Excellent usability is when the customer notices nothing.
Solutions for users.

Real security means security that is used actively. That's why Airlock delivers impressively high usability and outstandingly convenient operation thanks to a host of functions ranging from social logins and single sign-on to intuitive user self-services.

User self-services

According to a study by the Service Desk Institute, over 80% of businesses are already using self-services – for example, to block accounts, reset forgotten passwords or register new customers. This comes as no surprise, because the benefits are crystal clear.

Helpdesks are often full to capacity with simple repetitive tasks – especially if they have to deal with large numbers of users. That's why user self-services will ease the pressure on your support staff, as well as slashing costs and cutting down user waiting times. Another advantage: Airlock can also handle central authentication solutions in environments with higher security requirements.


  • Account registration
  • Confirmation of service agreements
  • Token registration
  • Token migration
  • Printing letters for registration and migration

Single sign-on and identity federation

Is there an easy way to integrate web applications with their own user masters into a web single sign-on infrastructure? Yes – Airlock Suite solves this problem too! Airlock allows employees to access in-company services, for example via the internet or from mobile devices. But that's not all: customers and partners can also enjoy unique access rights without a user account or password, or even via a Facebook account.

Here's how the technology works: with Airlock's flexible SSO solutions, user authentication is separated from identity propagation (see the illustration). The user authentication technology operates independently of the standards used to represent users to applications (identity propagation). This opens up a variety of potential access scenarios, and single sign-on is not merely limited to the internal IT infrastructure.

Airlock IAM supports the latest standards such as SAML 2.0, OAuth 2.0 and OpenID Connect, making genuine cross-domain single sign-on possible. The first step is to verify the user's identity and authorization. The methods used to do this vary depending on the user and point of entry. Internal users may already be known to the network because they have logged in at their workplace, so they can be authenticated implicitly with a Kerberos ticket. For access by external employees, an OTP token is often used in addition to the password, while business partners can identify themselves with a SAML assertion. The separation of authentication and identity propagation opens up the way to various combinations of user types, points of entry and target services (in cross-domain scenarios as well). Popular cloud applications such as Salesforce, Office 365 or Google Docs can be integrated seamlessly into your company's own SSO architecture thanks to standards such as SAML 2.0 or OpenID Connect.

The Airlock Application Portal is a flexible and easy to maintain portal application. Its purpose is to present all applications available to users through the Airlock WAF Web Application Firewall. The Application Portal can be configured to display only applications for which the authenticated user has access rights.


  • Single sign-on
  • Cross-domain SSO and identity federation
  • Cloud SSO (e.g., Salesforce, Office 365, Google Docs)
  • Airlock Web Application Portal

Social logins (BYOI)

Maximum security and maximum user comfort: until now, you couldn't have both. Experience shows that today's "homo interneticus" rarely complies with the requirements set by security officers: password hygiene is a foreign concept to him, he uses one single access code for everything, and he is hopelessly lost in the jungle of user accounts. Experiences such as these call for new answers – such as Airlock's social logins and bring-your-own-identity functionality.

The new OAuth 2.0 and OpenID Connect standards offer an alternative to the confusing jumble of passwords. These standards make it possible to re-use existing user identities for applications throughout the internet. An important aspect: Gartner forecasts that half of all new customer accounts will be based on social network logins by the end of 2015. This means that businesses will make more of their applications available for "Login via Facebook" instead of foisting yet another account and password on the user.

There are also a number of foreseeable applications in the B2B sector. OAuth 2.0, for instance, is HTTP-based, making it ideal for protecting RESTful web services. The potential of the new standards can be exploited to the full when authorization for enterprise APIs is needed – for example, to allow access to partners. The new standards should also be considered in architectures that provide for federation of user identities and composition of APIs from different areas.


  • Password-free authentication
  • OAuth 2.0
  • OpenID Connect

Strong authentication

All web application firewalls (WAFs) filter data traffic. But Airlock WAF does far more: when combined with Airlock Login or IAM, Airlock WAF provides a central policy enforcement point for authentication and authorization. We are convinced that upstream authentication is the most important security filter bar none.

Why is two-factor authentication (2FA) so important? Because passwords are often stolen, forgotten or guessed. That's why they should be backed up with a second factor. But deciding to do this separately in every application is a costly undertaking that would soon become technically outmoded, because the application landscape is constantly growing and changing. Nor should the architectural complexities of this approach be overlooked. With Airlock, the decision on a central solution only needs to be taken once: it doesn't matter which applications (or how many) you decide to "hook up", and these aspects have no impact on the cost.

We have already integrated the best authentication methods directly in Airlock Login and Airlock IAM. We also link up existing user directories and databases – so there is no need to do this separately for each application. If additional profile information is needed (e.g. to register new tokens), it can be provided by expanding existing profiles or by an additional persistence layer.


  • Two-factor authentication (strong authentication)
  • Single sign-on
  • User self-services

Risk-based Authentication

Today, strong authentication using two factors is best practice for business applications. However, this measure is often considered to be cumbersome in everyday work.

This is where risk-based authentication (or adaptive authentication) comes in. Instead of strictly enforcing the second factor, Airlock IAM analyzes the context of a login attempt and compares it to previous sessions of the same user. Typically, attributes such as the originating network, geographical location or the browser used are considered. If Airlock IAM concludes that a login attempt originates from the user's internal workplace or home office, the second factor may be omitted.

Using the "remember me" functionality of Airlock IAM, returning users can be recognized based on a browser cookie. This new feature is very useful for applications that require an indicative user identity even before authentication has taken place. If more trust in the user identity is required later on, e.g., because more sensitive parts are accessed, additional step-up authentication provides the required authentication quality.


  • Strong security and usability at the same time
  • Adaptive behavior
  • Flexible authentication policy
  • "Remember me" functionality