If you have set up self-service console (see wiki; https://wiki.deepnetsecurity.com/display/DualShield6/Setting+up+the+Self+Service+Console ) an end user will be able to activate their own devicepass token
This is particularly useful if you are using device fingerprinting to protect OWA, as the end-user will still need to gain access to their email in order to activate the token, therefore this gives the end user a limited time period, to access their email where they will receive an activation link.