Enrolling mobile phone for OATH

The mobile phone generates an OTP which is used to authenticate the user to the bank server. So a prerequisite of the authentication is to enroll the mobile phone so that the user can be recognized. For the offline OATH authentication, the enrollment of the mobile phone happens as follows:

  1. The user initiates the enrollment by sending an enrollment request to the bank.
  2. The bank obtains a registration code and PIN from IdCloud and returns these details to the user, for example in a QR code or an email.
  3. The user launches the bank app on the device and enters the registration code or scans a QR code.
  4. The bank app passes this code to Mobile Protector SDK that completes the enrollment process with IdCloud. IdCloud returns the encrypted token data to the bank app.
  5. A “success” message is displayed on the bank app if the enrollment is successful.
An overview of the enrollment
An overview of the enrollment

The PIN is the “knowledge factor” the end user must remember. The user enters the PIN in the Mobile Protector SDK to authenticate, sign transactions or to enable biometric factors. The PIN can be changed via the mobile application after the enrollment.

The following sequence diagram shows the details of the enrollment process: