mTAN/SMS authentication

In mTAN authentication, a one-time password (OTP, also referred to as token code) is sent to the user's mobile phone as an SMS message. The code is then entered into an input field by the user.

Authentication with mTAN can be used as the second step in an authentication scheme.

Note that there are many other use-cases in IAM where OTPs are sent via SMS.

Examples:

Channel verification in self-registration
Channel verification in the password reset self-service
Mobile number management self-service
Mobile number self-registration

Prerequisites

The following requirements must be met in order to make use of mTAN authentication:

Users must have a mobile phone (or another device for receiving SMS messages).
An SMS sending service (SMS gateway) must be available and connected to Airlock IAM.
The user's mobile phone number must be known to Airlock IAM.

It is very important, that the mobile phone number of a user is authentic, i.e. it must be sure, that the number really belongs to the person intended!

Airlock IAM offers self-services that help you to obtain authentic user mobile phone numbers with minimal administrative overhead (mTAN token self-services).

Further information and links

Configuration in the Loginapp REST UI:

Use the plugin mTAN Authentication Step in the authentication flow configuration.
Usage example: Usage examples of REST authentication API

Configuration in the JSP-Loginapp: mTAN/SMS authentication configuration in the JSP-Loginapp
mTAN/SMS self-services (Self-Registration, Self-Migration, Change mobile phone number)