Token enrollment (activation) and self-services

After the user has initially installed the Airlock 2FA app, the app does not contain cryptographic key material required for authentication. With enrollment, we denote the process of activating a new Airlock 2FA token and linking it to a user account.

Airlock 2FA apps are enrolled by scanning a QR code from either the browser or a hard copy letter (= activation letter). During the enrollment, the Airlock 2FA app generates cryptographic keys and stores them securely in the smartphone's secure storage.

Note that Airlock 2FA hardware tokens are not enrolled but assigned by the administrator.

Table: Airlock 2FA enrollment types

Enrollment type


Activation letter

An enrollment QR code is printed on a letter and sent to the user. The user scans the QR code to activate the Airlock 2FA app.

Token migration

The user is authenticated using another 2nd factor (e.g. mTAN) and is then asked to activate the Airlock 2FA app by displaying the enrollment QR code.


In the token management self-service, logged-in users can add new app tokens by scanning a QR code.




Airlock IAM

  • Airlock IAM 7.3 or newer.
  • An Airlock 2FA subscription is required.

For licensing contact: