Activation letter enrollment
This article explains on a conceptual level how Airlock 2FA devices/tokens are enrolled using activation letters with QR code and 16-digit activation code sent to the user by the service provider.
Enrollment by QR code is the default. The 16-digit activation code provides an alternative method if an end-user's smartphone does not have a working camera or the user prefers to not give the app camera access. Activation via the digit code is disabled by default. To enable this option, see Enabling the 16-digit activation code.
Goal
- Understand what device/token enrollment is in general.
- Understand how activation letters work.
- Learn details about prerequisites and limitations of activation letters.
All following procedures are exemplary and will vary according to your setup or needs.
Introduction
Airlock 2FA devices/tokens are enrolled by scanning a QR code or manually entering a 16-digit activation code (if enabled) from either the browser or a printed letter (= activation letter).
It is essential that the QR-/activation code is only used by the legitimate user. Thus, you must ensure that the code is only revealed to the intended user.
Using an activation letter provides high security but only if you trust in the used delivery method (e.g., postal service). If the activation letter is lost or stolen, an unintended third party may be able to illegally enroll their device. To prevent this, you can invalidate the letter. See also Airlock 2FA token management.
Prerequisites
- A user account exists in IAM with a communication channel that is trustworthy for sending activation letters (e.g. address for physical mail).
Enrollment via activation letter
The following sequence diagram shows how an activation letter is used to enroll an Airlock 2FA device/token.
- (1)
An administrator or helpdesk generates an activation letter using the IAM Adminapp (or REST API). IAM creates an enrollment in the Futurae cloud and generates a letter (PDF).
- (2)
The activation letter is sent in hardcopy to the user (e.g., using a trusted postal service).
- (3)
The user receives the activation letter and - by following its instructions - installs the Airlock 2FA app.
- (4)
The user scans the QR code or manually enters the 16-digit activation code (if enabled) to enroll the 2FA device. The app connects to the Futurae cloud for enrollment.
Note that this step does not involve Airlock IAM. The enrollment is therefore possible regardless of the status of the IAM account (e.g., locked account).- (5)
The enrolled device is now stored in the Airlock 2FA app and ready for use.
Enrollments and thus activation letters may be valid for at most 90 days. The validity period is configurable.
If the activation letter gets lost or is stolen before the end of the validity period, an unintended third party may be able to illegally enroll their device. To prevent this, you can invalidate the letter. See also Airlock 2FA token management.