Authentication methods in IAM

Airlock IAM supports many authentication methods that may be combined into authentication flows.

Airlock IAM also provides user self-services related to authentication methods, such as token migration and token self-management facilities, as well as token management features.

An authentication method can support one or multiple authentication factors.

Examples:

  • Authentication method mTAN supports OTP as the only factor.
  • Authentication method Airlock 2FA supports the following factors: Push, OTP, QR-Code, and challenge-response.

In general, strong authentication requires the combination of at least two different categories of authentication factors.

Factor categories:

  • Possession – something that a person proves to have. This could be a physical or virtual possession such as a hardware OTP token, a certificate USB stick, or a smartphone.
  • Knowledge – something that a person knows. This could be a username/password combination, the correct answer to a challenge, etc.
  • Inherent – some physical attribute that is associated with a person. This could be a fingerprint, iris scan or a voice sample, etc.

Methods | Factor(s) | Comment

  • Password
  • Usage
      • for weak authentication
      • as 1st factor in multi-factor authentication

  • Push (One-Touch)
  • OTP (Passcode)
  • QR-Code (with mobile app and hardware tokens)
  • Challenge-response (mobile-only)
  • Usage
      • 2nd factor
      • passwordless
      • transaction approval
      • approval step in self-services
  • Requirements
      • Smartphone or hardware token
      • Airlock 2FA app or custom app.
      • Airlock 2FA service subscription

  • OTP via SMS
  • Usage
      • 2nd factor
      • transaction approval
  • Requirements
      • SMS gateway supported by Airlock IAM (or custom plugin).
      • Users need a mobile phone or similar SMS receiver
  • Other information
      • Not allowed as 2nd factor for banks under PSD2 regulation.

  • Possession of the FIDO Authenticator
  • PIN, fingerprint, etc. depending on FIDO Authenticator
  • Supports Windows Hello and others
  • Usage
      • 2nd factor
      • Passwordless (FIDO2 only)
  • Requirements
      • Users need FIDO Authenticator hardware keys or FIDO-enabled mobile apps.

  • Push
  • QR-Code
  • Usage
      • 2nd factor
      • transaction approval
  • Requirements
      • Smartphone or hardware token
      • Cronto app or custom app
      • Cronto license

  • OTP
  • Usage
      • 2nd factor
  • Requirements
      • OATH compatible OTP generator (app or hardware device)
  • Other information
      • No self-service for registration

  • OTP
  • Usage
      • 2nd factor
  • Requirements
      • OneSpan OTP hardware devices
      • OneSpan license
  • Other information
      • Limited self-services

  • OTP
  • Usage
      • 2nd factor
  • Requirements
      • 3rd party authentication server with RADIUS server interface.
  • Other information
      • Typically used to check OTPs but challenge-response is also possible.
      • No self-services available.

  • OTP
  • Usage
      • 2nd factor
  • Requirements
      • RSA OTP hardware tokens
      • RSA server with RADIUS server interface
      • RSA license
  • Other information
      • No self-services available.

  • Challenge-response
  • Usage
      • 2nd factor
  • Requirements
      • Printed matrix card/TAN list (produced by Airlock IAM).