The Airlock 2FA app is an integral part of the Airlock 2FA solution and is available for iOS and Android in the corresponding app stores.
App features
The table below gives an overview of the features available for the Airlock 2FA app. For each feature, it indicates whether the feature is supported by the current Airlock 2FA app (short: A2FA app), by Airlock IAM, and by a white-label/customized 2FA app based on the Futurae SDK.
Feature | Feature description | Support state: Current A2FA app (Q4 2024) | Support state: 2FA app based on Futurae SDK | Support state: Airlock IAM
---|---|---|---|---
Enrollment (= the process of activating a new Airlock 2FA token and linking it to a user account) | | | | |
QR code | Enrollment by scanning a QR code, from either the browser or a hard-copy letter (activation letter). Currently, this is the default enrollment method. For more information, see Token enrollment. | ✓ | ✓ | ✓
URI-based | Enrollment by clicking on a link on the mobile phone (e.g., in an SMS message or a web page shown in the mobile browser). The link URI contains all information needed for enrollment and automatically opens the 2FA app. | ✓ | ✓ | ✓
Authentication | | | | |
One-Touch | A notification is pushed to the end-user's smartphone and signed with cryptographic key material stored in the phone's secure storage. The end-user confirms authentication by opening the A2FA app from the push notification and pressing the Approve button. | ✓ | ✓ | ✓
One-Touch with Push-to-All | If an end-user uses several A2FA devices, the feature pushes notification messages to all devices simultaneously. | ✓ | ✓ | ✓ (as of release 8.3)
One-Touch with multi-numbered challenge | End-users must not only approve the push message on their A2FA app but also choose the correct number from the list of numbers shown on the app screen. This feature helps protect against MFA fatigue attacks. For more information, see One-Touch with multi-numbered challenge. | ✓ | ✓ | ✓ (as of release 8.3)
Actionable Push Notification | End-users can approve login or transaction push notifications even when their mobile device is locked. | ✓ | ✓ | ✓
Encrypted Push Notifications | Push notifications typically do not contain transaction information, except for actionable push notifications (see above). This feature encrypts the notification payload with a device key. | --- | ✓ | n/a
Online QR code | End-users first scan a QR code with the A2FA app. The app will then ask the user to approve (or cancel) the authentication attempt. Upon approval, the end-user is automatically logged in. This process requires a 2FA device that is online. | ✓ | ✓ | ✓ (as of release 8.2)
Push to open app for QR-Code Online | Sends a special push message to the 2FA device to directly open the QR code scanner. | ✓ | ✓ | ✓ (as of release 8.3)
Usernameless QR code | Works like the online QR code, but without the need for end-users to enter (and remember) their user ID. | ✓ | ✓ | ✓ (as of release 8.2)
Offline QR code | End-users first scan a QR code with the A2FA app. The app will then ask the user to approve (or cancel) the authentication attempt. Upon approval, the app shows the end-user a verification code, which the end-user can enter manually in the application login page in the browser. Thus, end-users can log in to an application even when the 2FA device is offline. The Offline QR code feature is also supported by the A2FA hardware tokens. | ✓ | ✓ | ✓
Passcode | Passcode authentication is based on time-based OTPs (one-time passcodes) that are generated every 30 seconds and displayed in the A2FA app. The end-user must enter the passcode in the application login page in the browser. Passcode authentication works completely offline. Authentication with a time-based one-time passcode is also supported by the A2FA hardware tokens. | ✓ | ✓ | ✓
Mobile-only | Refers to the A2FA authentication scheme where both the business application and the A2FA authentication functions run on the same smartphone. | ✓ | ✓ | ✓
TOTP (hardware token) | For more information on Airlock 2FA with hardware tokens, see Hardware tokens. | n/a | n/a | ✓
QR-code token (hardware token) | | n/a | n/a | ✓
Security features | | | | |
Payload encryption | Ensures that transaction data is encrypted when transmitted between Airlock IAM and the Futurae service. For more information, see Payload encryption. | ✓ | ✓ | ✓ (as of release 8.2)
Trusted session binding | Allows binding the action (enrollment or recovery) to an IAM flow and thus guarantees that the action can only be performed by a legitimate end-user. For more information, see Trusted session binding. | --- | ✓ | ✓ (as of release 8.3)
User Verification Setting Override | The user can enable an additional verification level, based on the lock mechanism of their 2FA device, directly in the A2FA app. | ✓ | ✓ | n/a
Verdict (Jailbreak / Root Detection); Blocking | Checks whether the A2FA app is rooted or jailbroken, and subsequently blocks the app (if enabled). | ✓ | ✓ | n/a
Account recovery | | | | |
Automatic Recovery | Allows end-users to automatically migrate their previously enrolled A2FA accounts to a new device. For more information, see Backup and recovery. | ✓ | ✓ | n/a
Adaptive Recovery | Evaluates the risk of a recovery request and decides whether to accept it, based on the end-user's contextual information. | ✓ | ✓ | n/a
Miscellaneous features | | | | |
User Self-Service: Delete User Account from App | Allows end-users to delete an account directly from the (A2FA) app by swiping the account entry in the app to the left. | ✓ | ✓ | n/a
Mobile Version Checking | Futurae maintains a blacklist of unallowed mobile device versions. If end-users use an unallowed version, they are asked to upgrade their device. | ✓ | ✓ | n/a
Mobile Version Blocking | Futurae maintains a blacklist of unallowed mobile device versions. If end-users use an unallowed version, they are forced to upgrade their device. | ✓ | ✓ | n/a
Bypass feature | If an end-user account is in bypass mode, all authentication and approval attempts coming from devices of this user are reported to be successful without any user interaction (i.e., they are bypassed). For more information, see Bypass feature. | n/a | n/a | ✓ (as of release 8.2)

Legend: ✓ = Supported; --- = Not supported; n/a = Not applicable.
Additional features
The Airlock 2FA app provides the following additional features:
- Support of multiple user accounts.
- Support of multiple applications or services.
- Display of the IAM username or any other context data (e.g., email address).
- Display of the application- or service-specific logo in the app.
- The smartphone needs to be unlocked to use the app. Optionally, an additional "unlock process" can be required during authentication (this can be configured in the service settings in the Futurae admin web application).
Note that the displayed context data elements are stored in the Futurae cloud, which presents a security risk.
Displaying and thus storing such information in the Futurae cloud is optional and can be disabled in the IAM configuration.
The unlock mechanism of the smartphone may involve a PIN, a fingerprint, face recognition, or the like. The lock mechanism is defined by the smartphone and not by the Airlock 2FA app.
If no locking mechanism is configured on the smartphone, the app may still be used. If you strictly require an "unlock process" when using Airlock 2FA, use either the Futurae app or a custom app.
Airlock 2FA App in the app stores
The following QR codes may be used to download the Airlock 2FA apps for iOS and Android devices.
Apple app store:
Google app store: