Airlock 2FA / Futurae FAQ

End-user verification

This section provides an overview of the end-user verification setting in Futurae. It answers the question of where and how this setting affects everything. The setting can be configured in the Futurae admin console in the services' settings.

Q: How does the end-user verification setting work for the end user?

A: If enabled, a smartphone unlock action is required for the approval (login/transaction) on the smartphone.

  1. Example:
  2. Unlock the smartphone to be able to open the app. In the app, press the approve button.
  3. Without unlocking the smartphone in advance, a prompt to unlock appears automatically due to the user verification setting.

Q: What are the procedures for end-user verification?

A: The smartphone's unlock mechanism is used: PIN, FaceID, fingerprint, etc.

Q: What happens if no smartphone unlock is configured at all (no PIN required to use the smartphone)?

A: This depends on the app. The Airlock 2FA allows using the app even if no locking mechanism is configured on the smartphone. Other apps may handle this differently.

Q: What can be configured?

A: End-user verification is configurable per Futurae service, so it only affects the end-users of that specific service. The setting Allow User Verification Override may allow end users to override the service's setting and disable user verification for themselves in the app settings. However, this is not available in the Airlock 2FA app.

Q: In which apps is the user verification setting used?

A: The user verification feature is used in the Airlock 2FA app and Futurae white label apps. When using the Futurae SDK, the host app defines the logic to deal with end-user verification. Newer SDK versions may contain new features in terms of end-user verification.

Q: In which use cases is the user verification setting applied?

A: It is applied when using the following authentication types: One-Touch, Online QR-Code, Offline QR-Code, and mobile-only (if respected by the app using the SDK).

Q: Is end-user verification enforced on the server side?

A: No, this is not the case. The backend only stores the information on whether end-user verification is on or off. The app then ensures the expected behavior. The unlock mechanism triggered by the app is provided by the device OS.

Backup and recovery

This section provides information about end-user device backup and recovery in the Futurae account.

Q: Is it true that a device that has been deleted from the IAM user account can no longer be restored via cloud backup?

A: Yes, that's correct, only enrolled devices can be recovered. Once a device is unenrolled, it becomes ineligible for the recovery process. More details about Automatic Account Recovery can be found here in the Futurae knowledge base: Using Automatic Account Recovery.

Q: If an app is uninstalled and then reinstalled on the same device, the user will have two devices stored in the account. Can the device be automatically deleted from the Futurae account when uninstalling the app?

A: No, deletion triggered by an app uninstall is not possible. Neither Android nor iOS platforms provide a mechanism for app developers to know when the app is uninstalled.

Push Notifications

This section provides information about push notifications from the account to the end-users smartphone.

Q: Some push notifications may be approved (or declined) without opening the app (or on a smartwatch) while other notifications require the user to open the app. What is the reason for this?

  1. A: To approve (or decline) a push notification without opening the app, the following two requirements must be met:
  2. The end-user verification setting must be enabled on the Futurae service.
  3. The push message must not contain any extra info (e.g. login ID or transaction information). In other words: If the user needs to read and verify extra information to approve, the app must be opened to approve.

Q: What is the impact of acknowledging a push notification with the fraud button?

A: Fraud is a shortcut to deny the action and the statement that the end-user did not trigger the original action. The Airlock 2FA settings have the option to lock user on fraud.

Q: How long is a push notification valid? Is it possible to set the duration?

A: The push notification is valid for 60 seconds. Offline fallback options (Offline QR-code or Passcode) are also valid for 60 seconds. The validity duration cannot be changed in Airlock IAM.

Q: Is the amount of data for One-Touch limited as for offline QR code (130 bytes extra_info)?

A: No. The total amount of data is limited to 2000 bytes.

Device Name

This section provides information about automatic device naming. Setting a device name may help the end-user to choose the correct device when logging in or managing the devices.

Q: Which name is used for a device if the user does not set one when enrolling the device (or change it later using a self-service)?

A: The app uses the device model identifier which it forms with information from the smartphone (Android or iOS).

  • To be more specific:
  • Android: Android API Build fields brand and model.
  • iOS: The model name.

The above information is stored in the Futurae backend and it is not automatically updated when the information changes on the smartphone.