10.2.2.2.3. Offline QR code authentication

This article explains, on a conceptual level, how Airlock 2FA offline QR code authentication works. It also provides important details for correct use and configuration.

Goal

  • Understand offline QR code authentication in general.
  • Understand the interaction between involved components.
  • Learn details about prerequisites and limitations of offline QR code authentication.

All of the following procedures are examples and will vary according to your setup or needs.

Initial thoughts

Offline QR code authentication involves scanning a QR code image and typing in a verification code (OTP). The main use-cases are:

  • Offline alternative to One-Touch authentication using mobile apps.
  • Login with hardware tokens.
  • Transaction approval with hardware tokens.
  • Offline transaction approval with the Airlock 2FA app.

In all these cases, there is no communication to or from the device over the internet, hence the name "offline QR code".

Airlock 2FA also supports other types of authentication. Review the available authentication capabilities and compare them against your requirements. For further information, see 10.2.2.2. Authentication factors.

Prerequisites

  • User account exists in IAM.
  • The user has Airlock 2FA enabled as a possible authentication method.
  • Offline QR code login is enabled in the Airlock 2FA configuration.
  • The user has installed the Airlock 2FA app on the smartphone or has an appropriate Airlock 2FA hardware token.
  • The Airlock 2FA app or hardware token has been enrolled for the user's account.

Offline QR code authentication flow

The following flow chart shows how offline QR code authentication works in general:

[Flow chart: UC-OfflineQRCode]

(1) The user is identified by IAM (e.g. by entering username and password in the browser). If multiple Airlock 2FA apps or hardware tokens have been activated for the user, a selection page is shown.
(2) IAM starts the authentication process by getting a QR code image bearing a challenge from the Futurae cloud.
(3) Airlock IAM displays the QR code on the authentication login page.
(4) The user
  • scans the QR code with the hardware token or the app.
  • reviews the displayed information (e.g. in transaction approval).
  • enters the displayed verification code in the browser.
(5) IAM sends the code to the Futurae cloud for verification.
(6) IAM automatically redirects the user's browser to the intended target application or service.
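
The flow above can be modelled as a small challenge-response exchange. The following is an added example, not Airlock IAM or Futurae code: the class names, the JSON payload layout and the HMAC-based code derivation are assumptions made for illustration, since this article does not describe the real challenge format or how the verification code is computed.

```python
import hashlib, hmac, json, secrets

def derive_code(key: bytes, payload: str) -> str:
    # Assumed derivation: HMAC over the whole QR payload, truncated to 6 digits.
    digest = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

class VerifierCloud:
    """Stand-in for the cloud service that issues challenges and checks codes."""
    def __init__(self):
        self.device_keys = {}  # device_id -> secret shared at enrollment
        self.pending = {}      # session_id -> (device_id, QR payload)

    def enroll(self, device_id: str) -> bytes:
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]  # stored on the device once

    def start_auth(self, device_id: str, details: str):
        # Step 2: fresh challenge, bound to the text the user will review.
        sid = secrets.token_hex(8)
        payload = json.dumps({"sid": sid, "nonce": secrets.token_hex(16),
                              "details": details}, sort_keys=True)
        self.pending[sid] = (device_id, payload)
        return sid, payload  # payload is what the QR image would encode

    def verify(self, sid: str, code: str) -> bool:
        # Step 5: pop() makes every challenge single-use, pass or fail.
        entry = self.pending.pop(sid, None)
        if entry is None:
            return False
        device_id, payload = entry
        expected = derive_code(self.device_keys[device_id], payload)
        return hmac.compare_digest(expected, code)

class OfflineDevice:
    """App or hardware token: holds the enrolled key, has no network access."""
    def __init__(self, key: bytes):
        self.key = key

    def scan(self, qr_payload: str):
        # Step 4: show the details for review, then the code to type in.
        return json.loads(qr_payload)["details"], derive_code(self.key, qr_payload)

if __name__ == "__main__":
    cloud = VerifierCloud()
    device = OfflineDevice(cloud.enroll("token-1"))
    sid, qr = cloud.start_auth("token-1", "Pay 10 CHF to A")  # constructed sample
    shown, code = device.scan(qr)
    print(shown, code, cloud.verify(sid, code), cloud.verify(sid, code))
```

In this model, the device can answer without any network connection only because enrollment already placed a shared secret on it, which is why enrollment appears among the prerequisites.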

Limitations

The following limitations apply when using offline QR code authentication:

  • Only Template 2.0 JSP templates are provided for Airlock 2FA.
  • QR code authentication as offline fallback using a mobile app is only supported in the Loginapp REST UI (and not in the JSP-Loginapp).

Further information and links

  • This Airlock 2FA factor may also be used for transaction approval and to verify user self-services.