Understanding the enrollment PIN workflow

For two-factor authentication during Blue Cedar Gateway enrollment, as described in the Gateway IT Administrator's Guide, the gateway can generate an enrollment PIN and email an enrollment invitation to the end user. The "Customizing the enrollment PIN email" section of that guide describes how to enable this enrollment step and customize the enrollment email.

This article describes what happens during the enrollment workflow.

Workflow

The first time mobile users launch an app that requires enrollment, they are prompted for their enrollment username and password, that is, the credentials for the service they are connecting to.

  1. The gateway generates a PIN code and emails it to the user. The gateway sends this email to the same enrollee at most once within a 15-minute period. Each enrollment request gets a unique ID for tracking.
  2. If the user quits the enrollment process or is idle before completing the PIN entry, when they re-launch the app they are asked to provide the PIN that has been emailed.
    • If the new launch is within the 15-minute window from the initial request and email generation, a message appears to tell them "An enrollment PIN has been emailed to email address. Please retrieve the PIN from your email." The gateway does not generate a new PIN or email a new enrollment invitation.
    • If the new launch is more than 15 minutes from the initial enrollment email, another email is sent to the user with the same PIN that was originally provided.
  3. If the user enters the PIN incorrectly 10 times, the gateway generates a new PIN and emails it to the user, regardless of the 15-minute expiration window.
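
The workflow above modeled as a small state machine, as an added example that is not Blue Cedar's code. The 15-minute window and the 10-attempt threshold come from this article; the 6-digit PIN, the class and method names, and restarting the failure counter when a new PIN is issued are assumptions.

```python
import hmac
import secrets

RESEND_WINDOW_S = 15 * 60   # from the article: one email per 15-minute period
MAX_BAD_PINS = 10           # from the article: 10 wrong entries rotate the PIN
PIN_DIGITS = 6              # assumption: the article does not state the PIN length


class Enrollment:
    """Per-enrollee state for one enrollment request (hypothetical model)."""

    def __init__(self, email, now):
        self.email = email
        self.request_id = secrets.token_hex(8)  # unique ID for tracking
        self.failures = 0
        self.outbox = []                         # (timestamp, pin) for each email sent
        self._issue_pin(now)

    def _issue_pin(self, now):
        self.pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self.failures = 0                        # assumption: counter restarts with a new PIN
        self._send(now)

    def _send(self, now):
        self.last_sent = now
        self.outbox.append((now, self.pin))

    def relaunch(self, now):
        """User reopens the app before finishing PIN entry (step 2)."""
        if now - self.last_sent <= RESEND_WINDOW_S:
            return "check-email"                 # inside the window: no new PIN, no new email
        self._send(now)                          # outside the window: same PIN, emailed again
        return "resent-same-pin"

    def submit(self, candidate, now):
        """User enters a PIN (step 3 covers repeated failures)."""
        if hmac.compare_digest(candidate.encode(), self.pin.encode()):
            return "enrolled"
        self.failures += 1
        if self.failures >= MAX_BAD_PINS:
            self._issue_pin(now)                 # new PIN and email, regardless of the window
            return "pin-rotated"
        return "wrong-pin"
```

Timestamps are passed in as seconds so the window boundary can be exercised without waiting; the `outbox` list stands in for the gateway's mailer.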