This article explains how to configure the cooldown period feature combined with the one-device policy (short: CPOD), where only one valid 2FA device per end-user is allowed. If an end-user who already has a valid 2FA device enrolls a second device, the "old" device is deleted. When this deletion happens depends on how strictly the rule is applied.
There are two implementations:
- Lenient: The end-user may keep using the "old" 2FA device until the newly enrolled 2FA device is out of the cooldown period and has been used for the first time.
- Strict: The end-user may only have one valid 2FA device at any time. Upon enrollment of a new 2FA device, the old 2FA device is deleted immediately.
See below for a graphical representation of the lenient implementation:
See below for a graphical representation of the strict implementation:
To implement this use case, first specify the general cooldown settings. Then, add an Airlock 2FA Delete Devices Step. This step deletes the old device so that there is only one valid 2FA device, namely the newly registered device. Where to add this step in the flow and which device(s) to delete depends on the implemented variant (strict or lenient).
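As an added illustration (not Airlock IAM code and not a configuration fragment), the following Python model plays both variants through for one end-user, showing when the delete step fires in each case. It assumes a newly enrolled device cannot authenticate while its cooldown is running, and that in the lenient variant at most one pending replacement device exists at a time.

```python
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    enrolled_at: float   # enrollment time in seconds
    used: bool = False   # True after the first successful authentication


class UserDevices:
    """2FA devices of one end-user under the CPOD rule (illustrative model)."""

    def __init__(self, variant: str, cooldown: float) -> None:
        if variant not in ("strict", "lenient"):
            raise ValueError(f"unknown variant: {variant}")
        self.variant = variant
        self.cooldown = cooldown          # cooldown period in seconds
        self.devices: list[Device] = []

    def enroll(self, name: str, now: float) -> list[str]:
        """Enroll a new device; return the names of devices deleted by the policy."""
        if self.variant == "strict":
            # Strict: the delete step runs right after enrollment, so the
            # new device is the only one left.
            deleted = [d.name for d in self.devices]
            self.devices = []
        else:
            # Lenient: the old, already-used device stays usable. A previously
            # enrolled but never-used device is replaced by this enrollment
            # (assumption: at most one pending replacement device at a time).
            deleted = [d.name for d in self.devices if not d.used]
            self.devices = [d for d in self.devices if d.used]
        self.devices.append(Device(name, now))
        return deleted

    def authenticate(self, name: str, now: float) -> bool:
        """Attempt 2FA with device `name`; return True on success."""
        dev = next((d for d in self.devices if d.name == name), None)
        if dev is None:
            return False                  # unknown or already deleted device
        if now - dev.enrolled_at < self.cooldown:
            return False                  # assumption: no use during cooldown
        if self.variant == "lenient" and not dev.used:
            # Lenient: the first use after the cooldown triggers the delete
            # step, which removes every other device of this end-user.
            self.devices = [dev]
        dev.used = True
        return True
```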