Out-of-band authentication is a type of two-factor authentication that requires a secondary verification method through a separate communication channel. The most common form involves two different channels: the customer’s internet connections and the wireless network on which their mobile phone operates. The possibility of the two channels being compromised at the same time by an attacker while the customer is attempting to login or do a transaction is significantly reduced compared to a login attempted in a single band system.
Out-of-band (OOB) authentication is mainly used by financial institutions and other organizations with high security requirements to prevent unauthorized access. Out-of-band- helps improve cybersecurity because it makes hacking an account more difficult due to two separate and unconnected authentication channels that would need to be compromised at the same time for an attacker to gain access.
What is an Out-Of-Band Device?
Out-of-Band Device is an authentication device that establishes an additional channel of communication with a 2FA system to receive an authentication request or another type of out-of-band secret.
How Does Out-Of-Band Authentication Work?
Out-of-band authentication, as opposed to multi-factor authentication, is a type of 2FA (something you know, such as a password, and something you have, such as a mobile device). The channel used to authenticate a customer in an out-of-band authentication (OOBA) system is completely independent of the channel used by the customer to log in or make a transaction.
Cybercriminals may have access to compromised credentials and can use a laptop to make a transaction. But rarely do they have access to the user’s smartphone to obtain the one-time password required for authorization unless additional means like call forwarding, cloning, or phone theft occurs. The transaction cannot be completed without the OTP. Out-of-band Authentication techniques, such as a fingerprint scan or QR code, could be used instead of an OTP by the company.
What Out-Of-Band Authentication is Sent to Mobile Devices?
Out-of-band passcodes can be delivered in a variety of ways to mobile devices:
Push notifications – Push notifications deliver an authentication code or OTP one-time passcode through a notification that appears on the lock screen of a customer’s mobile device.
Cronto codes – Cronto or a QR-like code can authenticate or authorize a financial transaction. The customer will then see a graphical cryptogram that resembles a QR code, displayed through a web browser. Only the customer’s registered device can read the Cronto code. This approach meets the dynamic linking requirements outlined in the European Union’s Revised Payment Services Directive (PSD2) Regulatory Technical Standards.
Voice authentication – Voice authentication places a call to the customer to tell them there is a login request to be approved or rejected. The customer can press a button or a key as instructed to accept the request or decline it by hanging up.
Biometric reader on a laptop – A biometric reader on a laptop can be considered as a way of performing out of band authentication provided that it implements a separate communications channel that is not accessible from the operating environment of the primary communications channel.
How Out-Of-Band Authentication Helps Prevent Fraud and Cyber Attacks
If we use a bank as an example, when a high-risk transaction is flagged by a bank’s risk engine, it provides a score that reflects the susceptibility for fraud based on algorithms. A higher risk score triggers higher authentication steps or additional security requirements. This is when out-of-band authentication is used, to challenge the customer to reconfirm the transaction. The risk engine and related score can trigger a change in the authentication workflow in order to send an OTP to a customer’s trusted mobile device for additional verification.
With out-of-band authentication, the possession element is the mobile phone where the user receives an authentication code. The knowledge or inherence element is entered into:
The banking device for two device-authentication (desktop and mobile)
Or a mobile device for two-app authentication (two different apps running on the same mobile device)
Or one mobile app authentication where the customer uses a single device and a single app to initiate and authenticate transactions.
Out-Of-Band Authentication Thwarts Man In The Middle Attacks
OOB can help prevent Man-in-the-Middle attacks in financial institutions, in which fraudsters position themselves between an institution and the user in order to intercept, edit, send, and receive communications without being noticed. Out-of-band authentication makes attacks much more challenging for hackers or fraudsters because they need to be able to take control of both of the separate communication channels. simultaneously in order to compromise the user authentication process. Fraudsters can take over the communication channel between the user’s device and the bank’s server by setting up a malicious Wi-Fi network as a public hotspot. Even if the customer is on their cellular network, such an attack would be prevented because the fraudster would only have access to one of the channels. Out-of-band authentication is a critical tool for financial institutions to fight fraud.
Out-of-Band Authentication Use Cases
Rising concerns related to data privacy have also fuelled the demand for Out-Of-Band authentication solutions from businesses handling critical data such as payment card, banking, insurance, healthcare, etc.
Out-of-band can be segmented into these industries:
Small and medium enterprise
Large enterprise
Banking, financial services and insurance (BFSI)
Information Technology (IT)
Retail
OOB is a powerful tool used to prevent fraud as the OOB authentication software works with a secured communication channel. For high-risk transactions, enterprises use this technology to verify and authenticate the identity of a user. The technology is used for authentication for both financial and non-financial transactions.
