We would like to adopt the self-rollout of a token into our IDM. To do this, we use the Rest API.
Since the user does not have a token yet, he would have to authenticate himself against the authentication userstorage. But in general we don’t want the user to be able to log in with only one factor to create his second factor (security condition). So the authentication privacyidea is our default configuration for logging in to the WebUI. The login against the authentication privacyidea works only with second factor (even if the user has no token yet). [Here I am not sure if this is the default config or has been overwritten by us].
Therefore we are looking for the possibility to log in with only one factor and roll out an initial token in case the user does not have a “first” token yet.
Our idea was to use the conditions of the policies.
There is a condition that can check the token. But it is not possible to check if there is a token at all. Because this aborts with the error that there is no object.
We would like to have the same for the deactivation/locking of tokens in addition to the rollout, so that the users can deactivate the tokens themselves in a timely manner using a factor.
Does anyone have a solution for this?
Previous idea:
Allow the IDM portal servers to generally use 1FA auth and request a 2FA for certain actions each time. → However, I don’t think this is the best option, because if the portal is hacked, it could be bypassed.
The same applies to a system account for rolling out new tokens on the server.