Token enrollment and self-services
10.2.2.3. Token enrollment (activation) and self-services

After the user has initially installed the Airlock 2FA app, the app does not yet contain the cryptographic key material required for authentication. Enrollment denotes the process of activating a new Airlock 2FA token and linking it to a user account.

Airlock 2FA apps are enrolled by scanning a QR code that is either displayed in the browser or printed on a hard copy letter (the activation letter). During enrollment, the Airlock 2FA app generates cryptographic keys and stores them in the smartphone's secure storage.

Note that Airlock 2FA hardware tokens are not enrolled but assigned by the administrator.

| Enrollment type | Description |
|---|---|
| Activation letter | An enrollment QR code is printed on a letter and sent to the user. The user scans the QR code to activate the Airlock 2FA app. |
| Token migration | The user is authenticated using another 2nd factor (e.g. mTAN) and is then asked to activate the Airlock 2FA app by displaying the enrollment QR code. |
| Self-service | In the token management self-service, logged-in users can add new app tokens by scanning a QR code. |

Table 16: Airlock 2FA enrollment types

| Component | Requirement | Comments |
|---|---|---|
| Airlock IAM | Airlock IAM 7.3 or newer. | |
| | An Airlock 2FA subscription is required. | For licensing contact: order@airlock.com. |

Further information and links