In certain use cases it is desirable and, in terms of security, acceptable to enroll the 2nd authentication factor during or just after self-registration.
There are two ways to implement this:
- Place an enrollment step directly in the self-registration flow. This is supported by selected authentication factors (e.g. Airlock 2FA Activation Step).
- Prepare the account so that the 2nd factor is enrolled during the first login. This article is about this option.

To prepare the user account for the enrollment of a 2nd authentication factor during the first login, the authentication method migration concept is used as follows:
- During self-registration, the authentication method to migrate to is stored on the new user account. This is achieved using the non-interactive plugin Set Authentication Method Migration Step.
- During the next login, the user is then asked to enroll the 2nd factor. For this to work, the authentication flow must contain a migration step for the target factor (or the Migration Selection Step if there are multiple options).

Self-registration usually provides little evidence of the end user's real identity. Enrolling a second factor based on self-registration can therefore be risky.