Selection of authentication method (mixing multiple token-types)

Airlock IAM supports many different token types (MTAN, OTP, CrontoSign, Matrixcards, etc.). Token types can be mixed, i.e. be used at the same time, in different ways.

This page lists the different ways to mix authentication token types.

Most of the listed auth method selection methods are applicable forĀ second authentication steps, because the user has to be known.

Some of them are ready to work with the "Main Authenticator", others are not. If using a selection method not compatible with the "Main Authenticator", use the "Meta Authenticator" plugin instead.

Types of authentication token selection

Some of the listed plugins may require special licensing. If a plugin is not available in the ConfigEditor, check the box "Show unlicensed Plugins" in order to find out if it was missing because of licensing. If interested to upgrade the license, please contact

The table is valid for the Loginapp (JSP) (form-based authentication) and does not apply to the Loginapp REST UI. See separate documentation for the latter.

The following table lists the most important plugins that allow selecting an authentication token type from a set of configured types:



As first step?

As the second step?

Auth Method Based Authenticator Selector

Choose authentication method on the active authentication method stored in the user's profile. The Adminapp allows setting the active authentication method (also via the REST API).

This is the by far most frequently used method and supported in conjunction with the "Main Authenticator".

Note: The "Meta Authenticator" also implements this type of selection.


Role-Based Authenticator Selector

Chooses authenticator methods based on the user's roles (or group membership).

This is useful, if the user schema is given by an external system (e.g. a user directory) which cannot be extended to contain an "authentication method" attribute.

Used for example with Active Directory.


Selection Authenticator

Let the user choose the authentication method (at login time). See Selection Authenticator: User chooses 2nd Factor


Credential Based Authenticator Selector

Choose authentication method based on user input as response to the active authentication method challenge.

Example (configuration example):

  • User's active authentication method is MTAN/SMS
  • Instead of entering the SMS token, the user enters for example "OTP" to switch to OTP authentication

User-Based Authenticator Selector

The authentication method is chosen based on the username (regular expression).

Example: All users ending with "" use a hardware OTP token. All others use MTAN/SMS.