Cooldown period with one-device policy

This article explains how to configure the cooldown period feature combined with the one-device policy (short: CPOD), where only one valid 2FA device per end-user is allowed. If an end-user with a valid 2FA device enrolls a second device, the "old" device is deleted. When this deletion happens depends on how strict the rule is.

There are two implementations:

  • Lenient: In this case, the end-user may use the "old" 2FA device until the newly enrolled 2FA device is out of the cooldown period and used for the first time.
  • Strict: Here, the end-user may only have one valid 2FA device at any time. Upon enrollment of a new 2FA device, the old 2FA device is deleted.

See below for a graphical representation of the lenient implementation:

[Figure: Airlock2FA-cooldownperiod_onetouch-lenient]

See below for a graphical representation of the strict implementation:

[Figure: Airlock2FA-cooldownperiod_onetouch-strict]

To implement this use case, first specify the general cooldown settings. Then, add an Airlock 2FA Delete Devices Step. This step deletes the old device so that there is only one valid 2FA device, namely the newly registered device. Where to add this step in the flow and which device(s) to delete depends on the implemented variant (strict or lenient).

Configuring CPOD - Lenient implementation

In the CPOD-lenient implementation, the end-user may still use the "old" 2FA device as long as the newly registered device is in cooldown. However, the old device is deleted the first time the user uses the new device after cooldown.

To implement this use case, add an Airlock 2FA Delete Devices Step before the Airlock 2FA authentication/approval step in each authentication/approval flow, that is, before the step where an end-user must either authenticate or approve with the Airlock 2FA app. Do this for all authentication/approval flows that contain at least one Airlock 2FA authentication/approval step.

The following overview relates the various authentication and approval flows available in IAM to the relevant Airlock 2FA authentication/approval steps; add the Airlock 2FA Delete Devices Step before each listed step.

Flow: Authentication flows with Airlock 2FA app
Steps:
  • Airlock 2FA Authentication Step
  • Airlock 2FA Mobile Only Authentication Step
  • Airlock 2FA Usernameless Authentication Step

Flow: Public self-service flows with Airlock 2FA app
Step: Airlock 2FA Public Self-Service Approval Step

Flow: Protected self-service flows with Airlock 2FA app
Step: Airlock 2FA Self-Service Approval Step

Flow: Transaction Approval flows with Airlock 2FA app
Step: Airlock 2FA Transaction Approval Step

Proceed as follows:

  1. First, configure the cooldown period, as described in Configuring the cooldown period.
  2. Then go to the relevant authentication/approval flow containing the Airlock 2FA authentication or approval step.
  3. In the Steps list, create an Airlock 2FA Delete Devices Step. It should come before the Airlock 2FA authentication/approval step.
  4. Edit the Airlock 2FA Delete Devices Step plugin as follows: in section Basic Settings, property Devices to Delete, select the All Devices Except Most Recently Registered option. Do not change the default settings (i.e., the Respect Cooldown Period property must remain enabled).
     This is why:
     • If the end-user uses the old device during the cooldown period, the system checks the end-user's 2FA devices in order to keep only the most recently registered device, which is the new one. However, because the new device is in cooldown and cooldown is respected, the system does not consider the new device for this check. From the system's point of view, the old device is still the most recently registered device, so it is not deleted.
     • As soon as the new device is out of cooldown and active, it is included in the system's check of end-user devices. Upon first use of the new 2FA device after cooldown, the system counts two active 2FA devices. It deletes the old one and keeps the new one, as this is the most recently registered device.
  5. Activate your configuration.

You have now configured a cooldown period combined with a one-device policy, in the lenient implementation.

Configuring CPOD - Strict implementation

In the CPOD-strict implementation, only one valid 2FA device is allowed per end-user at a time. This means that the "old" device is deleted as soon as the new 2FA device is enrolled/registered. To implement this use case, add an Airlock 2FA Delete Devices Step after the Airlock 2FA Activation Step. The activation step appears in all flows where a new Airlock 2FA device can be registered.

Proceed as follows:

  1. First, configure the cooldown period, as described in the general use case above.
  2. Then go to the relevant flow with the Airlock 2FA activation step.
  3. In the Steps list, create an Airlock 2FA Delete Devices Step. It should come after the Airlock 2FA Activation Step.
  4. Edit the Airlock 2FA Delete Devices Step plugin as follows: in section Basic Settings, property Devices to Delete, select the All Devices Except Most Recently Registered option, then edit the option as follows:
     • Disable the Respect Cooldown Period property.
     • Leave all other default settings as they are.
     This is why:
     • Upon registering a new 2FA device, the system checks all 2FA devices of the end-user in order to keep only the most recently registered device. Because cooldown is not respected, the system also considers the newly registered device for this check. As this device is the most recently registered one, the system deletes all other devices. As a consequence, the end-user now has just one valid device left, which is currently in cooldown.
  5. Activate your configuration.

You have now configured a cooldown period combined with a one-device policy, in the strict implementation.
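The following Python model is an added example and is not Airlock IAM code. It models the "All Devices Except Most Recently Registered" selection with the Respect Cooldown Period switch, using an assumed 24-hour cooldown and constructed device records, to show why the lenient variant (cooldown respected, delete step before the authentication step) keeps the old device until the new one is out of cooldown, while the strict variant (cooldown ignored, delete step after the activation step) removes the old device immediately.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed cooldown length; the real value comes from the cooldown period configuration.
COOLDOWN = timedelta(hours=24)


@dataclass(frozen=True)
class Device:
    """A registered 2FA device of one end-user (constructed record)."""
    device_id: str
    registered_at: datetime


def in_cooldown(device: Device, now: datetime) -> bool:
    """A device is in cooldown until COOLDOWN has elapsed since registration."""
    return now - device.registered_at < COOLDOWN


def devices_to_delete(devices: list[Device], now: datetime, respect_cooldown: bool) -> list[str]:
    """Model of 'All Devices Except Most Recently Registered'.

    With respect_cooldown=True, devices still in cooldown are not considered
    at all, so they are neither the 'most recent' candidate nor deletion
    candidates. With respect_cooldown=False every device is considered.
    Returns the ids of the devices the step would delete.
    """
    considered = [d for d in devices if not (respect_cooldown and in_cooldown(d, now))]
    if not considered:
        return []
    keep = max(considered, key=lambda d: d.registered_at)
    return [d.device_id for d in considered if d is not keep]


# Constructed scenario: an old device from 30 days ago and a new one enrolled at T0.
T0 = datetime(2024, 1, 1, 12, 0)
OLD = Device("old-device", T0 - timedelta(days=30))
NEW = Device("new-device", T0)


def lenient_flow() -> tuple[list[str], list[str]]:
    """Delete step runs before each authentication step, cooldown respected.

    First call: the user authenticates with the old device one hour after
    enrolling the new one (new device still in cooldown, so it is ignored).
    Second call: the user authenticates just after the cooldown has elapsed.
    """
    devices = [OLD, NEW]
    during = devices_to_delete(devices, T0 + timedelta(hours=1), respect_cooldown=True)
    after = devices_to_delete(devices, T0 + COOLDOWN + timedelta(minutes=1), respect_cooldown=True)
    return during, after


def strict_flow() -> list[str]:
    """Delete step runs right after the activation step, cooldown ignored."""
    return devices_to_delete([OLD, NEW], T0, respect_cooldown=False)


if __name__ == "__main__":
    print("lenient:", lenient_flow())   # ([], ['old-device'])
    print("strict:", strict_flow())     # ['old-device']
```

The lenient model deletes nothing while the new device is in cooldown, because the only considered device is the old one and it is therefore also the most recent; once the cooldown has elapsed, the same step deletes the old device on the next authentication. The strict model considers the new device immediately, so the old device is deleted during enrollment and the user is left with a single device that is still in cooldown.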