Airlock 2FA configuration hints

This article provides background information and tips for Airlock 2FA configuration.

Connection to Futurae cloud (Futurae server)

Airlock 2FA is based on Futurae's authentication solution and connects to the Futurae cloud unless you have an on-premises installation of it. In both cases, the plugin Futurae Server defines how to connect to it and what service account to use.

  • The Service ID, Auth API Key, and Admin API Key are part of the service subscription.
  • The URLs and timeouts in the Advanced Settings sections do not have to be changed unless you are using a special setup.
  • The Trust and Keystore Settings may be used for enhanced security of the connection to the Futurae cloud. If no trust store is configured, the global web server trust store is used (application parameters).

    • It is essential that the authenticity of the Futurae cloud can be verified. It is therefore mandatory to use HTTPS instead of HTTP and that the configured trust store is limited to trustworthy issuers.

    The communication between Airlock IAM and the Futurae cloud includes digital signatures and timestamps. It is therefore essential that the clock of the Airlock IAM deployments are in synch with global time.

    If the Airlock IAM clock deviates from global time more than 60 seconds, requests are rejected by the Futurae cloud (401 Unauthorized response).

Failed logins counter threshold

The Futurae cloud counts failed authentication attempts. After a certain threshold of failed attempts, accounts will be locked. Because Airlock IAM also locks user accounts after a certain amount of failed login attempts, the lockout thresholds must be chosen with care.

  • Recommendation for lockout thresholds when using Airlock 2FA
  • Make sure the lockout threshold in IAM is smaller than the one in the Futurae cloud.
  • The maximum lockout threshold in the Futurae cloud is 40. Do not choose a higher value in IAM.

The default value for the maximum lockout threshold can be configured in the service settings of the Futurae cloud. The default value is automatically used for new users.

When creating a new Futurae service, a default of 15 is used. Make sure to increase this value if a larger lockout threshold is used in Airlock IAM.

To do so, open the Futurae admin console, select the service account's settings, open the Configuration tab, and set the value for USER DEFAULT MAX ATTEMPTS.