Prepare self-registered account for 2nd-factor enrollment
In certain use cases it is desirable and - in terms of security - acceptable to enroll the 2nd authentication factor during or just after self-registration.
There are two ways to implement this:
- Place an enrollment step directly in the self-registration flow. This is supported by selected authentication factors (e.g. Airlock 2FA Activation Step).
- Prepare the account so that the 2nd factor is enrolled during the first login. This article is about this option.
To prepare the user account for the enrollment of a 2nd authentication factor during the first login, the authentication method migration concept is used as follows:
- During self-registration, the authentication method to migrate to is stored on the new user account. This is achieved using the non-interactive plugin Set Authentication Method Migration Step.
- During the next login, the user is then asked to enroll the 2nd factor. For this to work, the authentication flow must contain a migration step for the target factor (or the Migration Selection Step if there are multiple options).
Risk
Self-registration usually provides little evidence of the end-user's real identity. Enrolling a second factor on the basis of self-registration alone can therefore be risky.
Configuration
- Go to: Loginapp >> Self-Registration >> select a flow
- In the list of flow steps, create a Set Authentication Method Migration Step plugin and place it before the final User Persisting Step. Then edit the plugin as follows:
- In property Authentication Method, select the method (e.g. AIRLOCK_2FA) of the authentication factor to enroll.
- Optionally, in property Migration Deadline, set a deadline after which the user is forced to enroll the 2nd factor. Until the deadline, depending on the authentication flow configuration, the user may be allowed to skip the enrollment.
- Make sure that the corresponding authentication flow(s) honor the authentication method migration information: add a migration step for the target factor (or the Migration Selection Step if there are multiple options).
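To make the account state behind these two steps concrete, here is an added Python model (not Airlock IAM code; the names Account, set_auth_method_migration, migration_step and complete_enrollment are assumptions): the registration step stores the target method and deadline on the account, and the migration step in the login flow decides on every login whether enrollment is offered, enforced, or no longer needed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Set

def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass
class Account:
    username: str
    enrolled_factors: Set[str] = field(default_factory=set)
    migration_target: Optional[str] = None         # written by the registration step
    migration_deadline: Optional[datetime] = None  # None: no deadline, skipping stays possible

def set_auth_method_migration(account: Account, target: str, deadline: Optional[datetime] = None) -> None:
    """Model of the non-interactive registration step: store the target second
    factor (and optional deadline) on the freshly created account."""
    account.migration_target = target
    account.migration_deadline = deadline

def migration_step(account: Account, now: datetime, skip_allowed_before_deadline: bool) -> str:
    """Model of the migration step in the login flow, run after the first factor
    succeeded. Returns 'continue' (nothing pending), 'enroll_optional' (offered,
    user may skip for now) or 'enroll_required' (deadline reached or skipping
    disabled: enrollment is mandatory before access is granted)."""
    target = account.migration_target
    if target is None or target in account.enrolled_factors:
        account.migration_target = None  # clear a stale marker
        return "continue"
    deadline = account.migration_deadline
    deadline_passed = deadline is not None and now >= deadline
    if skip_allowed_before_deadline and not deadline_passed:
        return "enroll_optional"
    return "enroll_required"

def complete_enrollment(account: Account, method: str) -> None:
    """After successful enrollment the migration marker is no longer needed."""
    account.enrolled_factors.add(method)
    account.migration_target = None
    account.migration_deadline = None

if __name__ == "__main__":
    # Constructed sample: self-registered user, enrollment deadline 2025-01-31.
    alice = Account("alice")
    set_auth_method_migration(alice, "AIRLOCK_2FA", deadline=utc(2025, 1, 31))
    print(migration_step(alice, utc(2025, 1, 10), True))  # enroll_optional
    print(migration_step(alice, utc(2025, 2, 1), True))   # enroll_required
    complete_enrollment(alice, "AIRLOCK_2FA")
    print(migration_step(alice, utc(2025, 2, 1), True))   # continue
```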
Further information and links
Internal links:
- See Authentication methods in IAM for more information about authentication methods supported in Airlock IAM.
- See Step-Up authentication for more information about on-demand access control.