This article explains on a conceptual level how Airlock 2FA One-Touch authentication works. It also provides important details for correct use and configuration.
Goal
- Understand One-Touch authentication in general.
- Understand the interaction between involved components.
- Learn details about prerequisites and limitations of One-Touch.
All following procedures are exemplary and will vary according to your setup or needs.
Initial thoughts
One-Touch authentication combines usability with high security. It relies on pushing information to the user's smartphone and signing it using cryptographic key material stored in the mobile phone's secure storage.
The user confirms the authentication by opening the Airlock 2FA app from the push notification and then pressing the Approve button. This step may be combined with additional fingerprint scanning, face recognition, or a PIN, depending on the capabilities and setup of the smartphone.
Airlock 2FA also supports other types of authentication. Please review the available authentication capabilities and compare them with your requirements. For further information, see Authentication factors.
Prerequisites
- User account exists in IAM.
- The user has Airlock 2FA enabled as a possible authentication method.
- One-Touch is enabled in the Airlock 2FA configuration.
- The user has installed the Airlock 2FA app on the smartphone.
- The user's smartphone is connected to the internet and is able to connect to the Futurae cloud.
One-Touch authentication flow
The following flow chart shows how One-Touch authentication works in general:
(1) The user is identified by IAM (e.g. by entering username and password in the browser).
    If multiple Airlock 2FA apps or hardware tokens have been activated for the user, a selection page is shown. Depending on the user's selection, the user is later guided to the next authentication step, i.e. from hardware token to offline QR code, or from One-Touch to the Airlock 2FA app.
(2) IAM initiates One-Touch by showing a corresponding page in the browser and starting the authentication on the Futurae cloud.
(3) The Futurae cloud sends a push message to the Airlock 2FA app.
(4) The Airlock 2FA app asks the user to approve (or deny) the authentication step. The smartphone must be unlocked. Depending on the smartphone capabilities and setup, this may involve a PIN, fingerprint or face recognition.
(5) The Airlock 2FA app sends the user's decision (approval or denial) to the Futurae cloud. The Futurae cloud receives this authentication result and forwards it to Airlock IAM.
(6) IAM automatically redirects the user's browser to the intended target application or service.
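The six steps above as an added simulation, written for this article and not code from Airlock or Futurae: the push carries a session id and a nonce, the phone binds the user's decision to both and signs it with a per-device key (modelled here with HMAC-SHA256, an assumption, since the page does not describe the real signature scheme), and the cloud rejects altered, replayed or expired replies before IAM decides whether to redirect. Names such as PhoneModel, CloudModel and PUSH_TIMEOUT_S are constructed for the example.

```python
import hashlib
import hmac
import secrets

PUSH_TIMEOUT_S = 60  # assumed approval window; the page gives no value

class PhoneModel:  # stands in for the Airlock 2FA app
    def __init__(self):
        self.key = secrets.token_bytes(32)  # hypothetical per-device key in secure storage

    def decide(self, push, decision):
        # Bind the decision to this session and nonce before signing it.
        msg = f"{push['session']}|{push['nonce']}|{decision}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"session": push["session"], "decision": decision, "mac": mac}

class CloudModel:  # stands in for the Futurae cloud; HMAC is a modelling choice
    def __init__(self):
        self.device_keys = {}  # user -> key registered at app activation
        self.sessions = {}     # session id -> pending/decided state

    def enroll(self, user, phone):
        self.device_keys[user] = phone.key

    def start_auth(self, user, now):
        session, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[session] = {"user": user, "nonce": nonce,
                                  "expires": now + PUSH_TIMEOUT_S, "result": None}
        return {"session": session, "nonce": nonce}  # payload of the push (3)

    def receive(self, reply, now):
        s = self.sessions.get(reply["session"])
        if s is None or s["result"] is not None or now > s["expires"]:
            return False  # unknown session, replayed reply, or expired push
        msg = f"{reply['session']}|{s['nonce']}|{reply['decision']}".encode()
        expect = hmac.new(self.device_keys[s["user"]], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, reply["mac"]):
            return False  # decision altered in transit or signed with another key
        s["result"] = reply["decision"]
        return True

def one_touch_login(decision, tamper=False, delay=0):
    phone, cloud = PhoneModel(), CloudModel()
    cloud.enroll("alice", phone)             # app activation (prerequisite)
    push = cloud.start_auth("alice", now=0)  # (2) IAM starts auth, (3) cloud pushes
    reply = phone.decide(push, decision)     # (4) user approves or denies on the phone
    if tamper:
        reply["decision"] = "approve"        # forged on the wire; MAC no longer matches
    cloud.receive(reply, now=delay)          # (5) cloud verifies and records the result
    return "redirect" if cloud.sessions[push["session"]]["result"] == "approve" else "denied"  # (6)
```

Only a genuine, timely, unaltered approval leads to the redirect in step (6); a denial, a tampered reply or a reply after the window leaves the session unapproved.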
Further information and links
- Airlock 2FA One-Touch login - REST flow example
- This Airlock 2FA factor may also be used for transaction approval and to verify user self-services.