Flow conditions on first device usage

First Usage of Device is a condition that returns true when a particular device is used for the first time.

This condition has the following properties:

  • The condition evaluates the device used in the most recent authentication step.
  • For users with multiple authentication devices, the most recently used device is evaluated in the condition.
  • The condition cannot be used in self-registration flows since self-registration is not considered device usage.

To use this condition, a device usage repository must be configured. The device usage repository is used to store how often and when a device has successfully been used for authentication.

The repository can be configured under:

  • Loginapp >> Device Usage Repository Config (section Advanced Settings)
  • Transaction Approval >> Device Usage Repository Config (section Advanced Settings)

Supported IAM flows:

  • Authentication Flows
  • Public Self-Services
  • Protected Self-Services
  • Transaction Approval

The First Usage of Device condition only supports Airlock 2FA devices.

Example use case

We recommend configuring flows to first use the device for authentication and then evaluate a selection using the condition. With this order, it is always clear which device the condition evaluates.

If Airlock 2FA should be configured for passwordless authentication, we recommend using the First Usage of Device condition to secure the authentication flow.

  • Without a First Usage of Device condition, a user can use an activation letter to activate a new device without proper authentication. Anyone could use such an activation letter to gain access to the account of the user.
  • With a First Usage of Device condition, new 2FA authentication devices are detected. This can be used to enforce an additional, one-time user authentication step. This way, registering a new Airlock 2FA device requires an activation letter plus user authentication in Airlock IAM.
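The difference between the two cases above, as an added illustrative model in Python (not Airlock IAM code or configuration). The class, function and step names are hypothetical, and recording usage only once the whole flow has succeeded is an assumption of this model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class DeviceUsageRepository:
    """Model of a repository storing how often and when a device was used."""
    _usage: dict = field(default_factory=dict)  # device_id -> (count, last_used)

    def is_first_usage(self, device_id):
        return device_id not in self._usage

    def record_success(self, device_id):
        count, _ = self._usage.get(device_id, (0, None))
        self._usage[device_id] = (count + 1, datetime.now(timezone.utc))

    def count(self, device_id):
        return self._usage.get(device_id, (0, None))[0]


def passwordless_flow(repo, device_id, device_ok, extra_auth_ok=False,
                      use_condition=True):
    """Run the modelled flow; return (executed steps, login succeeded)."""
    # Step 1: authenticate with the 2FA device first, so the condition
    # below unambiguously evaluates the device that was just used.
    steps = ["airlock_2fa_device"]
    if not device_ok:
        return steps, False
    # Step 2: selection on "first usage of device". A device with no
    # recorded usage triggers a one-time additional authentication step.
    if use_condition and repo.is_first_usage(device_id):
        steps.append("one_time_user_authentication")
        if not extra_auth_ok:
            # Assumption: a failed flow records nothing, so the device
            # is still treated as new on the next attempt.
            return steps, False
    repo.record_success(device_id)
    return steps, True


if __name__ == "__main__":
    repo = DeviceUsageRepository()
    # Constructed scenario: a device freshly activated with a letter.
    print(passwordless_flow(repo, "dev-new", True, extra_auth_ok=False))
    print(passwordless_flow(repo, "dev-new", True, extra_auth_ok=True))
    print(passwordless_flow(repo, "dev-new", True))  # known device now
```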