10.2.2.7.1. Service accounts

To use Airlock 2FA, at least one service account in the Futurae cloud service is required.

A service in the Futurae cloud usually represents one environment of your Airlock IAM deployment. Airlock 2FA users and their tokens are managed per service.

Examples:

  • Service Production is used by all productive IAM instances.
  • Service IAT is used by the IAM instances used for acceptance tests.
  • Service Test is used by test IAM instances.
  • Service Devel is used by development IAM instances.

The following data is managed per service (list not exhaustive):

  • Airlock 2FA user accounts.
  • All Airlock 2FA tokens of the user accounts. Note that the Airlock 2FA app may contain multiple Airlock 2FA tokens of different services.
  • Service name and icon.
  • Service features like automatic account recovery, user verification, and transaction approval log.
  • Service ID and API keys (used by Airlock IAM to access the service).

Service account credentials

To be able to use a service, Airlock IAM needs service account credentials. They consist of a service ID and two API keys, as shown in the following example. All three credentials are required to configure Airlock IAM for Airlock 2FA.

Example service account credentials:

  • Service ID: 4e076f4c-e1f3-11ea-87d0-0242ac130003
  • Auth API Key: B8aaLuXqdOKo/mpovXp50FRr8oDl2vCAVhOxn+d42Cc=
  • Admin API Key: WIIIVi47Jp3LTU2/ylRSajBfdU0+itPSLde2MSXoFCw=

Security considerations

The service account credentials are sufficient to access the Futurae API for the service. Anyone who holds the service account credentials can therefore perform critical actions such as the following (examples):

  • Lock or remove the Airlock 2FA tokens of all users of the service (denial of service).
  • Replace the Airlock 2FA tokens of all users of the service.
  • Put second-factor tokens into bypass mode (no authentication required).

Make sure that only legitimate individuals have access to the service credentials of productively used services.

Abuse of the service credentials may result in the compromise of the Airlock 2FA tokens of all users in the corresponding service.
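Two checks a practitioner typically wants around these credentials are a shape check before they are wired into an IAM configuration (so a truncated key or a key pasted twice is caught early) and a scan of logs, config dumps and tickets for keys that ended up in clear text. The following is an added example written for this page; it is not Airlock IAM or Futurae code. It assumes, from the example values above only, that the service ID is a UUID and that each API key is the base64 encoding of 32 random bytes (44 characters ending in one "="); the log excerpt it scans is constructed for the example.

```python
"""Shape checks and clear-text leak detection for Airlock 2FA service account
credentials.

Added example, not Airlock or Futurae code. Assumptions, inferred only from
the example credentials shown on this page:
  * the service ID is a UUID;
  * each API key is base64 of 32 random bytes (43 base64 chars plus one '=').
"""
import base64
import re
import uuid
from dataclasses import dataclass

# Constructed sample: the example credentials shown on this page.
SAMPLE_CREDENTIALS = {
    "service_id": "4e076f4c-e1f3-11ea-87d0-0242ac130003",
    "auth_api_key": "B8aaLuXqdOKo/mpovXp50FRr8oDl2vCAVhOxn+d42Cc=",
    "admin_api_key": "WIIIVi47Jp3LTU2/ylRSajBfdU0+itPSLde2MSXoFCw=",
}

API_KEY_BYTES = 32                              # assumption, see module docstring
API_KEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")  # base64 of exactly 32 bytes
# Same shape embedded in free text: must not be preceded or followed by more
# base64 characters, so a key is matched whole, not as a substring.
KEY_IN_TEXT_RE = re.compile(r"(?<![A-Za-z0-9+/])" + API_KEY_RE.pattern + r"(?![A-Za-z0-9+/=])")


@dataclass(frozen=True)
class ServiceCredentials:
    service_id: str
    auth_api_key: str
    admin_api_key: str


def validate_credentials(raw: dict) -> ServiceCredentials:
    """Syntax check of the three values before they go into an IAM config.
    Says nothing about whether Futurae will accept them."""
    for field in ("service_id", "auth_api_key", "admin_api_key"):
        if not raw.get(field):
            raise ValueError(f"{field} is missing")
    try:
        uuid.UUID(raw["service_id"])
    except ValueError:
        raise ValueError("service_id is not a UUID") from None
    for field in ("auth_api_key", "admin_api_key"):
        key = raw[field]
        if API_KEY_RE.fullmatch(key) is None:
            raise ValueError(f"{field} is not base64 of {API_KEY_BYTES} bytes")
        if len(base64.b64decode(key, validate=True)) != API_KEY_BYTES:
            raise ValueError(f"{field} does not decode to {API_KEY_BYTES} bytes")
    if raw["auth_api_key"] == raw["admin_api_key"]:
        # Usually a copy-paste mistake; the two keys are distinct credentials.
        raise ValueError("auth_api_key and admin_api_key must differ")
    return ServiceCredentials(raw["service_id"], raw["auth_api_key"], raw["admin_api_key"])


def redact(secret: str, keep: int = 4) -> str:
    """Form that is safe to put in logs and tickets: enough prefix to tell
    keys apart, nothing that lets anyone reconstruct the key."""
    return f"{secret[:keep]}...[{len(secret)} chars]"


def find_leaked_keys(text: str, creds: ServiceCredentials) -> list[tuple[int, str]]:
    """Scan text (log output, a config dump, a support ticket) for API keys in
    clear. Returns (line_number, description) pairs; the description carries
    only the redacted form, so the scan result itself is safe to share."""
    known = {creds.auth_api_key: "auth_api_key", creds.admin_api_key: "admin_api_key"}
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_IN_TEXT_RE.finditer(line):
            label = known.get(match.group(0), "unknown key-shaped value")
            findings.append((line_no, f"{label} {redact(match.group(0))}"))
    return findings


# Constructed log excerpt (not real Airlock IAM output) with the admin key
# pasted in clear on the second line.
SAMPLE_LOG = """\
INFO  airlock-2fa: service 4e076f4c-e1f3-11ea-87d0-0242ac130003 configured
DEBUG futurae-client: admin request, key=WIIIVi47Jp3LTU2/ylRSajBfdU0+itPSLde2MSXoFCw=
INFO  airlock-2fa: token enrolled for user alice
"""

if __name__ == "__main__":
    creds = validate_credentials(SAMPLE_CREDENTIALS)
    for line_no, what in find_leaked_keys(SAMPLE_LOG, creds):
        print(f"line {line_no}: {what}")
```

The service ID is not treated as a secret by the scanner: on its own it does not grant API access, and it is legitimately quoted in logs and tickets. The two API keys are the part that must never appear outside the IAM configuration and the secret store that feeds it.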