This article explains how to configure the cooldown period.
You need to configure the following elements:
- The cooldown period itself. If a cooldown period is configured, all steps involving end-user authentication or action approval with the Airlock 2FA device respect this cooldown period by default. In this case, a newly enrolled 2FA device cannot be used for authentication or for transaction approval during the specified period. (In setups without a specified cooldown period, newly enrolled 2FA devices are active directly after registration, as usual.)
- If required, it is possible to exclude specific low-risk steps from the cooldown period. The end-user will then be able to perform these steps during the cooldown period with the new device. For example, you may want to allow approval of low-value transactions or authentication to unexposed low-risk applications. Excluding a step from the cooldown period can be done directly on the corresponding Step plugin.
Be careful when excluding steps from the cooldown period. In particular, transactions concerning sensitive data or higher amounts of money should not be possible during the cooldown period if you want the measure to be effective and useful.