One-Touch authentication

This article explains on a conceptual level how Airlock 2FA One-Touch authentication works. It also provides important detail information for correct use and configuration.

Goal

Understand One-Touch authentication in general.
Understand the interaction between involved components.
Learn details about prerequisites and limitations of One-Touch.

All following procedures are exemplary and will vary according to your setup or needs.

Initial thoughts

One-Touch authentication combines usability with high security. It relies on pushing information to the user's smartphone and signing it using cryptographic key material stored in the mobile phone's secure storage.

The user confirms the authentication by opening the Airlock 2FA app from the push notification and then pressing the Approve button. This step may be combined with additional fingerprint scanning, face recognition, or a PIN, depending on the capabilities and setup of the smartphone.

Airlock 2FA also supports other types of authentication. Please inform yourself about the authentication capabilities and compare them with respect to your requirements. For further information, see Authentication factors.

Prerequisites

User account exists in IAM.

The user has Airlock 2FA enabled as a possible authentication method.

One-Touch is enabled in the Airlock 2FA configuration.

The user has installed the Airlock 2FA app on the smartphone.

The user's smartphone is connected to the internet and is able to connect to the Futurae cloud.

One-Touch authentication flow

The following flow chart shows how One-Touch authentication works in general:

(1)		The user is identified by IAM (e.g. by entering username and password in the browser).
		If multiple Airlock 2FA apps or hardware tokens have been activated for the user, a selection page is shown. Depending on the users selection, the user is later being guided to the next authentication step: i.e. from hardware token to offline QR code OR from One-Touch to Airlock 2FA app.
(2)		IAM initiates One-Touch by showing a corresponding page in the browser and starting the authentication on the Futurae cloud.
(3)		The Futurae cloud sends a push message to the Airlock 2FA app.
(4)		The Airlock 2FA app asks the user to approve (or deny) the authentication step. The smartphone must be unlocked. Depending on the smartphone capabilities and setup, this may involve a PIN, fingerprint or face recognition.
		In this step, the user may alternatively enter the displayed Passcode - a time-based OTP code (if enabled in the configuration).
(5)		The Airlock 2FA app sends the user's decision (approval, denial) to the Futurae cloud. The Futurae cloud receives this authentication result and forwards it to Airlock IAM.
(6)		IAM automatically redirects the user's browser to the intended target application or service.

Limitations

The following limitations apply when using One-Touch authentication:

Only Template 2.0 JSP templates are provided for Airlock 2FA.

Further information and links

This Airlock 2FA factor may also be used for transaction approval and to verify user self-services.