Check out the Demo Configuration in the Config Editor: it contains a pre-configured selection step for device tokens.
It also provides the configuration to manage device tokens in the Adminapp using a Generic Token Controller plugin.

The Loginapp REST API must be configured as follows:

- For device token registration:
  - Loginapp >> Session-less REST Endpoints >> User Token Settings >> Device Registration Settings
- Authentication flow if device token authentication is used as the first factor:
  - Loginapp >> Applications and Authentication >> <an application without device token authentication> >> Authentication Flow
    - First step: a username password step
    - Second step: e.g. MTAN
    - Add tags and skip conditions to meet your requirements.
  - Loginapp >> Authentication Flows >> <an application with device token authentication> >> Authentication Flow
    - First step: device token step
    - Second step: e.g. MTAN
    - Add tags and skip conditions to meet your requirements.
- Authentication flow if device token authentication is used as the 2nd factor:
  - Loginapp >> Applications and Authentication >> <an application> >> Authentication Flow
    - First step: a username password step
    - Second step: Selection Step (selects between the 2nd factor and device tokens, if available)
      - Available option 1: the 2nd factor of your choice (e.g. MTAN)
      - Available option 2:
        - Name: DEVICE_TOKEN
        - Steps: Device Token Authentication Step
        - Condition: Has Device Token
    - Add tags and skip conditions to meet your requirements.
- The Adminapp may be configured to enable device token management (e.g. for the helpdesk):
  - Adminapp >> Users >> Authentication Tokens (Credentials)
    - Add a Generic Token Controller with the following properties:
      - ID: DEVICE_TOKEN (unless a different identifier has been configured in the Device Registration Settings in the Loginapp)
      - User Interface: Default Token Controller UI with the following elements (as required):
        - Text Message: Device ID (Value: "data.id")
        - Text Message or input field: Device Label (Value: "data.attributes.label")
        - Text Message or input field: Device Serial (Value: "data.attributes.serial")
        - Text Message: "Enabled?" (Value: "data.attributes.enabled")
        - Text Message: "First used" (Value: "data.attributes.firstUsage")
        - Text Message: "Latest used" (Value: "data.attributes.latestUsage")
        - Text Message: "Total usages" (Value: "data.attributes.totalUsages")
        - Text Message: "Valid from" (Value: "data.attributes.validFrom")
        - Text Message: "Valid to" (Value: "data.attributes.validTo")
        - Button: "Enable" with remote action
          - POST on "/users/{{userId}}/tokens/generic/DEVICE_TOKEN/{{data.id}}/enable/"
          - On success: "update element"
          - Visible if: data.attributes.enabled === false
        - Button: "Disable" with remote action
          - DELETE on "/users/{{userId}}/tokens/generic/DEVICE_TOKEN/{{data.id}}/enable/"
          - On success: "update element"
          - Visible if: data.attributes.enabled === true
      - Token Endpoint: "Generic Token Endpoint" with a "Token Based Generic Repository Config"
        - In the "Token Based Attribute Mapping" use the following mapping:
          - Serial ID: "serial"
          - Enabled: "enabled"
          - Activation Date: "activationDate"
          - Valid From: "validFrom"
          - Valid To: "validTo"
          - Generation Date: "generationDate"
          - First Usage Date: "firstUsage"
          - Latest Usage Date: "latestUsage"
          - Total Usages: "totalUsages"
          - Generic Data Element1: "label"

This results in an Adminapp UI as in the following example (showing only one device token; multiple tokens are supported):

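The following is an added example and not Airlock IAM code: it models, in plain JavaScript, how the Generic Token Controller configuration above turns one repository record into the `data` object the UI elements read, and which of the "Enable" / "Disable" buttons (with its remote action path resolved) would be shown. The record, the user ID and the helper names are constructed for this example; the mapping, the paths and the "Visible if" expressions are the ones from the configuration.

```javascript
// Added example, not Airlock IAM code: a stand-alone model of how the
// Generic Token Controller configuration above turns one repository record
// into the `data` object the UI elements read, and which Enable/Disable
// button (with its resolved remote action) would be shown.

// Constructed sample record as a Generic Token Endpoint might return it.
const REPOSITORY_RECORD = {
  id: "dev-0001",
  serial: "SN-12345",
  enabled: false,
  activationDate: "2024-01-10T09:00:00Z",
  validFrom: "2024-01-10T09:00:00Z",
  validTo: "2025-01-10T09:00:00Z",
  generationDate: "2024-01-10T08:59:00Z",
  firstUsage: "2024-01-11T07:30:00Z",
  latestUsage: "2024-03-02T18:12:00Z",
  totalUsages: 17,
  label: "Alice's phone",
};

// "Token Based Attribute Mapping" from the configuration:
// attribute name used in the UI -> field name in the repository record.
const ATTRIBUTE_MAPPING = {
  serial: "serial",
  enabled: "enabled",
  activationDate: "activationDate",
  validFrom: "validFrom",
  validTo: "validTo",
  generationDate: "generationDate",
  firstUsage: "firstUsage",
  latestUsage: "latestUsage",
  totalUsages: "totalUsages",
  label: "label",
};

// Build the object the UI elements refer to as "data.id" / "data.attributes.*".
function toUiData(record, mapping = ATTRIBUTE_MAPPING) {
  const attributes = {};
  for (const [uiName, field] of Object.entries(mapping)) {
    if (field in record) attributes[uiName] = record[field];
  }
  return { id: record.id, attributes };
}

// Resolve {{userId}} / {{data.id}} placeholders of a remote-action path.
// Each value is URL-encoded so an identifier containing "/" or ".." cannot
// change which resource the action targets; an unknown placeholder is an error.
function expandTemplate(template, ctx) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const value = path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), ctx);
    if (value === undefined) throw new Error(`unresolved placeholder: ${path}`);
    return encodeURIComponent(String(value));
  });
}

const ENABLE_PATH = "/users/{{userId}}/tokens/generic/DEVICE_TOKEN/{{data.id}}/enable/";

// The two buttons from the configuration with their "Visible if" conditions.
const BUTTONS = [
  { name: "Enable", method: "POST", path: ENABLE_PATH, visibleIf: (d) => d.attributes.enabled === false },
  { name: "Disable", method: "DELETE", path: ENABLE_PATH, visibleIf: (d) => d.attributes.enabled === true },
];

// Buttons the UI would render for this token, with the remote action resolved.
// Strict equality (===) means a record whose "enabled" attribute is missing or
// not a boolean shows neither button instead of a misleading one.
function visibleActions(userId, data) {
  return BUTTONS.filter((b) => b.visibleIf(data)).map((b) => ({
    name: b.name,
    method: b.method,
    url: expandTemplate(b.path, { userId, data }),
  }));
}

// Stand-alone usage.
const data = toUiData(REPOSITORY_RECORD);
console.log(JSON.stringify(visibleActions("alice", data), null, 2));
```

Two points the configuration relies on are visible here: the strict `===` in the "Visible if" expressions keeps both buttons hidden when the repository delivers no boolean for `enabled`, and the placeholder values in the remote action path must be URL-encoded before they are put into the path.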
The configuration models the following authentication process:
- Always start with username + password check
- Always allow 2nd factor (e.g. MTAN)
- If at least one device token has been registered: offer device token as an alternative to other 2nd factors.
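The process above, as an added simulation that is not part of the original documentation: username and password first, then a selection step whose DEVICE_TOKEN option is only offered when the "Has Device Token" condition holds. The user records are constructed; the assumption that only enabled tokens satisfy the condition is this example's, not something the page states.

```javascript
// Added example, not Airlock IAM code: a simulation of the authentication
// process above (username + password, then a selection step whose
// DEVICE_TOKEN option is only available when the condition holds).

// Constructed user records for the example. Passwords are plain text here
// only to keep the simulation short; the product's own password step does
// the real verification.
const USERS = {
  alice: { password: "correct horse", deviceTokens: [{ id: "dev-0001", enabled: true }] },
  bob:   { password: "battery staple", deviceTokens: [] },
  carol: { password: "staple battery", deviceTokens: [{ id: "dev-0002", enabled: false }] },
};

// Selection-step options as configured: name, steps run if the option is
// chosen, and the condition that makes it available.
// Assumption for this example: "Has Device Token" counts only tokens that are
// currently enabled, so a token disabled by the helpdesk does not reopen the option.
const SELECTION_OPTIONS = [
  { name: "MTAN", steps: ["MTAN"], condition: () => true },
  { name: "DEVICE_TOKEN", steps: ["Device Token Authentication Step"],
    condition: (user) => user.deviceTokens.some((t) => t.enabled) },
];

// Names of the options the selection step offers to this user.
function availableOptions(user) {
  return SELECTION_OPTIONS.filter((o) => o.condition(user)).map((o) => o.name);
}

// Run the flow. Returns the ordered list of steps the user passes through,
// or null if the first step fails or the chosen option is not offered to
// this user (a client must not be able to pick an option its condition denies).
function authenticationFlow(username, password, choice) {
  const user = USERS[username];
  if (!user || user.password !== password) return null;
  if (!availableOptions(user).includes(choice)) return null;
  const option = SELECTION_OPTIONS.find((o) => o.name === choice);
  return ["Username Password Step", ...option.steps];
}

// Stand-alone usage.
console.log(authenticationFlow("alice", "correct horse", "DEVICE_TOKEN"));
console.log(authenticationFlow("bob", "battery staple", "DEVICE_TOKEN"));
```

The second call returns null: bob has no device token, so the selection step never offers DEVICE_TOKEN to him, and a client that asks for it anyway is refused rather than silently given the MTAN path.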