10.2.2.3.2. Token migration self-service

This article explains how an end-user can enroll an Airlock 2FA app without an activation letter. The end-user is authenticated first and can then enroll an Airlock 2FA app by scanning a QR code displayed in the login application.

The described process can be used to migrate users from an arbitrary second factor (e.g. mTAN) to Airlock 2FA as a second factor. This process is called token migration.

Note that users cannot self-migrate to Airlock 2FA hardware tokens. Hardware tokens are assigned by the administrators and may not be enrolled by the user.

Goal

  • Understand how token migration works in general.
  • Understand how Airlock 2FA token migration works.
  • Learn details about prerequisites and limitations of token migration.

All following procedures are exemplary and will vary according to your setup or needs.

Initial thoughts

Token migration is an end-user self-service and part of the authentication process. It requires an established authentication method prior to the token migration. The established (old) token is used to authenticate the user, then the end-user is asked to enroll the (new) token of a different type.

Users are marked for migration using the Adminapp or the Adminapp REST API.

Token migration is configurable as optional or mandatory. In addition, a grace period can be set which allows the end-user to freely postpone their migration within the defined period.

With these features, end-users can easily be migrated to a new second factor without activation letters and administrative effort.

If Airlock 2FA is used as the second factor in strong authentication, it is necessary to authenticate the end-user in a strong way before migration.

While it is possible to enroll Airlock 2FA just based on username and password, the security risks of such a setup must be considered thoroughly.

Note that there are different types of Airlock 2FA enrollment:

  • Enrollment using activation letters.
  • Migration from another second factor to Airlock 2FA as a self-service.

Prerequisites

  • User account exists in IAM and users can be authenticated (e.g. username, password, and mTAN).
  • The user's smartphone is connected to the internet and is able to connect to the Futurae cloud.

Token migration (online enrollment)

The following flow chart shows how token migration works.

UC-Migration
(1) The end-user is authenticated with existing credentials and usually an established second factor (for example username, password, and mTAN).
(2) The end-user is asked to migrate to Airlock 2FA. Depending on the configuration, migration is optional or mandatory for the user.
(3) An enrollment QR code is presented to the user.
(4) The end-user installs the Airlock 2FA app if necessary. The end-user scans the QR code to enroll the app.
(5) The app connects to the Futurae cloud for enrollment.
(6) Airlock IAM verifies the enrollment and shows a confirmation page to the end-user.