAK code.

Preparation

To use this workflow, the following pre-conditions must be met:

  • The user can be pre-authenticated with a username and password, i.e., the user must already have an account with a password.
  • mTAN/SMS self-registration is enabled in the configuration.
  • The active authentication method of the user is mTAN/SMS and there is no mobile phone number registered.
    • 45393263.png
    45393264.png

Generating activation key IAK letters

An IAK (initial activation key) is used to strongly authenticate the user's session, so a mobile phone number can be registered. Usually, the IAK letter is sent to the user's postal address.

IAM offers the following ways to generate IAK letters:

  • Order the letter in the Adminapp (or other process): this sets a flag on the mTAN token. The Token Report Task (using the mTAN IAK Token Report Strategy) in Service Container then creates IAK letters.
  • Directly generate the IAK letter in the Adminapp.

IAK letters are based on language-dependent Word template. Sample template files can be found in <iam-dir>/instances/common/report-templates/.

Example screen flow

The following sample screenshots have been taken in the JSP-Loginapp but are similar in the Loginapp REST API.

  • 1.
    Log in using username and password (no screenshot)
  • 2.
    Enter mobile phone number:
    • 59333257.png
  • 3.
    Enter OTP from mobile and code from IAK letter:
    • 59333260.png
  • 4.
    Confirmation Screen:
    • 59333261.png
  • 5.
    Depending on the configuration the user is then logged in or ready to re-login (no screenshot).

Further information and links:

  • Configuration in the Loginapp REST UI: In the authentication flow, use a selection and sub-flow as follows (see also demo configuration):
    • Condition: mTAN as active auth method and no mTAN token available (logical AND).
    • Steps in sub-flow: mTAN Token Registration Step, mTAN Verification Step, Apply Changes Step
  • Configuration in the JSP-Loginapp: 17.4.2.6. mTAN/SMS self-service configuration in the JSP-Loginapp