Configure token migration in the JSP-Loginapp

This page explains how to configure Airlock 2FA token migration, so users can enroll Airlock 2FA tokens without an activation letter.

Enrollments and thus activation letters may be valid for at most 90 days. The validity period is configurable.


  • User authentication with Airlock 2FA as a second factor is configured.
  • Another way to authenticate users (e.g. username, password, and mTAN) is configured and used for users to be migrated.
  • The basic Airlock 2FA settings exist.


  1. Go to:
  2. Loginapp >> Self-Service Settings

  3. Create or connect the Airlock 2FA Self-Service.
  4. Go to (or create if necessary):
  5. Loginapp >> Self-Service Settings >> Migration Hint Page Settings

  6. Add a new target authentication type Airlock 2FA Credential Migration.
  7. Configure the latter according to your needs or use it with default values.
  8. Make sure that the user has been authenticated in a strong way before migration to Airlock 2FA is possible.

  9. Activate the configuration.
  10. Token migration is now ready to use.

How to verify

  • Log into the IAM Adminapp as administrator with corresponding access rights.
  • Create a new user or use an existing one and make sure the user can be authenticated without using Airlock 2FA (i.e. via username, password and mTAN).
  • Open tab Authentication Methods
  • In section Authentication Method Migration: Select Migrate to Airlock 2FA
  • Provide a due date if required.
  • Click the Save button.
  • Login with the user (Loginapp).
  • The migration process should automatically be started after initial authentication.