Device tokens - REST authentication API

Using the Device Token feature, a REST client (e.g. mobile app) can authenticate itself using public-key cryptography without user interaction. The feature can be used as the first or second factor.

It is intended for the following scenario:

  1. Initial authentication: The HTTP client authenticates using username, password, and a 2nd factor (e.g. MTAN).
  2. Device Token registration: The HTTP client generates a key pair and associates the public key with the user account.
  3. Subsequent logins: Depending on the configuration, HTTP clients authenticate either using the device token step as the first factor or using username, password, and device token step as the second factor.

The device token authentication step does not require user interaction - it only requires access to the private key on the "device" (e.g. mobile app).

Multiple "device tokens" can be associated with the user account, and device tokens can be managed in the IAM Adminapp using a generic token controller.
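
The following Go sketch is an added illustration of the scenario above, not code or API from the product. It assumes a challenge-response exchange with Ed25519 signatures, which this page does not specify, and the names `Server`, `Register`, `Challenge` and `Verify` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server is a hypothetical in-memory account store: (user, token ID) -> public key.
type Server struct {
	tokens  map[[2]string]ed25519.PublicKey
	pending map[string][]byte // user -> outstanding single-use challenge
}

func NewServer() *Server {
	return &Server{map[[2]string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Register associates a device's public key with the account (step 2).
func (s *Server) Register(user, tokenID string, pub ed25519.PublicKey) {
	s.tokens[[2]string{user, tokenID}] = pub
}

// Challenge issues a fresh random nonce for the device to sign.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[user] = nonce
	return nonce
}

// Verify consumes the nonce on every attempt, so a captured response cannot be replayed.
func (s *Server) Verify(user, tokenID string, sig []byte) bool {
	nonce, issued := s.pending[user]
	delete(s.pending, user)
	pub, known := s.tokens[[2]string{user, tokenID}]
	return issued && known && ed25519.Verify(pub, nonce, sig)
}

func main() {
	srv := NewServer()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair generated on the device
	srv.Register("alice", "phone-1", pub)             // constructed sample account and token ID
	sig := ed25519.Sign(priv, srv.Challenge("alice")) // needs only the private key, no user input
	fmt.Println("login accepted: ", srv.Verify("alice", "phone-1", sig))
	fmt.Println("replay accepted:", srv.Verify("alice", "phone-1", sig))
}
```

Only the public key reaches the server, so a leaked account store does not let anyone sign as the device; revoking one token ID leaves the user's other devices working.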

Device token registration

Device token authentication as 1st factor

Device token authentication as 2nd factor
