Token enrollment

When first downloaded from the app store, the Airlock 2FA app contains no cryptographic key material, so it cannot yet be used for authentication. The end-user must first enroll the app. Enrollment is the process of activating a new Airlock 2FA token in the app and linking that token to an end-user account. During enrollment, the Airlock 2FA app generates the necessary cryptographic keys and stores them in the smartphone's secure storage.

Notice

In addition to the Airlock 2FA app, Airlock 2FA also supports hardware tokens for authentication and transaction approval. Hardware tokens are not enrolled by the end-user; they are assigned to an end-user by the administrator. For more information, see Hardware token management for Airlock 2FA.

End-users can enroll the Airlock 2FA app by:

  • either scanning a QR code displayed in the browser or printed on a hard-copy activation letter, or
  • manually entering a 16-digit activation code, which a representative of your organization (e.g., help desk or counter staff) provides verbally to the end-user. This method is the alternative to scanning a QR code when the end-user's smartphone has no camera, the camera is broken, or the end-user does not want the app to access the camera.

The Airlock 2FA app can be enrolled on different occasions: after receiving an activation letter, when prompted to migrate to Airlock 2FA during authentication, during a self-registration process, or via protected self-services. The table below shows the two enrollment methods in combination with the possible enrollment occasions.

Enrollment method: QR code (default)

Enrollment occasion: Activation letter

An enrollment QR code is printed on a letter and sent to the end-user. The end-user scans the QR code to activate the Airlock 2FA app.

Risk

Using an activation letter provides a high level of security, but only if you trust the delivery method (e.g., the postal service). If the activation letter is lost or stolen, an unintended third party may be able to illegally enroll their own device. To prevent this, you can invalidate the letter. See also Airlock 2FA token management.

Enrollment occasion: Authentication (migration to 2FA token)

During the authentication flow, the end-user is prompted to migrate to Airlock 2FA and asked to activate the Airlock 2FA app by scanning the displayed enrollment QR code.

Enrollment occasion: Self-registration

During the self-registration flow, the end-user is prompted to select an additional authentication method. If the end-user chooses Airlock 2FA, they are asked to activate the Airlock 2FA app by scanning the displayed enrollment QR code.

Enrollment occasion: Protected self-service

In the protected token management self-service, logged-in end-users can add a new 2FA app token with the Airlock 2FA Device Management feature. After clicking the Activate Airlock 2FA device button, the end-user scans the displayed QR code to enroll a new device.

Enrollment method: 16-digit activation code (alternative method if scanning a QR code is not an option)

Enrollment occasions: Activation letter, Authentication (migration to 2FA token), Protected self-service

Enrolling the Airlock 2FA app by scanning a QR code is the default. However, scanning a QR code is not possible if the end-user's smartphone does not have a camera, the camera is broken, or the end-user does not want the app to access the camera.

In this case, the end-user may either call your help desk or go to your counter. Your staff provide the end-user with the 16-digit code to activate the 2FA app.

Risk

There is a risk that the 16-digit activation code could be given to an unintended third party, allowing that person to illegally enroll their own device. Before providing the activation code, your organization's representative should therefore verify that the end-user is who they claim to be.

The help desk or counter staff obtain the code from the details view for this end-user in the Adminapp. For more information, see Airlock 2FA token management.

Notice

It is not possible to enroll the Airlock 2FA app with the activation code during self-registration: an end-user account must exist before the 16-digit activation code can be generated, and no account exists until self-registration is complete.