10.2.2.5. Transaction approval

The following flow diagram shows how transaction approval with Airlock 2FA works in general. The offline QR code and the mobile-only variants are not shown.

For more information, refer to the general transaction approval documentation.

Flow diagram: Airlock2FA-TransactionApproval (image not reproduced here; the numbered steps below follow the diagram)
(1) User authentication and identity propagation:
  • The user authenticates with Airlock 2FA.
  • The AuthTokenID is sent to the e-banking application as part of the identity propagation.
  • The e-banking application stores the AuthTokenID in its session. It is later used to select the appropriate Airlock 2FA token during transaction approval.
(2) Transaction approval decision:
  • The user interacts with the e-banking application and starts a transaction (e.g. enters a payment).
  • The e-banking application decides that the transaction requires approval and therefore starts the transaction approval process.
(3) User identifying step:
  • The e-banking application calls the Airlock IAM transaction approval REST API and identifies the end user.
  • If the user is valid and not locked, Airlock IAM asks the e-banking application to provide the transaction data to be verified.
(4) Parameter step:
  • The e-banking application sends the transaction data to Airlock IAM, optionally together with the AuthTokenID.
  • If no AuthTokenID is sent, Airlock IAM asks the e-banking application to select one of the user's available Airlock 2FA tokens (not shown in the diagram).
  • Airlock IAM verifies the transaction data and asks the e-banking application to poll for the result.
(5) Approval step:
  • Airlock IAM formats the transaction data using the configured message provider.
  • Airlock IAM sends the formatted transaction data via the Futurae cloud to the user's smartphone (Airlock 2FA app).
  • The e-banking application starts polling for the result.
  • The user verifies the transaction data on the smartphone and presses the Approve button.
  • Airlock IAM receives the result from the Futurae cloud and returns OK to the e-banking application.
During step (5), the e-banking application may choose to show a QR code and accept an OTP code entered by the user (offline scenario). For simplicity, this is not shown in the diagram.
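The following is an added simulation of steps (1) to (5), written for this page and not part of the Airlock IAM product or its REST API. It models both sides of the exchange: a stand-in for the Airlock IAM transaction-approval endpoint that enforces the step order (identify, parameters or token selection, poll), binds the formatted message to the user's own token, and an e-banking client that uses the AuthTokenID stored in its session at login. The method names, status strings, message format and the in-memory "phone inbox" that replaces the Futurae cloud and the Airlock 2FA app are all assumptions; the user, token and IBAN values are constructed sample data.

```python
"""Simulation of the Airlock 2FA transaction-approval flow (hypothetical API)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApprovalRequest:
    user: str
    state: str = "IDENTIFIED"          # IDENTIFIED -> SELECT_TOKEN -> PENDING -> DONE
    token_id: Optional[str] = None
    message: Optional[str] = None      # text the user sees on the smartphone
    result: Optional[str] = None       # "OK" or "DENIED" once the user has answered
    transaction: Optional[dict] = None


def format_message(tx: dict) -> str:
    """Stand-in for the configured message provider of step (5)."""
    return f"Pay {tx['amount']} {tx['currency']} to {tx['iban']}"


class SimulatedIam:
    """Hypothetical stand-in for the Airlock IAM transaction-approval REST API."""

    def __init__(self, users: dict, tokens: dict):
        self.users = users            # user -> {"locked": bool}
        self.tokens = tokens          # user -> AuthTokenIDs the user owns
        self.requests: dict = {}
        self.phone_inbox: dict = {}   # token_id -> (req_id, message); replaces Futurae cloud

    def identify(self, req_id: str, user: str) -> dict:
        """Step (3): only valid, unlocked users may start an approval."""
        info = self.users.get(user)
        if info is None or info["locked"]:
            return {"status": "REJECTED", "reason": "unknown or locked user"}
        self.requests[req_id] = ApprovalRequest(user=user)
        return {"status": "NEED_PARAMETERS"}

    def parameters(self, req_id: str, tx: dict, token_id: Optional[str] = None) -> dict:
        """Step (4): receive transaction data and the optional AuthTokenID."""
        req = self.requests.get(req_id)
        if req is None or req.state != "IDENTIFIED":
            return {"status": "REJECTED", "reason": "wrong step"}
        if not all(k in tx for k in ("amount", "currency", "iban")) or tx["amount"] <= 0:
            return {"status": "REJECTED", "reason": "invalid transaction data"}
        req.transaction = tx
        if token_id is None:                     # branch not shown in the diagram
            req.state = "SELECT_TOKEN"
            return {"status": "SELECT_TOKEN", "tokens": list(self.tokens[req.user])}
        return self._dispatch(req_id, req, token_id)

    def select_token(self, req_id: str, token_id: str) -> dict:
        req = self.requests.get(req_id)
        if req is None or req.state != "SELECT_TOKEN":
            return {"status": "REJECTED", "reason": "wrong step"}
        return self._dispatch(req_id, req, token_id)

    def _dispatch(self, req_id: str, req: ApprovalRequest, token_id: str) -> dict:
        """Step (5): IAM, not the app, builds the message and pushes it to the user's token."""
        if token_id not in self.tokens[req.user]:
            return {"status": "REJECTED", "reason": "token not owned by user"}
        req.token_id = token_id
        req.message = format_message(req.transaction)
        self.phone_inbox[token_id] = (req_id, req.message)
        req.state = "PENDING"
        return {"status": "POLL"}

    def poll(self, req_id: str) -> dict:
        req = self.requests[req_id]
        return {"status": "PENDING"} if req.state == "PENDING" else {"status": req.result}

    def phone_answer(self, token_id: str, approve: bool) -> Optional[str]:
        """Simulated relay of the user's Approve/Deny from the smartphone app."""
        entry = self.phone_inbox.pop(token_id, None)
        if entry is None:
            return None
        req_id, message = entry
        req = self.requests[req_id]
        req.result = "OK" if approve else "DENIED"
        req.state = "DONE"
        return message


def approve_transaction(iam: SimulatedIam, session: dict, req_id: str, tx: dict,
                        simulated_user=None, max_polls: int = 3) -> str:
    """E-banking side: identify, send parameters with the session's AuthTokenID
    from step (1), then poll. simulated_user(message) -> bool stands in for the
    asynchronous answer on the phone. Returns the final status string."""
    r = iam.identify(req_id, session["user"])
    if r["status"] != "NEED_PARAMETERS":
        return r["status"]
    token_id = session.get("auth_token_id")
    r = iam.parameters(req_id, tx, token_id)
    if r["status"] == "SELECT_TOKEN":
        token_id = r["tokens"][0]                # a real app would let the user choose
        r = iam.select_token(req_id, token_id)
    if r["status"] != "POLL":
        return r["status"]
    for _ in range(max_polls):
        r = iam.poll(req_id)
        if r["status"] != "PENDING":
            return r["status"]
        if simulated_user is not None:
            _, message = iam.phone_inbox[token_id]
            iam.phone_answer(token_id, simulated_user(message))
    return "TIMEOUT"
```

The point of the simulation is that the text the user approves is produced by IAM from data it has already verified, and only a token owned by the identified user can receive it, so a client that skips or reorders steps gets a rejection rather than an approval.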