Self-migration to mTAN/SMS

Goal of this workflow

Mark users that should change the authentication method from another 2nd factor to mTAN/SMS and let them migrate at the next login (or by a specific point in time).

Outline of workflow

The workflow is the same as the mTAN/SMS registration workflow with the following differences:

  • the user is strongly authenticated
  • no IAK is involved.

Workflow:

  1. The user logs in using existing credentials (e.g. username, password, and OTP).
  2. The user is asked to migrate to mTAN/SMS.
  3. The user is asked to enter the mobile phone number.
  4. The user gets an OTP code on the mobile phone.
  5. The user enters the OTP code (but no IAK code, since the user is already strongly authenticated).

Security Advisory

The migration process assumes that it is OK to register the mobile phone number used for later authentication on a session authenticated by the existing credentials. In other words, the authenticity of the mobile phone number cannot be stronger than the existing authentication scheme before the migration.

Therefore, never use this workflow if the authentication scheme is weak.

Preparation

To use this workflow, the following pre-conditions must be met:

  • The user can be authenticated in a strong way.
  • The next authentication method of the user is set to mTAN/SMS and no mobile phone number is stored for the user (Adminapp: menu Users, tab Authentication Methods, mTAN migration).
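The workflow outline and the pre-conditions above can be read as a small state machine: migration is offered only when the user is marked for it and has no stored number, the number may be bound to the account only on a strongly authenticated session (the point of the Security Advisory), and the SMS OTP is verified without an IAK. The following Python simulation is an added example, not Airlock IAM code; the `User`/`Session` data model, the `send_sms` callback, the E.164 number check and the six-digit OTP format are assumptions made for illustration.

```python
"""Simulated mTAN/SMS self-migration flow (added example, not product code).

The data model, the SMS callback and the OTP format are assumptions for
illustration; the real product stores users and configuration differently.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional


class MigrationError(Exception):
    """Raised when a pre-condition or a verification step fails."""


@dataclass
class User:
    username: str
    active_auth_method: str          # e.g. "OTP_TOKEN" (assumed label)
    next_auth_method: Optional[str]  # "MTAN" marks the user for migration
    mobile_number: Optional[str] = None


@dataclass
class Session:
    user: User
    strongly_authenticated: bool     # True only after password + 2nd factor
    pending_otp: Optional[str] = field(default=None, repr=False)
    pending_number: Optional[str] = None


def migration_required(session: Session) -> bool:
    """Pre-conditions from the Preparation section (assumed data model)."""
    u = session.user
    return u.next_auth_method == "MTAN" and u.mobile_number is None


def start_migration(session: Session, mobile_number: str,
                    send_sms: Callable[[str, str], None]) -> None:
    """Workflow steps 3 and 4: accept the number and send an OTP to it.

    The session must be strongly authenticated: the number is bound to the
    account on the strength of the existing credentials, so a weak login
    must never reach this point (Security Advisory).
    """
    if not session.strongly_authenticated:
        raise MigrationError("migration requires a strongly authenticated session")
    if not migration_required(session):
        raise MigrationError("user is not marked for mTAN migration")
    if not mobile_number.startswith("+") or not mobile_number[1:].isdigit():
        raise MigrationError("mobile number must be in E.164 form")
    otp = f"{secrets.randbelow(10**6):06d}"  # six-digit OTP (assumed format)
    session.pending_number = mobile_number
    session.pending_otp = otp
    send_sms(mobile_number, otp)


def finish_migration(session: Session, entered_otp: str) -> User:
    """Workflow step 5: verify the OTP; no IAK is asked for."""
    if session.pending_otp is None:
        raise MigrationError("no OTP pending for this session")
    # Constant-time comparison so response timing reveals nothing about the OTP.
    if not hmac.compare_digest(session.pending_otp, entered_otp):
        session.pending_otp = None  # one attempt per SMS in this model
        raise MigrationError("wrong OTP")
    u = session.user
    u.mobile_number = session.pending_number
    u.active_auth_method = "MTAN"
    u.next_auth_method = None
    session.pending_otp = session.pending_number = None
    return u


def demo() -> User:
    """Happy path with a fake SMS gateway that only records the OTP (constructed)."""
    outbox = {}
    user = User("alice", active_auth_method="OTP_TOKEN", next_auth_method="MTAN")
    session = Session(user, strongly_authenticated=True)
    start_migration(session, "+41790000000",
                    lambda number, code: outbox.update({number: code}))
    return finish_migration(session, outbox["+41790000000"])


if __name__ == "__main__":
    print(demo())
```

Running `demo()` ends with `active_auth_method == "MTAN"` and the number stored; calling `start_migration` on a session that is not strongly authenticated, or for a user who is not marked for migration, fails before any SMS is sent, which is exactly the gate the advisory asks for.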

Screen flow

The following sample screenshots have been taken in the JSP-Loginapp but are similar in the Loginapp REST API.

  1. Log in using strong authentication (no screenshot).
  2. The user is asked to migrate (screenshot: 59333268.png).
  3. The user chooses the option Migrate Now.
  4. The user enters the mobile phone number (no screenshot; see the registration process for an example).
  5. The user enters the OTP code (screenshot: 59333271.png).
  6. The active authentication method of the user is now mTAN/SMS.

Further information and links:

  • Configuration in the Loginapp REST UI: In the authentication flow, use an Auth-Method Migration option (see also demo configuration):
    • Target Auth Method: MTAN
    • Steps in sub-flow: mTAN Token Registration Step, mTAN Verification Step, Apply Changes Step
  • Configuration in the JSP-Loginapp: mTAN/SMS self-service configuration in the JSP-Loginapp