2 step enrolement: SMS + Privacy Idea App

Question
1

Hello we are doing currently PoC with IDEA and like it so much!
We are looking to use only Idea Auth app on mobiles.

Only concern is token enrolment process for remote users (by remote I mean those not being visiting our office)

We do not want to send QR codes via eg mail. Also we do not want to allow user use more than 1 auth device (eg use same QR on second mobile)

Thinking about such scenario:

  1. generating single use code / PIN / password (delivered via email or SMS)
  2. generate new token on user Mobile (in Idea auth app) entering entering this PIN from step 1

So basically do not use QR codes but 2 steps enrolment process.
If possible without granting user to WebUI

Would this be possible with IDEA?

2

Yes it is.
You could use the validate-check-enrollment mechanism in version 3.8.x.

3

Thank @cornelinux you for reply.
Are you referring to this feature? New verify enrolment with privacyIDEA 3.7 - YouTube

If so I affraid this doesnt resololve our main aim to do not allow register this token on more then one device?

4

No. This one:

https://privacyidea.readthedocs.io/en/v3.8.1/policies/authentication.html#enroll-via-multichallenge