As an Administrator of AAf, admin should be able to add MFA for direct smartphone enrollment url as well.

Currently, the product (AAf 6.2) support direct smartphone enrollment without the need of user to go to the self-enrollment portal.
User can be provided the url https://<aafserver>/smartphone/enroll, which user opens on their smartphone (iOS, android) browser. The browser provide option to select either install NetIQ Auth app or enroll.
User already has the app installed on their device and click on enroll. NetIQ auth app opens up and user is only asked to enter username & password. (in the back-end, there is no event, only a predefined chain is triggered to conduct only username/password authentication)

A vulnerability on this is that a compromised user credential can be used to enroll a smartphone which doesn't belong to the real user. This could lead to a major breach.

Attaching smartphone enroll process to a specific event (Authenticator management) and updating the NetIQ Auth app to support another factor field pop up will rectify this issue and give more reasons to customer to use NetIQ Auth app and utilize push notification capability.


  • When requiring to enroll 10K+ users we need to make the process available inside and outside(4G) the network. But to ensure validation that the user is who they say they are the enrol process needs to protect externally via a MFA token (ie SMS or email token).