Using Device Tokens to authenticate mobile apps

Device Tokens bind a mobile app (or another REST client) to an IAM account so that the device token can be used as a non-interactive first or second authentication factor.

It is intended for the following scenario:

  1. Initial authentication: The HTTP client authenticates using username, password, and a second factor (e.g. MTAN).
  2. Device Token registration: The HTTP client generates a key pair and associates the public key with the user account.
  3. Following logins: Depending on the configuration, HTTP clients authenticate either with the device token step as the first factor, or with username and password followed by the device token step as the second factor.
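The three steps above describe what is registered and when it is used, but not the cryptographic exchange inside the "device token step". The following added example (not the IAM product's own code) models the whole flow end to end under one assumption: the device token step is a signed challenge, where the server issues a random one-time nonce and the device proves possession of the private key by signing the account name together with that nonce. Ed25519 is chosen here for illustration; the key type, the 60-second challenge lifetime and the names `Server`, `Device`, `RegisterDevice`, `IssueChallenge` and `VerifyDeviceToken` are all assumptions of this example. Only the public key ever leaves the device (step 2); the server stores it per account and, on later logins (step 3), accepts a signature only from a registered key, only once per nonce, and only within the lifetime.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// challengeTTL is an assumed lifetime for an issued nonce (not a value from the page).
const challengeTTL = 60 * time.Second

// pendingChallenge remembers which account a nonce was issued to and when.
type pendingChallenge struct {
	account string
	issued  time.Time
}

// Server is the IAM side: it keeps registered device public keys per account
// and the set of outstanding one-time challenges.
type Server struct {
	mu         sync.Mutex
	devices    map[string][]ed25519.PublicKey
	challenges map[string]pendingChallenge
}

func NewServer() *Server {
	return &Server{
		devices:    make(map[string][]ed25519.PublicKey),
		challenges: make(map[string]pendingChallenge),
	}
}

// RegisterDevice is step 2: after an interactive login with username, password
// and second factor, the client's public key is associated with the account.
func (s *Server) RegisterDevice(account string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.devices[account] = append(s.devices[account], pub)
}

// IssueChallenge starts the device token step of step 3 by handing the client
// a fresh random nonce bound to the account that is being authenticated.
func (s *Server) IssueChallenge(account string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.challenges[nonce] = pendingChallenge{account: account, issued: time.Now()}
	return nonce, nil
}

// signedMessage binds the signature to both the account and the nonce so a
// signature captured for one account cannot be presented for another.
func signedMessage(account, nonce string) []byte {
	return []byte(account + "|" + nonce)
}

// VerifyDeviceToken completes the device token step: the nonce must be known,
// unused, issued for this account, still fresh, and the signature must verify
// under one of the account's registered device keys.
func (s *Server) VerifyDeviceToken(account, nonce string, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.challenges[nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, nonce) // single use: a replayed signature is rejected
	if c.account != account {
		return errors.New("challenge was issued for a different account")
	}
	if time.Since(c.issued) > challengeTTL {
		return errors.New("challenge expired")
	}
	for _, pub := range s.devices[account] {
		if ed25519.Verify(pub, signedMessage(account, nonce), sig) {
			return nil
		}
	}
	return errors.New("signature does not verify under any registered device key")
}

// Device is the mobile app side; the device token is its key pair and the
// private half never leaves the device.
type Device struct {
	priv ed25519.PrivateKey
}

func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Sign answers a challenge for the given account.
func (d *Device) Sign(account, nonce string) []byte {
	return ed25519.Sign(d.priv, signedMessage(account, nonce))
}

func main() {
	srv := NewServer()
	dev, _ := NewDevice()
	srv.RegisterDevice("alice", dev.PublicKey()) // step 2
	nonce, _ := srv.IssueChallenge("alice")       // step 3
	fmt.Println("first use:", srv.VerifyDeviceToken("alice", nonce, dev.Sign("alice", nonce)))
	fmt.Println("replay:   ", srv.VerifyDeviceToken("alice", nonce, dev.Sign("alice", nonce)))
}
```

The server never learns a secret it could leak: compromise of the account store exposes only public keys, which is the property that makes the device token safe to use as a non-interactive factor. Binding the signature to the account name and consuming each nonce on first use are the two checks a practitioner should look for in any real implementation of this step.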