This article shows an example of how to manage users with respect to Airlock 2FA.
Goal
- Understand how Airlock 2FA can be enabled for a user.
- Understand how to manage Airlock 2FA tokens.
- Learn how to prepare a user for token migration to Airlock 2FA.
- Learn how to generate an activation letter for an Airlock 2FA user.
All following procedures are exemplary and will vary according to your setup or needs.
Initial thoughts
The following examples use the Airlock IAM Adminapp. A REST API for all administrative actions of the Airlock IAM Adminapp is available.
- All admin actions shown below are subject to access control.
- Review the access control configuration in the Adminapp.
- In the following, we assume that the administrator has all the necessary privileges.
Prerequisites
- The IAM Adminapp is configured, so users and authentication tokens can be managed.
- The Airlock 2FA Token Controller is configured in the IAM Adminapp.
- The administrator has enough privileges (roles) to perform all shown actions.
- All examples are given on an existing user account.
Prepare user for migration to Airlock 2FA
Ensure that token migration is enabled in the Adminapp configuration: Adminapp >> Users >> Show Migration Section.
The described procedure may also be done for multiple users at a time using the bulk change feature.
It can be enabled here: Adminapp >> Users >> Allow Bulk Changes.
- Open the Authentication Methods tab in the user details.
- Select Airlock 2FA in the Authentication Method Migration section.
- Optionally set a due date in the field Migrate until.
- Click the Save button.
- The user is now asked to migrate to Airlock 2FA at the next login.
Set Airlock 2FA as second factor
To manually set Airlock 2FA as the second factor, do the following.
Assumption: The selection of the second authentication factor is based on the assigned auth method.
- Open the Authentication Methods tab in the user details.
- If the user has no Airlock 2FA account yet (i.e., no Airlock 2FA tab is shown): in section Add New Authentication Method, select Airlock 2FA and click the Add button.
- In section Select Active Authentication Method, select Airlock 2FA and click the Save button.
- The user now has an Airlock 2FA account, as shown in the screenshot below. Whether the user is able to log in using Airlock 2FA depends on whether a token has been enrolled.
Airlock 2FA token management
The following screenshot shows the Airlock 2FA tab on the user detail page with account information and one enrolled token.
Possible actions:
- Section Airlock 2FA Account
  - Lock (or Unlock) an Airlock 2FA account: When locked, Airlock 2FA tokens can no longer be used for authentication or transaction approval.
  - Delete: This will remove Airlock 2FA including all devices. It will also remove the corresponding account in the Futurae cloud. This action cannot be undone.
- Section Airlock 2FA App (iOS/Android)
  - Delete: This will remove the corresponding token. The Airlock 2FA account remains, and the user can enroll new tokens. This action cannot be undone.
- Section Activation Letter
  - Delete: Deleting an activation letter removes the pending enrollment from the Futurae cloud and makes the QR code on the corresponding paper letter useless. This action is necessary if the activation letter is lost or stolen before the end user could enroll the Airlock 2FA app and activate their token. It prevents an unintended third party who found or stole the letter from illegally enrolling their device. This action cannot be undone.
  To delete an Airlock 2FA activation letter, the permission Delete Authentication Token is required. By default, this permission is available only to Adminapp administrators with the role tokenadmin or superadmin.
  To assign the permission to another Adminapp role, go to Adminapp >> Access Control, section Authentication Token Management. Be cautious about whom you grant this permission to: deleting a user token may have far-reaching consequences. For more information on assigning permissions to roles, see Access Control.
- Buttons
  - Create activation letter: Creates an activation letter and stores the generated PDF in the pre-configured directory (e.g., instances/auth/pdfs/).
  - Order activation letter (button not shown in the screenshot above): Allows ordering an activation letter, which is then generated by the corresponding service container task.
Limitations
- Modifying Airlock 2FA accounts directly in Futurae's management web application should be avoided, because data regarding activation letters is stored in the Airlock IAM database only and because Airlock IAM does not support all features that can be managed in the Futurae cloud.