Transaction with Airlock 2FA
20.1.7. Transaction approval with Airlock 2FA

The following example illustrates the transaction approval of an e-banking system that uses Airlock IAM for authentication and transaction approval with Airlock 2FA.

The offline QR code and the mobile-only variants are not shown in this example.

Flow diagram

Airlock2FA-TransactionApproval
(1)
  • User authentication and identity propagation:
  • The user authenticates with Airlock 2FA.
  • The AuthTokenID is sent to the e-banking application as part of the identity propagation.
  • The e-banking application stores the AuthTokenID in its session. It is used to select the appropriate Airlock 2FA token during transaction approval.
(2)
  • Transaction approval decision:
  • The user interacts with the e-banking application and starts a transaction (e.g. enters a payment).
  • The e-banking application decides that approval is necessary for the transaction and thus starts the transaction approval process.
(3)
  • User identifying step:
  • The e-banking application calls the Airlock IAM transaction approval REST API and identifies the end-user.
  • If the user is valid and not locked, Airlock IAM asks the e-banking application to provide transaction data to be verified.
(4)
  • Parameter Step:
  • The e-banking application sends transaction data to Airlock IAM. It also sends the AuthTokenID (optional).
  • If no AuthTokenID is sent, Airlock IAM will ask the e-banking application to select one of several available Airlock 2FA tokens (not shown in the diagram).
  • IAM verifies the transaction data and asks the e-banking application to poll for the result.
(5)
  • Approval step:
  • Airlock IAM formats the transaction data using the configured message provider.
  • Airlock IAM sends the transaction data via the Futurae cloud to the user's smartphone (Airlock 2FA app).
  • The e-banking application starts polling for the result.
  • The user verifies the transaction data on the smartphone and presses the Approve button.
  • Airlock IAM gets the result from the Futurae cloud and returns the OK to the e-banking application.
During step (5), the e-banking application may choose to show a QR code and accept an OTP code entered by the user (offline scenario). For simplicity, this is not shown in the diagram.

Configuration

The configuration is the same as in mTAN example except that the last step is an Airlock 2FA step:

TransactionApprovalConigScreenshot

REST call sequence

The following REST call sequence shows how to use the transaction approval API from a REST client's point of view.

For simplicity, in this example:

  • authentication information (e.g. Basic Auth header) and other HTTP headers are not shown.
  • the user's Airlock 2FA app is online and therefore capable to do One-Touch.

Step 1 - HTTP Request - User identifying step (Step 3 in above diagram)

copy
POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/user/identify/
{
    "username" : "jdoe"
}

Step 1 - HTTP Response - User identifying step (Step 3 in above diagram)

copy
HTTP/1.1 200 OK

{
    "meta": {
        "type": "jsonapi.metadata.document",
        "timestamp": "2020-03-17T11:05:12.408+01:00"
    },
    "data": {
        "type": "transaction-approval.session",
        "id": "121849797510425576",
        "attributes": {
            "nextStep": "PARAMETERS_REQUIRED"
        }
    }
}

Step 2 - HTTP Request - Send transaction details (Step 4 in above diagram)

copy
POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/parameters/
{
    "authTokenId" : "123456abcdef", 
    "messageParameters" : 
    {
    	"accountNumber" : "0123456",
    	"amount" : "9999",
    	"currency" : "CHF"
    }
}

Step 2 - HTTP Response - Send transaction details (Step 4 in above diagram)

copy
HTTP/1.1 200 OK

{
    "meta": {
        "type": "jsonapi.metadata.document",
        "timestamp": "2020-03-17T11:05:15.185+01:00"
    },
    "data": {
        "type": "transaction-approval.session",
        "id": "121849797510425576",
        "attributes": {
            "nextStep": "AIRLOCK_2FA_POLLING_OR_OTP_REQUIRED"
        }
    }
}

Start polling for the result:

Step 3 - HTTP Request - Polling in approval step (Step 5 in above diagram)

copy
POST https://internal-iam-host.com/auth-transaction-approval/rest/transaction-approval/airlock-2fa/status/poll/

Step 3 - HTTP Response - Polling in approval step (Step 5 in the above diagram)

copy
HTTP/1.1 200 OK

{
    "meta": {
        "type": "jsonapi.metadata.document",
        "timestamp": "2020-03-17T11:05:19.251+01:00"
    },
    "data": {
        "type": "transaction-approval.session",
        "id": "121849797510425576",
        "attributes": {
            "nextStep": "AIRLOCK_2FA_POLLING_OR_OTP_REQUIRED"
        }
    }
}

Keep polling until approved or denied.