Kobil AST is usually used as a second factor, after the user's username and password have been verified.

The login flow differs slightly when the push notification feature is enabled. Both variants, with and without push notifications, are described below. By default, push notifications are disabled.

Login without push notifications

If the user has more than one activated device, the first login step consists of selecting the device to which the login request should be sent.

After a device is selected, a login request is sent to the app on that device. If the user has only one active device, the selection step can be skipped (configuration option).

While the user enters the PIN in the app and confirms the login request, a "waiting" message is shown in the web browser. In the background, the SSMS is polled regularly to check whether the login has been performed in the meantime.

After the login is confirmed in the app, the Airlock IAM Loginapp notices this event within a couple of seconds and automatically logs the user in. No further interaction with the web browser is needed.

Login with push notifications

The push notification feature can be enabled using the property 'Enable Push Notifications' in the "KobilAstAuthenticator".

When enabled, the behavior is as follows:

  • Case 1: no device is online
    Each device receives a push notification. The message of the push notification is configurable, but typically contains a text that asks the user to start the Kobil App on her device. In the browser the message 'Please be patient, user information will be verified.' is displayed until a user's device comes online and is used to log in. Otherwise, after a (configurable) timeout is reached, the login fails.

  • Case 2: at least one device is online
    In this case, no push notifications are sent. Instead, each online device receives a login challenge and the message 'Please be patient, user information will be verified.' is displayed. Either the user logs in using one of the devices that received the login challenge, or a (configurable) timeout is reached and the login fails.