Online QR code authentication

This article explains on a conceptual level how Airlock 2FA Online QR Code authentication works. It also provides important detailed information for correct use and configuration.

Goal

Understand Online QR code authentication in general.
Understand the interaction between involved components.
Learn details about the prerequisites and limitations of Online QR codes.

All following procedures are exemplary and will vary according to your setup or needs.

Initial thoughts

Online QR Code authentication combines great user experience with high security. It displays a QR code, which is scanned with the authenticator app. After asking the end-user to accept or decline the authentication attempt, the user is automatically logged in and the user does not have to enter a one-time code or alike.

This step may be combined with additional fingerprint scanning, face recognition, or a PIN, depending on the capabilities and setup of the smartphone and the used authenticator app.

Airlock 2FA also supports other types of authentication. Please inform yourself about the authentication capabilities and compare them with respect to your requirements. For further information, see Authentication factors.

Prerequisites

User account exists in IAM.

The user has Airlock 2FA enabled as a possible authentication method.

Online QR code login is enabled in the Airlock 2FA configuration.

The user has installed the Airlock 2FA app on the smartphone.

The user's smartphone is connected to the internet and is able to connect to the Futurae cloud.

Online QR code authentication flow

The following flow chart shows how online QR code authentication works in general:

(1)	The user is identified by IAM (e.g. by entering username and password in the browser).
(2)	IAM starts an authentication session with the Futurae cloud and retrieves a QR code challenge. Note that no device needs to be selected by the end user.
(3)	Optionally, the Futurae cloud may send a push message to all devices of the user in order to open the app on the mobile phone. Note that this is a feature of the Futurae cloud and needs to be enabled in the Futurae service. It cannot be configured in Airlock IAM.
(4)	The end user scans the QR code with the Airlock 2FA app and is asked to approve (or deny) the authentication step. The smartphone must be unlocked. Depending on the smartphone's capabilities and setup and the used app this may involve a PIN, fingerprint, or face recognition. In this step, the user may alternatively change to an offline authentication factor (Offline QR code or passcode) if enabled in the configuration.
(5)	The Airlock 2FA app sends the user's decision (approval, denial) to the Futurae cloud. The Futurae cloud receives this authentication result and forwards it to Airlock IAM.
(6)	IAM automatically redirects the user's browser to the intended target application or service.

Further information and links

Internal links:
This Airlock 2FA factor may also be used for transaction approval and to verify user self-services.
Airlock 2FA QR code login - REST flow example