16.4. What are possible rollout strategies?
There are different ways to enroll tokens for a large number of users. Here are some selected high-level ideas that you can implement with privacyIDEA.
Using the autoassignment policy you can distribute physical tokens to the users. The users can simply start using the tokens.
16.4.2. Registration Code
If your users are not physically available, e.g. because they are spread around the world, you can send a registration code to the users by postal mail. The registration code is a special token type which the user can use to authenticate with 2FA. Once it has been used, the registration token is deleted and cannot be used anymore. While logged in, the user can enroll a token on their own.
16.4.3. Automatic initial synchronization
Hardware TOTP tokens may get out of sync due to clock drift. HOTP tokens may get out of sync due to unused key presses. To cope with this, you can activate Automatic resync during authentication.
But if you are importing hardware tokens, the clock of a TOTP token may already be out of sync, and you do not want the user to authenticate twice, with the first authentication failing.
In this case you can use the following workflow.
In the TOTP token settings you can set the timeWindow to a very high value. Note that this timeWindow is the number of seconds that privacyIDEA will search for the valid OTP value before and after the current time. E.g. you can set this to 86400. This way you allow the clock in the TOTP token to have drifted by a maximum of one day.
As you do not want such a big window for all authentications, you can automatically reset the timeWindow. You can achieve this by creating a definition with the following condition and action:

* condition: tokentype=TOTP
* condition: count_auth_success=1
* action: set tokeninfo, key=timeWindow, value=180

This way, with the first successful authentication of a TOTP token, the timeWindow of that TOTP token is set to 180 seconds.
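The following added example (not privacyIDEA's own code) models the workflow above with a stand-alone RFC 6238 TOTP check: a wide initial timeWindow lets a drifted hardware token authenticate, the first success stores the observed drift and shrinks the window to 180 seconds, and a later OTP that is further off is rejected. The timeShift bookkeeping and the TotpToken class are assumptions made for the demonstration, and the seed is a constructed demo value.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # constructed demo seed, not a real token secret
STEP = 30                          # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP over the Unix time divided into STEP-second counters."""
    return hotp(secret, at // STEP)


def find_otp(secret: bytes, otp: str, now: int, time_window: int, time_shift: int = 0):
    """Search +/- time_window seconds around the (shifted) server time, i.e. the
    timeWindow search described above, nearest step first. Returns the matching
    step offset, or None if the OTP is valid nowhere in the window."""
    base = (now + time_shift) // STEP
    steps = time_window // STEP
    for delta in sorted(range(-steps, steps + 1), key=abs):
        if hmac.compare_digest(hotp(secret, base + delta), otp):
            return delta
    return None


class TotpToken:
    """Token record (assumed model): wide initial timeWindow, observed drift kept as
    timeShift on success, timeWindow reset to 180 s after the first success."""
    def __init__(self, secret: bytes, time_window: int):
        self.secret = secret
        self.time_window = time_window      # tokeninfo timeWindow
        self.time_shift = 0                 # tokeninfo timeShift (seconds)
        self.count_auth_success = 0

    def authenticate(self, otp: str, now: int) -> bool:
        delta = find_otp(self.secret, otp, now, self.time_window, self.time_shift)
        if delta is None:
            return False
        self.count_auth_success += 1
        self.time_shift += delta * STEP     # remember the token's clock drift
        if self.count_auth_success == 1:    # condition: count_auth_success=1
            self.time_window = 180          # action: set tokeninfo timeWindow=180
        return True
```

With a 180-second window the same drifted OTP is rejected outright, which is the double-authentication problem the wide initial window avoids.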