This article explains on a conceptual level how Airlock 2FA One-Touch authentication works. It also provides important details for correct use and configuration.
Goal
- Understand One-Touch authentication in general.
- Understand the interaction between involved components.
- Learn details about prerequisites and limitations of One-Touch.
All following procedures are exemplary and will vary according to your setup or needs.
Initial thoughts
One-Touch authentication combines excellent usability with high security. It relies on pushing information to the user's smartphone and signing it using cryptographic key material stored in the mobile phone's secure storage.
The user confirms the authentication by opening the Airlock 2FA app from the push notification and then pressing the Approve button. This step may be combined with additional fingerprint scanning, face recognition, or a PIN, depending on the capabilities and setup of the smartphone and the authenticator app.
Airlock 2FA also supports other types of authentication. Please inform yourself about the authentication capabilities and compare them with respect to your requirements. For further information, see Authentication factors.
Prerequisites
- User account exists in IAM.
- The user has Airlock 2FA enabled as a possible authentication method.
- One-Touch is enabled in the Airlock 2FA configuration.
- The user has installed the Airlock 2FA app on the smartphone.
- The user's smartphone is connected to the internet and is able to connect to the Futurae cloud.
One-Touch authentication flow
The following flow chart shows how One-Touch authentication works in general:
(1) The user is identified by IAM (e.g., by entering username and password in the browser).
    Note: If multiple Airlock 2FA apps or hardware tokens have been activated for the user, either a selection page is shown or all Airlock 2FA apps receive a push notification simultaneously. The latter happens when the Push-to-All setting is enabled.
(2) IAM initiates One-Touch by showing a corresponding page in the browser and starting the authentication on the Futurae cloud.
(3) The Futurae cloud sends a push message to the Airlock 2FA app.
(4) The Airlock 2FA app asks the user to approve (or deny) the authentication step. The smartphone must be unlocked. Depending on the smartphone's capabilities and setup, this may involve a PIN, fingerprint, or face recognition.
(5) The Airlock 2FA app sends the user's decision (approval, denial) to the Futurae cloud. The Futurae cloud receives this authentication result and forwards it to Airlock IAM.
(6) IAM automatically redirects the user's browser to the intended target application or service.
Login ID
The One-Touch login ID is an additional authentication element of the One-Touch authentication factor. The login ID is a random ID generated during the One-Touch authentication procedure. The ID is shown to the authenticating user both on the application login page and on the Airlock 2FA app screen (see the next screenshot). This allows the user to verify that the push message in the app corresponds with their login session to the application.
This feature is enabled by default.
One-Touch with multi-numbered challenge
To enhance the security of the One-Touch authentication, you can extend it with the multi-numbered challenge solution. In this case, the user must not only approve the push message on their Airlock 2FA app but also choose the correct number from the list of numbers shown on the app screen. The correct number is the one corresponding with the number shown on the application login page. See also the next screenshot:
Ensure that the SDK or white-label app supports the multi-numbered challenge feature. The Airlock 2FA app supports the feature as of version 1.4.2 (Android) / 1.3.0 (iOS). If you work with a custom or white-label app, the Futurae SDK version used must be 3.0 or higher.
Note that the feature requires an advanced Airlock 2FA subscription.
Why use the multi-numbered challenge feature?
The multi-numbered challenge feature helps protect against multi-factor authentication (MFA) fatigue attacks. This is a cyberattack where attackers possessing the victim's login credentials for an application repeatedly trigger authentication notifications to the victim’s second-factor device. The goal is to confuse and annoy the victim into approving at least one notification, thereby granting the attacker access to the victim's application account.
By adding a multi-numbered challenge step to the push-notification-based authentication, the user must actively select a number in the authenticator app. This prevents users from instinctively approving a push notification during an MFA fatigue attack.
The multi-numbered challenge feature replaces the login ID authentication element described previously. The login ID allows passive behavior: The user can still authenticate even if they do not check the ID. This is not possible with the multi-numbered challenge feature: Here, the user must select the correct number to complete the authentication successfully. This feature therefore provides a higher level of security.
Multi-numbered challenge-based authentication flow
The following flow chart shows how One-Touch authentication with multi-numbered challenge works. This flow equals the One-Touch authentication flow described earlier in this article, with a few additional steps. These additional steps are green in the flow chart below:
(1) The user is identified by IAM (e.g., by entering username and password in the browser).
    Note: If multiple Airlock 2FA apps or hardware tokens have been activated for the user, either a selection page is shown or all Airlock 2FA apps receive a push notification simultaneously. The latter happens when the Push-to-All setting is enabled.
(2) IAM starts the authentication process on the Futurae cloud.
(3) The Futurae cloud responds with a multi-numbered challenge value. IAM initiates the "One-Touch with multi-numbered challenge" process by showing a corresponding page in the browser. This page includes the value of the multi-numbered challenge returned by Futurae.
(4) The Futurae cloud sends a push message to the Airlock 2FA app.
(5) The Airlock 2FA app asks the user to approve (or deny) the authentication step.
(6) The Airlock 2FA app sends the user's decision (approval, denial) to the Futurae cloud.
(7) The Futurae cloud receives this authentication result. When the user approves this first step, Futurae sends a list of three numbers to the Airlock 2FA app.
(8) The Airlock 2FA app challenges the user to select the correct number. The correct number is the value shown on the login page in the browser.
(9) The Airlock 2FA app sends the user's selection to the Futurae cloud. If the user selects the correct number, the Futurae cloud informs Airlock IAM about the successful authentication.
(10) IAM automatically redirects the user's browser to the intended target application or service.
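The following added example models the server-side state of the two flows described above (plain One-Touch with the advisory login ID, and One-Touch with the multi-numbered challenge, steps 2 to 10) as a small state machine. It is illustrative code written for this article, not Airlock or Futurae code; the class and method names, the two-digit value range and the three-entry number list are assumptions chosen to mirror the description.

```python
import random
import secrets

NUMBER_CHOICES = 3  # the app shows a list of three numbers (article, step 7)


class OneTouchSession:
    """Hypothetical model of one One-Touch login; not Airlock/Futurae code."""

    def __init__(self, number_matching=True):
        self.number_matching = number_matching
        # Login ID: random value shown in the browser and in the app.
        # It is advisory only: nothing below ever checks it.
        self.login_id = secrets.token_hex(3)
        # Challenge value shown on the browser login page (step 3).
        self.challenge = secrets.randbelow(90) + 10 if number_matching else None
        self.choices = None
        self.state = "push_sent"

    def app_decision(self, approved):
        """Steps 5-7: the app reports the user's approve/deny decision."""
        if self.state != "push_sent":
            raise RuntimeError("decision already recorded for this session")
        if not approved:
            self.state = "denied"
            return False
        if not self.number_matching:
            # Plain One-Touch: a single approval completes the login.
            self.state = "authenticated"
            return True
        # Number matching: approval only leads to the number challenge.
        decoys = set()
        while len(decoys) < NUMBER_CHOICES - 1:
            n = secrets.randbelow(90) + 10
            if n != self.challenge:
                decoys.add(n)
        self.choices = [self.challenge, *decoys]
        random.SystemRandom().shuffle(self.choices)
        self.state = "awaiting_number"
        return True

    def app_number_selected(self, number):
        """Steps 8-9: the selected number must equal the browser value."""
        if self.state != "awaiting_number":
            raise RuntimeError("no number challenge outstanding")
        self.state = "authenticated" if number == self.challenge else "failed"
        return self.state == "authenticated"
```

A blind approval that ignores the browser therefore completes the plain flow but only reaches the `awaiting_number` state in the number-matching flow, where one wrong pick ends the session.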
Configuring One-Touch authentication with multi-numbered challenge
The multi-numbered challenge feature is provided by Futurae. If you want to extend the One-Touch authentication with the multi-numbered challenge solution, contact the Airlock staff (order@airlock.com). They will then initiate the corresponding process at Futurae.
Additionally, disable the login ID property (for a description of this property, see further above). Otherwise, the login ID will still be visible in the Airlock 2FA app. On the browser login page, however, only the multi-numbered challenge value is shown. This may confuse the user and impact usability.
To disable the login ID property, proceed as follows:
- The login ID property is a feature of the Airlock 2FA Authentication Step. To disable the property, open the Airlock 2FA Authentication Step plugin dialog. For this, go to
  Loginapp >> Applications and Authentication >> <the relevant application> >> Authentication Flow >> Steps
  and navigate to the Airlock 2FA Authentication Step plugin. Where the Airlock 2FA Authentication Step is located in the flow depends on the configuration of your authentication flow.
- In the Airlock 2FA Authentication Step plugin dialog, disable the Generate One-Touch Login ID property (which is enabled by default).
- Activate your configuration.
- You have now disabled the login ID property. The login ID is no longer generated when a user authenticates using One-Touch on the Airlock 2FA app.
Further information and links
- Internal links:
- Airlock 2FA One-Touch login - REST flow example
- This Airlock 2FA factor may also be used for transaction approval (requires an advanced license) and to verify user self-services.