After the user first installs the Airlock 2FA app, the app does not yet contain the cryptographic key material required for authentication. Enrollment is the process of activating a new Airlock 2FA token and linking it to a user account.
Airlock 2FA apps are enrolled by scanning a QR code, either from the browser or from a printed letter (the activation letter). During enrollment, the Airlock 2FA app generates cryptographic keys and stores them in the smartphone's secure storage.
Note that Airlock 2FA hardware tokens are not enrolled but assigned by the administrator.
Enrollment type | Description |
---|---|
Activation letter | An enrollment QR code is printed on a letter and sent to the user. The user scans the QR code to activate the Airlock 2FA app. Using an activation letter provides a high level of security, but only if you trust the delivery method (e.g., postal service). If the activation letter is lost or stolen, an unintended third party may be able to illegally enroll their device. To prevent this, you can invalidate the letter. See also Airlock 2FA token management. |
Token migration | The user is authenticated using another second factor (e.g., mTAN) and is then asked to activate the Airlock 2FA app by scanning the displayed enrollment QR code. |
Self-service | In the token management self-service, logged-in users can add new app tokens by scanning a QR code. |
Component | Requirement | Comments |
---|---|---|
Airlock IAM | | For licensing contact: order@airlock.com. |