To end-users authenticating with Cronto, an activation cryptogram is sent by letter. This type of letter is called the activation letter and is the starting point for activating new devices and apps (from now just called devices).
- There are different ways to reach the activation procedure:
- First Login: The device is activated during the first login of a new user.
- Token Migration: The user already has a 2nd factor and is asked to migrate to Cronto after authentication.
- Add device after login: The user may choose to activate an additional device just after the login process by checking a checkbox in the Cronto authentication step.
- Token management self-services: The user may manage (add, delete, rename, etc.) devices on the token self-management page after login.
- The activation process consists of 2 or 3 steps:
- Step 1: Scan the cryptogram on the activation letter. The Cronto device then displays a numeric code that has to be entered into the web form. Optionally, if the user is already strongly authenticated, the first activation cryptogram could also be displayed in the browser, without a physical letter being needed.
- Step 2: The web page then displays a second cryptogram, which also has to be scanned, resulting in another numeric code to be entered. At this step, the user enters a name for the device, e.g. "my iPhone". This is helpful for communicating with the help desk in cases where more than one device has been registered.
- Step 3 (optional): This step is only required to activate push notifications on the CrontoSign Swiss app. An additional cryptogram is displayed after registration or later during the login process which needs to be scanned with the CrontoSign Swiss app. Since this app is jointly used by several banks, this third cryptogram selects which set of hardcoded URLs in the app will be used to communicate with the server.
After registration is complete, the device can be used for login and transaction signing. In both cases, a cryptogram will be displayed containing some relevant information. The users scan the cryptogram upon which the device displays the information encoded in the cryptogram together with a numeric code. This code has to be entered into the web form to confirm the correctness of the information.