This article shows an example of how to assign and manage Airlock 2FA hardware tokens for a user.
Please refer to Token management (Airlock 2FA) for general Airlock 2FA token management examples.
All of the following procedures are examples and will vary according to your setup or needs.
The following examples use the Airlock IAM Adminapp. A REST API for all administrative actions of the Airlock IAM Adminapp is available.
To assign a hardware token to a user, the following steps must be performed in the Airlock 2FA tab of the selected user.
The Airlock IAM Token Controller plugin may be configured to allow assigning a hardware token to multiple users of the same service. If configured to allow that, even hardware tokens that are already assigned to a user will be listed.
If the token at hand cannot be found in the list of assignable tokens, this may have one of the following reasons:
Hardware tokens are ready to use directly after the assignment process. In other words, assigned hardware tokens can be used as the second authentication factor by the legitimate user, or even on behalf of a user, immediately after the assignment.
There are several ways to hand over the device to a user. The IAM Adminapp directly supports printing shipment letters.
Hardware token shipment letters can be directly generated from the IAM Adminapp by pressing the Create shipment letter button. Shipment letters typically contain a text, the recipient address, the token serial number, and optionally the activation code.
A hardware token may be assigned to multiple users (this requires special configuration of the Airlock 2FA Token Controller). If this is the case, the shipment letter may only contain information about the one user that the letter was printed or generated for.
The following screenshot shows two hardware tokens in the Airlock 2FA tab on the user detail page: a QR code token and an OTP token:
Possible actions:

Unassign | Unassigns the hardware token from the user in a way that it can be reassigned again. It will show up again when selecting hardware tokens for assignment. This is the right thing to do if a token has been assigned by accident or if the token has been returned to the administrator. Unassigned hardware tokens can no longer be used by the end-user and reassigning requires knowledge of the serial number. This action cannot be undone. |
Archive | Archives the hardware token, i.e. permanently removes the hardware token from usage. It will not be among the set of assignable tokens after archiving. Take this action if the token was stolen, has been lost, or is damaged. The token will no longer be usable by the end-user and reassigning will not be possible. Unarchiving hardware tokens involves contacting Airlock support. This action cannot be undone. |
Create shipment letter | Creates a shipment letter to send the token to the user. |
Synchronize | Synchronizes OTP hardware tokens: use this if the internal clock of the OTP hardware token is out of sync with the current time and therefore OTP tokens are no longer accepted. This may be necessary for OTP hardware tokens that have not been used for a long time. |
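
The Synchronize action above addresses clock drift on time-based OTP tokens. The following is an added illustration, not Airlock IAM code and not a description of how the product implements synchronization: it assumes a standard RFC 6238 time-based OTP with 30-second steps, and the function names `totp`, `verify` and `resync` are hypothetical. It shows why a drifted token is rejected by the normal narrow acceptance window and how a resync can recover the drift from two consecutive codes.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default; assumed here)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 / RFC 4226 code for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, now, drift=0, window=1):
    """Normal login check: accept only codes within +/- window steps."""
    base = now // STEP + drift
    return any(hmac.compare_digest(totp(secret, base + d), code)
               for d in range(-window, window + 1))


def resync(secret, code1, code2, now, search=100):
    """Resync: find the drift (in steps) at which two consecutive codes
    read off the device match, or None if no drift in range fits.
    Requiring two consecutive codes keeps the wide search window from
    becoming a wide guessing window."""
    base = now // STEP
    for d in sorted(range(-search, search + 1), key=abs):
        if (hmac.compare_digest(totp(secret, base + d), code1)
                and hmac.compare_digest(totp(secret, base + d + 1), code2)):
            return d
    return None


# Constructed sample data: RFC 6238 test secret, device clock 10 minutes slow.
SECRET = b"12345678901234567890"
NOW = 1_700_000_000
DEVICE_COUNTER = (NOW - 600) // STEP
CODE_1 = totp(SECRET, DEVICE_COUNTER)
CODE_2 = totp(SECRET, DEVICE_COUNTER + 1)

if __name__ == "__main__":
    print("accepted before sync:", verify(SECRET, CODE_1, NOW))
    drift = resync(SECRET, CODE_1, CODE_2, NOW)
    print("drift in steps:", drift)
    print("accepted after sync:", verify(SECRET, CODE_1, NOW, drift=drift))
```

The stored drift is applied on every later verification, so the normal acceptance window can stay narrow after the resync.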