If you need to deploy a huge number of OTP tokens to your end users, this is often a tricky challenge. The two factor authentication with these enrolled tokens may only be as secure as the enrollment process itself. Often a simple password is not enough to let the user enroll or assign a token as second factor. If an attacker gets hold on the users password, the attacker easily can enroll a token for himself also getting access with two factors.
In this case the user has to be identified securely with an additional step. Sending a postal letter with a registration code may help. Thus the user can only enroll a two-factor OTP token, if he knows the password and has phyiscal access to the letter box where he will find the registration code.
privacyIDEA provides the possibility to use such a registration code enabling you to secure the automated deployment process with a huge number of users.
NetKnights helps you planning your authentication infrastructure and designing workflows, that fit your requirements.