This article explains on a conceptual level how Airlock 2FA Passcode authentication works. It also provides some detailed information on correct use and configuration.
Goal
- Understand Passcode authentication in general.
- Understand the interaction between involved components.
- Learn details about prerequisites and limitations of Passcode.
All following procedures are exemplary and will vary according to your setup or needs.
Initial thoughts
Authentication with passcode is intended as an offline alternative to its counterpart One-Touch. The latter two require the smartphone to be able to connect to the Futurae cloud whereas passcode authentication works completely offline.
Authentication with passcode is also possible with OTP hardware tokens.
Passcode authentication is based on time-based OTPs (one-time passwords) that are generated every 30 seconds. They are displayed in the Airlock 2FA app and must be manually entered by the user.
Time-based OTPs are not challenge-response based and offer therefore less security than One-Touch authentication. Disable passcode authentication in the Airlock 2FA configuration if it does not meet your security needs.
Prerequisites
- User account exists in IAM.
- The user has Airlock 2FA enabled as a possible authentication method.
- Passcode authentication is enabled in the Airlock 2FA configuration.
- The user has installed the Airlock 2FA app on the smartphone or has an appropriate Airlock 2FA hardware token.
Passcode authentication flow
The following flow chart shows the use of passcode as the main authentication factor, i.e. if all other Airlock 2FA factors are disabled in the configuration. This should be offered as an offline fall-back to One-Touch.
| (1) | The user is identified by IAM (e.g. by entering username and password in the browser). | |
If multiple Airlock 2FA apps or hardware tokens have been activated for the user, a selection page is shown. | ||
| (2) | IAM asks the user to enter a passcode. | |
| (3) | The user opens the Airlock 2FA app and types the passcode into the browser's input field. The smartphone must be unlocked - this may involve a PIN, fingerprint, or face recognition (depending on the smartphone's capabilities and setup). Alternatively, the user uses an OTP hardware token. | |
| (4) | IAM verifies the passcode with the Futurae cloud to complete authentication. | |
| (5) | IAM automatically redirects the user's browser to the intended target application or service. |
Limitations
The following limitations apply when using passcode authentication:
- Only Template 2.0 JSP templates are provided for Airlock 2FA.
- Note that passcodes from any app assigned to the user are accepted for login. There is no binding of the authentication process to a specific app instance.