Token migration is an end-user self-service and part of the authentication process. It requires an established authentication method before the token migration. The established (old) token is used to authenticate the user; the end-user is then asked to enroll the (new) token of a different type.
Users are marked for migration using the Adminapp or the Adminapp REST API.
Token migration is configurable as optional or mandatory. In addition, a grace period can be set, during which the end-user can freely postpone the migration.
With these features, end-users can easily be migrated to a new second factor without activation letters and administrative effort.
If Airlock 2FA is used as the second factor in strong authentication, the end-user must be strongly authenticated before migration.
While it is possible to enroll Airlock 2FA based on username and password alone, the security risks of such a setup must be considered thoroughly.
Note that there are different types of Airlock 2FA enrollment:
- Enrollment using activation letters
- Migration from another second factor to Airlock 2FA as a self-service