Token migration is an end-user self-service that runs as part of the authentication process. It requires an established authentication method before the migration: the established (old) token is used to authenticate the user, and the end-user is then asked to enroll the (new) token of a different type.
Users are marked for migration using the Adminapp or the Adminapp REST API.
Token migration is configurable as optional or mandatory. In addition, a grace period can be set, which allows the end-user to freely postpone the migration within the defined period.
With these features, end-users can easily be migrated to a new second factor without activation letters and administrative effort.
If Airlock 2FA is used as the second factor in strong authentication, the end-user must be strongly authenticated before migration.
While it is possible to enroll Airlock 2FA just based on username and password, the security risks of such a setup must be considered thoroughly.
Note that there are different types of Airlock 2FA enrollment:
- Enrollment using activation letters
- Migration from another second factor to Airlock 2FA as a self-service