Thanks for your comments.
My apologies, by “failed to scan” I meant “they didn’t scan”. Perhaps they hit “done” or perhaps they just navigated elsewhere. It’s also possible that they scanned with a faulty app, as you noted above.
Also to clarify, our situation is much more like Google’s than an enterprise environment. We are a government-funded organization mandated to offer service to a wide variety of users at other institutions. Many of those users work at universities and will most likely already have the Duo app installed, or maybe one of the common TOTP apps. So they will indeed be coming in with 1.23 million other apps. Requiring the use of the privacyIDEA app is certainly an option but we are already struggling with the issues involved in deploying MFA to such a diverse user base and requiring a specific app makes it more difficult. We lack the funding to send hardware tokens to all users, and we also have to deal with occasional users who do not have a smartphone.
To answer your specific questions with our preferences:
What should happen if the user enters a wrong OTP value during enrollment? Should the dialog ask for a correct value indefinitely?
Yes. Or cancel enrollment after a limited number of attempts.
What should happen with the actually created token object, if the user is not capable of entering a correct OTP value?
It should not be enabled or used until the user can enter a correct OTP.
Actually that brings up another point: if we enable the policy passOnNoToken then PI disallows login if any tokens are present, including disabled tokens. That means we have to use the API flow you give above and delete any token that has not been confirmed. If there were an option to consider only enabled tokens then the API flow would be simpler:
- Create a token, display the QR code then disable it
- Request an OTP.
- Enable the token and test the OTP. If it matches, we’re done.
- If the OTP didn’t match, disable it again and go to step 2.
This would avoid users being locked out of MFA-protected services as soon as they begin the MFA enrollment process.
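The enrollment loop from the list above, written out as an added example (it is not code from this post or from privacyIDEA). The endpoint paths and response keys (/token/init returning detail.serial and detail.googleurl.img, /token/enable/<serial> and /token/disable/<serial>, /validate/check with serial and pass, DELETE /token/<serial>) are assumed to match privacyIDEA's REST API; authentication to the API is left to the injected post/delete callables, and FakePI is a constructed in-memory stand-in so the flow runs offline.

```python
MAX_ATTEMPTS = 3  # bound the retries instead of asking indefinitely


class PIClient:
    """Thin wrapper; endpoint paths are assumed to match privacyIDEA's REST API."""
    def __init__(self, post, delete):
        self.post, self.delete = post, delete  # (path, params) -> dict; auth handled inside
    def init_totp(self, user, realm):
        r = self.post("/token/init", {"type": "totp", "genkey": "1", "user": user, "realm": realm})
        return r["detail"]["serial"], r["detail"]["googleurl"]["img"]
    def disable(self, serial): self.post(f"/token/disable/{serial}", {})
    def enable(self, serial): self.post(f"/token/enable/{serial}", {})
    def check(self, serial, otp):
        return self.post("/validate/check", {"serial": serial, "pass": otp})["result"]["value"]
    def delete_token(self, serial): self.delete(f"/token/{serial}")


def enroll(pi, user, realm, ask_otp, show_qr):
    """Create -> disable -> show QR -> (ask OTP, enable, check, disable on miss) x N; delete if unconfirmed."""
    serial, qr = pi.init_totp(user, realm)
    pi.disable(serial)            # token exists but is not usable until confirmed
    show_qr(qr)
    for _ in range(MAX_ATTEMPTS):
        otp = ask_otp()
        if otp is None:           # user hit "done" or navigated away without scanning
            break
        pi.enable(serial)
        if pi.check(serial, otp):
            return serial         # confirmed: leave it enabled
        pi.disable(serial)        # wrong OTP: back to disabled, ask again
    pi.delete_token(serial)       # never confirmed: remove it so passOnNoToken still admits the user
    return None


class FakePI:
    """Constructed stand-in for the server; accepts one fixed OTP so the flow runs offline."""
    def __init__(self, valid_otp="123456"):
        self.valid_otp, self.tokens = valid_otp, {}  # serial -> enabled?
    def post(self, path, params):
        if path == "/token/init":
            self.tokens["TOTP0001"] = True
            return {"detail": {"serial": "TOTP0001", "googleurl": {"img": "data:image/png;base64,CONSTRUCTED"}}}
        if path.startswith(("/token/disable/", "/token/enable/")):
            self.tokens[path.rsplit("/", 1)[1]] = path.startswith("/token/enable/")
            return {}
        if path == "/validate/check":  # a disabled token never validates
            ok = self.tokens.get(params["serial"]) and params["pass"] == self.valid_otp
            return {"result": {"value": bool(ok)}}
        raise ValueError(path)
    def delete(self, path):
        del self.tokens[path.rsplit("/", 1)[1]]
```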