Prepare self-registered account for 2nd-factor enrollment

In certain use cases it is desirable and - in terms of security - acceptable to enroll the 2nd authentication factor during or just after self-registration.

There are two ways to implement this:

  • Place an enrollment step directly in the self-registration flow. This is supported by selected authentication factors (e.g. Airlock 2FA Activation Step).
  • Prepare the account so that the 2nd factor is enrolled during the first login. This article is about this option.

To prepare the user account for the enrollment of a 2nd authentication factor during the first login, the authentication method migration concept is used as follows:

  1. During self-registration, the authentication method to migrate to is stored on the new user account. This is achieved using the non-interactive plugin Set Authentication Method Migration Step.
  2. During the next login, the user is then asked to enroll the 2nd factor. For this to work, the authentication flow must contain a migration step for the target factor (or the Migration Selection Step if there are multiple options).

Self-registration usually provides little evidence of the end user's real identity. Enrolling a second factor based on self-registration can therefore be risky.

Configuration

  1. Go to:
    Loginapp >> Self-Registration >> select a flow
  2. In the list of flow steps, create a Set Authentication Method Migration Step plugin and place it before the final User Persisting Step. Then edit the plugin as follows:
  3. In property Authentication Method, select the method (e.g. AIRLOCK_2FA) of the authentication factor to enroll.
  4. Optionally, in property Migration Deadline, set a deadline after which the user is forced to enroll the 2nd factor. Until the deadline, and depending on the authentication flow configuration, the user may be allowed to skip the enrollment.
  5. Make sure that the corresponding authentication flow(s) honor the authentication method migration information: add a migration step for the target factor (or the Migration Selection Step if there are multiple options).