Goal of this Workflow
Enables users without a verified mobile phone number to register for mTAN/SMS authentication.
Involves an IAK (initial activation key) that is usually sent or handed to the user in paper form (the IAK letter).
Security Advisory
The mobile phone number used for authentication must be authentic, i.e. it must be verified that it really belongs to the user in question. A number that is merely stored in the user's profile in a directory has normally not been verified in this way.
The Airlock IAM self-service process ensures that:
- The user is in possession of the mobile phone (by sending an OTP to the phone).
- The phone belongs to the user in question (by sending an IAK letter to the postal address or handing it to the user personally).
Never use mobile phone numbers for authentication when you cannot guarantee that they belong to the user in question!
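As an added illustration (not Airlock IAM's own code), the following Python model enforces the two proofs listed above before a number is bound: the IAK from the letter must be verified first, and only then can an OTP be sent to and confirmed from the phone. The IAK format, the lockout limit and the function names are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from typing import Optional
# Constructed model of the IAK-letter flow (not Airlock IAM code): a number is bound only after
# the IAK from the letter AND an OTP sent to the phone are verified, in that order.
IAK_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I: the IAK is typed from paper
MAX_ATTEMPTS = 3  # assumed lockout limit shared by both steps

def _hash(value: str) -> bytes:  # the server stores only this, never the IAK itself
    return hashlib.sha256(value.strip().upper().encode()).digest()

@dataclass
class Registration:
    iak_hash: bytes
    iak_verified: bool = False
    pending_phone: Optional[str] = None
    otp: Optional[str] = None
    bound_phone: Optional[str] = None
    failed_attempts: int = 0

def issue_iak() -> tuple:  # (record to store, IAK to print in the letter)
    iak = "".join(secrets.choice(IAK_ALPHABET) for _ in range(12))
    return Registration(_hash(iak)), iak

def submit_iak(reg: Registration, entered: str) -> bool:
    """Step 1: the user types the IAK from the letter (case-insensitive)."""
    if reg.failed_attempts >= MAX_ATTEMPTS:
        return False
    if hmac.compare_digest(_hash(entered), reg.iak_hash):
        reg.iak_verified = True
        return True
    reg.failed_attempts += 1
    return False

def request_otp(reg: Registration, phone: str) -> Optional[str]:
    """Step 2: OTP for the number to register; returned here only to simulate the SMS."""
    if not reg.iak_verified:
        return None
    reg.pending_phone, reg.otp = phone, f"{secrets.randbelow(10**6):06d}"
    return reg.otp

def submit_otp(reg: Registration, entered: str) -> bool:
    """Step 3: a correct, single-use OTP binds the pending number to the user."""
    if not (reg.iak_verified and reg.otp) or reg.failed_attempts >= MAX_ATTEMPTS:
        return False
    if hmac.compare_digest(reg.otp, entered.strip()):
        reg.bound_phone, reg.pending_phone, reg.otp = reg.pending_phone, None, None
        return True
    reg.failed_attempts += 1
    return False
```

In a real deployment the OTP is handed to the SMS gateway rather than returned, and the IAK letter is delivered only to the postal address on record.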