What is out-of-band authentication?
Out-of-band authentication is a type of two-factor authentication (2FA) that requires a secondary verification method delivered through a separate communication channel. It involves two different channels: the customer’s Internet connection and the wireless network on which their mobile phone operates. The possibility of both channels, the customer’s Internet connection and the mobile wireless network, being compromised by an attacker at the same time while the customer is attempting to log in or perform a transaction is significantly reduced compared to a login attempted in a single-band system.
Out-of-band (OOB) authentication is used by financial institutions and other organizations with high security requirements to prevent unauthorized access. OOB helps improve cybersecurity because it makes hacking an account more difficult due to two separate and unconnected authentication channels that would need to be simultaneously compromised for an attacker to gain access.
How out-of-band authentication works
In an out-of-band authentication (OOBA) system, the channel used to authenticate a customer is completely separate from the channel the customer uses to log in or perform a transaction. Out-of-band authentication is a type of two-factor authentication (something you know, such as a password, and something you have, which is your mobile device), rather than multi-factor authentication (MFA). For example, a customer who wants to perform an online banking transaction on their desktop will be sent a one-time password (OTP) via SMS text message or push notification on their mobile device, which involves two different channels – the Internet and a wireless network. Using a separate channel decreases the possibility of Man-in-the-Middle and other attacks that follow from data breaches.
What out-of-band authentication is sent to mobile devices?
Out-of-band passcodes can be delivered in a variety of ways to mobile devices:
Out-of-band authentication example 1: push notifications
Push notifications deliver an authentication code or one-time passcode (OTP) through a notification that appears on the lock screen of a customer’s mobile device.
Out-of-band authentication example 2: cronto codes
A Cronto® or QR-like code can authenticate or authorize a financial transaction. The customer sees a graphical cryptogram that resembles a QR code, displayed through a web browser. Only the customer’s registered device can read the Cronto code, which makes it very secure. When you want to perform a transaction, you enter the payment data into the online banking application in the browser. You then see the QR-like code and scan it using the camera on your phone. Your device decodes it, decrypts the payment data, and shows it to you on your mobile in plain text, so you can check what you are about to approve. As well, this approach meets the dynamic linking requirements outlined in the European Union’s Revised Payment Services Directive (PSD2) Regulatory Technical Standards, which bind the authentication code to the specific amount and payee.
Out-of-band authentication example 3: voice authentication
Voice authentication places a call to the customer to tell them there is a login request to be approved or rejected. Typically, the customer can press a button or a key as instructed to accept the request or decline it by hanging up.
Out-of-band authentication example 4: biometric reader on a laptop
A biometric reader on a laptop can be considered as a way of performing out of band authentication provided that it implements a separate communications channel that is not accessible from the operating environment of the primary communications channel.
How out-of-band authentication helps prevent fraud and cyberattacks
When a bank’s risk engine evaluates a transaction, it produces a score that reflects the propensity for fraud based on its algorithms. A higher risk score triggers stronger authentication steps or additional security requirements, such as out-of-band authentication, to challenge the customer to reconfirm the transaction (which would generally involve a large amount of money). The risk engine and its score can therefore change the authentication workflow, for example by sending an OTP to the customer’s trusted mobile device for additional verification.
With OOB, the possession element is the mobile phone where the user receives an authentication code. The knowledge or inherence element is entered into:
- The banking device, for two-device authentication (desktop and mobile)
- A mobile device, for two-app authentication (two different apps running on the same mobile device)
- A single mobile app, for one-app authentication, where the customer uses a single device and a single app to initiate and authenticate transactions
Out-of-band authentication thwarts man in the middle attacks
OOB also helps financial institutions reduce malware attacks. For example, OOB can help prevent Man-in-the-Middle attacks, in which fraudsters position themselves between the financial institution and the user in order to intercept, edit, send, and receive communications without being noticed. For example, they can take over the communication channel between the user’s device and the bank’s server by setting up a malicious Wi-Fi network as a public hotspot.
Even if the customer is on their cellular network, such an attack would be prevented because the fraudster would only have access to one of the channels. As mentioned earlier, out-of-band authentication makes attacks much more challenging for hackers or fraudsters because they need to take control of both separate communication channels simultaneously in order to compromise the user authentication process. Out-of-band authentication is a critical tool for financial institutions in fighting fraud.
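The Cronto-style transaction signing and the Man-in-the-Middle scenario above, modelled as an added example (not OneSpan’s code or the Cronto protocol): the bank tags the payment data for the registered device, the device checks the tag, shows the data to the user, and returns a confirmation code bound to exactly that amount and payee (dynamic linking). The per-device key, the HMAC-based construction and the sample transaction are constructed assumptions; a real product uses a hardened cryptographic protocol rather than this simplified model.

```python
import hmac, hashlib, json, secrets

# Constructed: a key shared between the bank and one registered device
# (a real system provisions this during device enrolment).
DEVICE_KEY = secrets.token_bytes(32)


def _body(amount: str, payee: str, nonce: str) -> bytes:
    """Canonical encoding of the transaction details the code is bound to."""
    return json.dumps({"amount": amount, "payee": payee, "nonce": nonce}, sort_keys=True).encode()


def server_build_cryptogram(key: bytes, amount: str, payee: str) -> dict:
    """Bank side (in-band channel): wrap the transaction in a fresh challenge
    and tag it so only the registered device accepts it."""
    body = _body(amount, payee, secrets.token_hex(8))
    tag = hmac.new(key, b"challenge|" + body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def device_decode_and_confirm(key: bytes, cryptogram: dict) -> tuple[dict, str]:
    """Device side (out-of-band channel): reject cryptograms not issued by the
    bank, show the payment data to the user, and return a short confirmation
    code computed over exactly what was shown."""
    body = cryptogram["body"].encode()
    expected = hmac.new(key, b"challenge|" + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cryptogram["tag"]):
        raise ValueError("cryptogram was not issued by the bank or was tampered with")
    shown = json.loads(body)  # what the customer reads on the phone screen
    code = hmac.new(key, b"confirm|" + body, hashlib.sha256).hexdigest()[:8]
    return shown, code


def server_verify(key: bytes, amount: str, payee: str, nonce: str, code: str) -> bool:
    """Bank side: recompute the code over the transaction it is about to execute.
    Dynamic linking means a code for a different amount or payee never verifies."""
    expected = hmac.new(key, b"confirm|" + _body(amount, payee, nonce), hashlib.sha256).hexdigest()[:8]
    return hmac.compare_digest(expected, code)


def demo() -> tuple[bool, bool]:
    """Returns (honest transaction verified, payee-swapped transaction verified)."""
    crypt = server_build_cryptogram(DEVICE_KEY, "100.00", "IBAN-ALICE")
    shown, code = device_decode_and_confirm(DEVICE_KEY, crypt)
    honest = server_verify(DEVICE_KEY, shown["amount"], shown["payee"], shown["nonce"], code)
    # Browser-side malware replaces the payee after the customer confirmed on the phone:
    # the confirmation code is bound to IBAN-ALICE, so the altered transfer is refused.
    swapped = server_verify(DEVICE_KEY, "100.00", "IBAN-MALLORY", shown["nonce"], code)
    return honest, swapped
```

If the attacker instead alters the payee before the bank builds the cryptogram, the customer sees the wrong payee on the phone and declines, which is the check the separate channel exists to make possible.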
Regulatory compliance
Out of band authentication helps organizations meet the requirements of the European Union’s Second Payment Services Directive (PSD2), specifically Article 97, which requires payment service providers to authenticate a user when they:
- Access an online payment account
- Initiate an electronic payment transaction
- Carry out any action through a remote channel that may involve a risk of payment fraud
Out-of-band authentication also supports GDPR compliance on data protection and privacy.
Out-of-band authentication also meets the requirements of NIST, the National Institute of Standards and Technology. In 2016, NIST proposed “deprecating” SMS two-factor authentication as an out-of-band factor in multi-factor authentication environments because of its vulnerabilities. Due to confusion about the term “deprecating” and whether SMS two-factor authentication was still allowed, NIST changed its guidelines in 2017 and placed SMS in the “restricted” category, meaning customers and organizations accept a risk when using SMS 2FA. However, an out-of-band authentication approach such as a push-based OTP (sending a code to a mobile device via an app such as Google Authenticator), which is cryptographically signed and not delivered over the SMS channel, avoids the SMS message vulnerabilities.
What analysts say about out-of-band authentication
According to Allied Market Research, the “rise in the volume of online transactions, continuous increase in advanced and complex threats are some of the major factors that have propelled the growth of the out-of-band authentication market. However, risks included in the OOB authentication with SMS and high product cost association restrain the market growth. Conversely, the increase in adoption by small and medium-sized businesses is expected to produce numerous opportunities for this market.” The global out-of-band authentication market was valued at $274 million in 2016 and is projected to reach $1.1 billion in 2023, growing at a CAGR of 22.8% from 2017 to 2023.
Research and Markets notes that “OOB is a powerful tool used to prevent fraud as the OOB authentication software works with a secured communication channel. For high-risk transactions, enterprises use this technology to verify and authenticate the identity of a user. The technology is used for authentication for both financial and non-financial transactions.” The analysts forecast the global OOB authentication software market to grow at a CAGR of 23.57% during the period 2016-2020.