Airlock 2FA token management configuration

This page explains how to configure Airlock 2FA in order to manage Airlock 2FA tokens and to generate and use activation and hardware token shipment letters.

Both activation and hardware token shipment letter generation are part of the Airlock 2FA token controller in the user administration (Adminapp). There is no batch generation in the service container.

Airlock 2FA token management and activation letters

The Airlock 2FA Token Controller configuration specifies how Airlock 2FA tokens are managed.

The activation letter generation is also configured in the token controller: It defines, how letters are generated (e.g. using Word templates), where they are stored and how long activation letters are valid.

As the Renderer plugin, Airlock IAM provides the Word to PDF Renderer: it takes Word templates as input and creates PDF files. Example Word template files are provided with Airlock IAM.


  • A basic IAM configuration for the administration of users (Adminapp) must exist.
  • The basic Airlock 2FA settings exist.


  1. Go to:
  2. Adminapp >> Users >> Authentication Tokens >> Airlock 2FA Token Controller (create if necessary)

  3. Connect the Airlock 2FA Settings if necessary.
  4. Configure the Activation Letter settings to enable printing activation letters to enroll smartphone apps. Select the appropriate plugin for either immediate printing (direct) or to use a Service Container task (batch).
    • Airlock 2FA Device Activation Letter (Direct) will directly create the letter and store it in the configured Output Directory.
    • Airlock 2FA Device Activation Letter Order (Batch) will order the letter. A corresponding task in the Service Container is required for generating the ordered letters.
  5. Configure the Shipment Letter settings to enable printing hardware token shipment letters.
  6. If required, allow assigning hardware tokens to multiple users, check the configuration option Share Hardware Tokens Among Users.
  7. Review or adapt access control settings in the IAM Adminapp.
    Go to: Adminapp >> Access Control (section Authentication Token Management)
  8. Activate the configuration.
  9. Activation letters can now be generated in the Adminapp.

How to verify

  • Log into the IAM Adminapp as an administrator with corresponding access rights.
  • Create a new user or use an existing one.
  • If the user does not have the tab Airlock 2FA: Open the Authentication Methods tab and add Airlock 2FA as the new authentication method.
  • Open the Airlock 2FA tab.
  • Press the Create activation letter button (if configured above) and open the generated PDF file.
  • Install the Airlock 2FA app and scan the QR code.
  • In the Adminapp's Airlock 2FA tab of the user, you should now see the activated app.