Use case

Usernameless QR code authentication

This article explains on a conceptual level how Airlock 2FA Usernameless QR Code authentication works. It also provides important detailed information for correct use and configuration.

Goal

  • Understand usernameless QR code authentication in general.
  • Understand the interaction between involved components.
  • Learn details about the prerequisites and limitations of the usernameless QR code feature.

All following procedures are exemplary and will vary according to your setup or needs.

Initial thoughts

Usernameless QR Code authentication provides a great user experience in that it does not require the user to enter (and remember) a user ID. Requiring the user to scan a QR code and approve the login on the mobile phone – normally involving biometrics – provides reasonable protection against 2FA fatigue.

Usernameless authentication may be combined with additional fingerprint scanning, face recognition, or a PIN, depending on the capabilities and setup of the smartphone and the used authenticator app.

Airlock 2FA also supports other types of authentication. Please review the available authentication capabilities and compare them against your requirements. For further information, see Authentication factors.

This Airlock 2FA factor may also be used for transaction approval and to verify user self-services.

Prerequisites

  • User account exists in IAM.
  • The user has Airlock 2FA enabled as a possible authentication method.
  • The authenticator app supports Usernameless QR code login.
  • The user has installed an authenticator app supporting usernameless QR code authentication.
  • The user's smartphone is connected to the internet and is able to connect to the Futurae cloud.

Note that the app used to authenticate needs to be able to handle usernameless QR code login.

The Airlock 2FA App will be updated to support the feature. The release is expected in summer 2024.

If using a custom or white label app, ensure the used Futurae SDK supports usernameless QR login.

Note that usernameless QR code login always involves displaying and scanning a QR code. Therefore, two devices - one displaying the QR code and one scanning the QR code - are required.

Usernameless QR code authentication flow

The following flow chart shows how usernameless QR code authentication works in general:

[Flow chart: Usernameless QR code authentication flow]

(1) The authentication process is started.

(2) IAM starts an authentication session with the Futurae cloud and retrieves a QR code challenge suitable for usernameless authentication. Note that the QR code is anonymous, i.e., it is not bound to a user account.

The QR code is displayed in the user's browser.

(3) The web browser starts polling for the user's authentication decision at the Futurae cloud.

Note that Airlock IAM may return a new QR code while polling. QR codes are refreshed for security reasons from time to time (depending on the configured timeout).

(4) The end user scans the QR code with the Airlock 2FA app (or another authenticator app) and is asked to approve (or deny) the authentication step.

The smartphone must be unlocked. Depending on the smartphone's capabilities and setup and on the app used, this may involve a PIN, fingerprint, or face recognition.

  • If the user has multiple accounts for accessing the service, the user must choose which account to log in with.

(5) Airlock IAM gets the confirmation of the successful login and the user's ID from the Futurae cloud.

(6) IAM automatically redirects the user's browser to the intended target application or service.

Optional goto target after a timeout

The QR code shown in the web browser is refreshed for security reasons from time to time. It is possible to configure an overall timeout by specifying the maximum number of QR code refreshes to display.

After the overall timeout, the browser can be redirected to another step by configuring an internal goto target. In this way, a message or an alternative way to authenticate can be shown to the user.

The internal goto target is not shown in the above diagram.
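The flow in steps (2) to (6), together with the QR code refresh and the goto target after the overall timeout, as an added Python simulation. It is not part of this article and is not Airlock or Futurae code: the classes CloudService, IAM and Challenge, the function app_scan, the dict-shaped poll responses and the values QR_LIFETIME, MAX_REFRESHES, TARGET_APP and GOTO_TARGET are all assumptions made for the illustration. A simulated clock (the `now` argument) replaces real time so that refresh and timeout behaviour is deterministic. Three points from the text are made visible: the QR payload is a random token that carries no user identity, the user ID reaches IAM only from the cloud after approval, and a QR code that has been refreshed can no longer be approved.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed configuration values; in practice they come from the IAM configuration.
QR_LIFETIME = 30                     # seconds one QR code stays valid
MAX_REFRESHES = 2                    # maximum number of QR code refreshes (overall timeout)
TARGET_APP = "/app"                  # target application after a successful login
GOTO_TARGET = "/login-alternatives"  # internal goto target after the overall timeout


@dataclass
class Challenge:                     # one anonymous challenge held by the cloud service
    session_id: str
    qr_payload: str                  # random token encoded in the QR code, no user identity
    expires_at: float
    state: str = "pending"           # pending | approved | denied | expired
    user_id: Optional[str] = None


class CloudService:                  # stand-in for the Futurae cloud
    def __init__(self) -> None:
        self._by_session, self._by_qr = {}, {}

    def create_challenge(self, now: float) -> Challenge:
        ch = Challenge(secrets.token_urlsafe(16), secrets.token_urlsafe(32), now + QR_LIFETIME)
        self._by_session[ch.session_id] = ch
        self._by_qr[ch.qr_payload] = ch
        return ch

    def status(self, session_id: str, now: float) -> Challenge:
        ch = self._by_session[session_id]
        if ch.state == "pending" and now >= ch.expires_at:
            ch.state = "expired"     # a code past its lifetime can no longer be approved
        return ch

    def decide(self, qr_payload: str, approve: bool, user_id: str, now: float) -> bool:
        """Decision sent by the app; the user is bound to the challenge only on approval."""
        ch = self._by_qr.get(qr_payload)
        if ch is None or self.status(ch.session_id, now).state != "pending":
            return False             # unknown, stale, or already decided code
        ch.state, ch.user_id = ("approved", user_id) if approve else ("denied", None)
        return True


class IAM:                           # stand-in for Airlock IAM; learns the user ID only from the cloud
    def __init__(self, cloud: CloudService) -> None:
        self.cloud = cloud
        self._attempts = {}          # login_id -> [session_id, refresh count]

    def start_login(self, now: float) -> tuple:
        """Step (2): open a cloud session; the browser gets a login id and the QR payload."""
        ch = self.cloud.create_challenge(now)
        login_id = secrets.token_urlsafe(16)
        self._attempts[login_id] = [ch.session_id, 0]
        return login_id, ch.qr_payload

    def poll(self, login_id: str, now: float) -> dict:
        """Steps (3), (5), (6): answer a browser poll; refresh the QR code or time out."""
        attempt = self._attempts[login_id]
        ch = self.cloud.status(attempt[0], now)
        if ch.state == "approved":
            return {"state": "success", "user_id": ch.user_id, "redirect": TARGET_APP}
        if ch.state == "denied":
            return {"state": "denied"}
        if ch.state == "expired":
            if attempt[1] >= MAX_REFRESHES:
                return {"state": "timeout", "redirect": GOTO_TARGET}
            new = self.cloud.create_challenge(now)   # fresh code; the old one stays invalid
            attempt[0], attempt[1] = new.session_id, attempt[1] + 1
            return {"state": "pending", "qr": new.qr_payload}
        return {"state": "pending", "qr": None}


def app_scan(cloud: CloudService, accounts: list, qr_payload: str, approve: bool,
             now: float, chosen: Optional[str] = None) -> bool:
    """Step (4), on the unlocked phone: pick an account if several exist, then approve or deny."""
    if len(accounts) > 1 and chosen is None:
        raise ValueError("several accounts registered: the user must choose one")
    user = accounts[0] if chosen is None else chosen
    if user not in accounts:
        raise ValueError("unknown account")
    return cloud.decide(qr_payload, approve, user, now)


def demo() -> dict:
    """A successful login, then a login that runs into the overall timeout."""
    cloud = CloudService()
    iam = IAM(cloud)
    login_id, qr = iam.start_login(now=0)
    iam.poll(login_id, now=5)                    # still pending, nobody has scanned yet
    app_scan(cloud, ["alice"], qr, approve=True, now=10)
    success = iam.poll(login_id, now=11)         # user ID came from the cloud, not the browser
    login_id, first_qr = iam.start_login(now=100)
    t = 100
    for _ in range(MAX_REFRESHES):               # each poll past the lifetime yields a new code
        t += QR_LIFETIME
        iam.poll(login_id, now=t)
    stale = app_scan(cloud, ["alice"], first_qr, approve=True, now=t)   # refreshed code is refused
    return {"success": success, "stale_accepted": stale,
            "timeout": iam.poll(login_id, now=t + QR_LIFETIME)}
```

Calling demo() returns the success response with the user ID for the first login and, for the second, shows that the original QR code is refused after it has been refreshed and that the poll after MAX_REFRESHES refreshes answers with the goto target instead of another code.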