Airlock 2FA cooldown period feature

Customers increasingly have to deal with fraudulent theft of credentials. Typical methods are phishing, where cybercriminals try to trick individuals into providing their credentials through fake emails, websites, or messages that appear legitimate, and brute-force attacks, where automated tools guess passwords by systematically trying combinations until the correct one is found.

The cooldown period feature represents a measure to detect and protect against credential theft. It allows defining a cooldown period for newly enrolled Airlock 2FA devices. This gives customers time to verify that the new device was registered by a real and legitimate end-user, and not by a malicious third party attempting to access the end-user's account with stolen end-user credentials.

If required, it is possible to allow the use of new Airlock 2FA devices for specific low-risk operations during the cooldown period, such as low-value transaction approvals and authentication to unexposed applications.

Both the cooldown period itself and the allowed transactions are configurable. For more information on how to configure the cooldown period feature, see Configuring the cooldown period.

There is also a special use case, which combines the cooldown period feature with the one-device policy. In this use case, only one valid 2FA device per end-user is allowed. For more information on how to configure this special use case, see Cooldown period with one-device policy.

Event notifications on the cooldown period

IAM provides several Airlock 2FA notifications to inform the end-user about the events that occur during the cooldown period.

There are notifications about the following events:

  • Airlock 2FA Device Activated - This event's notification informs the end-user about the successful registration of the new 2FA device.
  • Airlock 2FA Device In Cooldown Used - This event's notification informs the end-user when they used a 2FA device that is currently in cooldown.
  • Airlock 2FA Device Deleted - This event's notification informs the end-user about the deletion of their "old" 2FA device. This notification is of relevance to the special use case, where the cooldown period feature is combined with the one-device policy.

The Airlock 2FA Authentication Data Map value provider

Besides notifying the end-user, it is also possible to inform the backend application about the cooldown status of the used Airlock 2FA device. This happens with the value provider Airlock 2FA Authentication Data Map during identity propagation. Based on the information provided by the value provider, the backend application may, e.g., block specific operations for the device in cooldown, but allow these operations for devices that are active and outside the cooldown period.

The following keys of the Airlock 2FA Authentication Data Map value provider are relevant for the cooldown period feature: a2fa-cooldown-auth-device, a2fa-cooldown-ends, and a2fa-cooldown-devices. They are described in the table below.

For an overview of all keys of the Airlock 2FA Authentication Data Map value provider plugin, see the corresponding plugin documentation in the Config Editor.

Key: a2fa-cooldown-auth-device
Description: Reports whether the Airlock 2FA device used for authentication is in cooldown.
Values:
  • cooldown: The device is in cooldown.
  • active: The device is out of the cooldown period and fully active.

Key: a2fa-cooldown-ends
Description: Delivers the point in time when the cooldown period will end for the Airlock 2FA token used for authentication. If this token is out of the cooldown period and active, the key is not supplied.
Example values:
  • 2011-12-03T10:15:30.000+01:00
  • 2018-02-06T15:58:53.661Z

Key: a2fa-cooldown-devices
Description: Informs about the cooldown status of the Airlock 2FA tokens of the end-user.
Values:
  • has_active: There is at least one Airlock 2FA token that is active and not in cooldown.
  • all_cooldown: All available Airlock 2FA tokens are in cooldown.
  • none: There are no Airlock 2FA tokens at all.

It is possible to add the cooldown information provided by the Airlock 2FA Authentication Data Map value provider to the event notifications described previously. You achieve this by adding the Airlock 2FA Authentication Data Map value provider to the list of Value Map Providers of the relevant event subscriber.

Configuring identity propagation with the Airlock 2FA Authentication Data Map value provider

The Airlock 2FA Authentication Data Map value provider can be configured in several locations within the Config Editor. One important way in this context is in combination with the Identity Propagation plugin. This plugin is used to provide information about an authenticated end-user to the backend application.

To provide cooldown information to the backend application with the Identity Propagation plugin, proceed as follows:

  1. Go to Loginapp >> Applications and Authentication >> <your application>.
  2. In property Identity Propagation, create and edit a Generic ID Propagator plugin.
  3. In property Ticket String Provider of the Generic ID Propagator plugin, create and edit a Ticket String Provider plugin. Based on a list of value providers, this plugin creates a structured ticket (basically a list of key-value pairs) and encodes it in a JWT. To provide cooldown information, do the following:
    1. Add the Airlock 2FA Authentication Data Map plugin to the Value Providers list of the Ticket String Provider plugin.
    2. In the Key-Value Pairs list, create and edit one Ticket Key Value plugin for each of the above listed keys of the Airlock 2FA Authentication Data Map plugin (a2fa-cooldown-auth-device, a2fa-cooldown-ends, and a2fa-cooldown-devices).
  4. To configure all other settings of the Generic ID Propagator, see The Generic ID Propagator plugin.
  5. Activate your configuration.

You have now configured an identity propagator that provides the backend application with information about the cooldown status of the used Airlock 2FA device.
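The backend side of this propagation, as an added example that is not part of the Airlock documentation or product: a small Python policy that reads the three cooldown keys described above from the JWT ticket and blocks high-risk operations for a device that is still in cooldown, while permitting the low-risk operations the feature allows. It assumes that the Ticket Key Value plugins were configured with claim names identical to the value-provider keys, that the ticket's signature has already been verified by the backend's own JWT library (not shown), and that the operation names and sample claims are constructed for this example.

```python
"""Backend enforcement of the Airlock 2FA cooldown status (hypothetical example).

The backend receives the JWT ticket built by the Ticket String Provider,
verifies it with its own JWT library (not shown here), and then applies a
per-operation policy to the three cooldown keys carried in the claims.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Mapping, Optional, Tuple

# Operation names are constructed for this example; the documentation only
# mentions "low-value transaction approvals" as an allowed low-risk operation.
LOW_RISK_OPERATIONS = frozenset({"view_balance", "approve_low_value_transaction"})

# Documented value sets of the two enumerated keys.
AUTH_DEVICE_VALUES = frozenset({"cooldown", "active"})
DEVICES_VALUES = frozenset({"has_active", "all_cooldown", "none"})

# Constructed sample claims, shaped like the verified payload of the ticket.
SAMPLE_COOLDOWN_CLAIMS = {
    "sub": "alice",                                   # constructed subject
    "a2fa-cooldown-auth-device": "cooldown",
    "a2fa-cooldown-ends": "2018-02-06T15:58:53.661Z",  # example value from the docs
    "a2fa-cooldown-devices": "all_cooldown",
}
SAMPLE_ACTIVE_CLAIMS = {
    "sub": "bob",
    "a2fa-cooldown-auth-device": "active",            # a2fa-cooldown-ends is absent
    "a2fa-cooldown-devices": "has_active",
}


@dataclass(frozen=True)
class CooldownStatus:
    auth_device: str          # "cooldown" or "active"
    ends: Optional[datetime]  # None when the authenticating device is active
    devices: str              # "has_active", "all_cooldown" or "none"


def parse_cooldown_end(value: str) -> datetime:
    """Parse an a2fa-cooldown-ends timestamp into a timezone-aware datetime.

    Both documented shapes are accepted: a numeric offset
    ("2011-12-03T10:15:30.000+01:00") and a trailing "Z"
    ("2018-02-06T15:58:53.661Z"), which fromisoformat() in Python < 3.11
    does not understand, so it is rewritten to "+00:00" first.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("a2fa-cooldown-ends must carry a UTC offset")
    return parsed


def read_cooldown_status(claims: Mapping[str, str]) -> CooldownStatus:
    """Extract the cooldown keys from the verified ticket claims.

    Fails closed: a missing or unknown a2fa-cooldown-auth-device value raises
    instead of being silently treated as "active".
    """
    auth_device = claims.get("a2fa-cooldown-auth-device")
    if auth_device not in AUTH_DEVICE_VALUES:
        raise ValueError(f"unexpected a2fa-cooldown-auth-device: {auth_device!r}")
    devices = claims.get("a2fa-cooldown-devices")
    if devices not in DEVICES_VALUES:
        raise ValueError(f"unexpected a2fa-cooldown-devices: {devices!r}")
    ends_raw = claims.get("a2fa-cooldown-ends")
    ends = parse_cooldown_end(ends_raw) if ends_raw else None
    if auth_device == "cooldown" and ends is None:
        raise ValueError("device in cooldown but a2fa-cooldown-ends is missing")
    return CooldownStatus(auth_device, ends, devices)


def authorize(status: CooldownStatus, operation: str) -> Tuple[bool, str]:
    """Decide whether `operation` may proceed for the authenticating device.

    IAM is the authority on the cooldown state, so the decision is taken from
    a2fa-cooldown-auth-device; a2fa-cooldown-ends and a2fa-cooldown-devices
    only enrich the reason returned to the caller.
    """
    if status.auth_device == "active":
        return True, "device is outside the cooldown period"
    if operation in LOW_RISK_OPERATIONS:
        return True, "low-risk operation permitted for a device in cooldown"
    hint = ("another active device is available" if status.devices == "has_active"
            else "no active device is available")
    ends = status.ends.astimezone(timezone.utc).isoformat() if status.ends else "unknown"
    return False, f"operation blocked until cooldown ends at {ends} ({hint})"


if __name__ == "__main__":
    for claims in (SAMPLE_COOLDOWN_CLAIMS, SAMPLE_ACTIVE_CLAIMS):
        status = read_cooldown_status(claims)
        for op in ("view_balance", "approve_high_value_transaction"):
            allowed, reason = authorize(status, op)
            print(f"{claims['sub']:6} {op:32} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The policy deliberately keys the decision on a2fa-cooldown-auth-device rather than comparing a2fa-cooldown-ends with the local clock: the end time is useful for telling the end-user when the device becomes fully usable, but the authoritative state is what IAM reported at authentication time.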