Airlock 2FA Settings plugin – global shared Airlock 2FA configuration

This article describes how to configure the Airlock 2FA Settings plugin. This plugin configures the central aspects of Airlock 2FA across various parts of Airlock IAM (authentication, self-services, administration, transaction approval, and so on).

  • The plugin specifies the following settings:
  • Connection to Futurae cloud.
  • How to encrypt data in the Airlock IAM database.
  • Several advanced settings like payload encryption and some feature toggles.

All other Airlock 2FA configuration options are configured directly in the Airlock 2FA steps or plugins.


  • An Airlock 2FA subscription is required.
  • An Airlock 2FA Service ID, an Auth API Key, and an Admin API Key are required. It will be obtained together with the subscription.

Configuration of the Airlock 2FA Settings plugin

  1. To configure the plugin, do the following:
  2. Go to:
  3. MAIN SETTINGS >> Authentication Settings >> Airlock 2FA Settings


    Any Airlock 2FA plugin and navigate to the Airlock 2FA Settings.

  4. Configure or connect the Airlock 2FA Database Repository.
  5. Configure or connect the Futurae Server plugin. This plugin specifies how to connect to the Futurae cloud and what service ID to use. The service ID and keys can be obtained from the Futurae admin console.
  6. Make sure to keep the API keys secret. It is recommended using the external secrets feature.

Payload encryption

The payload encryption feature uses a symmetric key to encrypt transaction data transferred between Airlock IAM and the Futurae service. It ensures that no intermediate component, such as a reverse proxy, can read transaction details.

  1. To enable the feature, do the following:
  2. Make sure the feature is enabled in the Futurae service. This may require an extended service subscription.
  3. Configure the symmetric encryption key in Airlock 2FA Settings >> Payload Encryption Key. The key can be obtained in the Futurae admin web application in the service settings under EXTRA INFO KEY.

Note that the used mobile app must support the payload encryption feature because transaction data is also encrypted when transferred from the Futurae service to the app.

Make sure the used SDK or white-label app supports the payload encryption feature.

Bypass feature

The Futurae admin console allows putting user accounts in bypass mode. All authentication and approval attempts for devices of such user accounts are bypassed, i.e., they are reported to be successful without any user interaction.

The feature must be explicitly allowed in the Airlock IAM configuration. For this, go to: Airlock 2FA Settings >> Allow Futurae Bypass Mode

Use this feature with great caution, as it disables Airlock 2FA checks and grants access without any user interaction to devices of accounts marked as bypass.

Because of the obvious and inherent risks, we recommend that this feature is only used to automate tests in non-production environments.