Out of band authentication is, by definition, an authentication method that uses a communication path separate from the one used for the initial login to the merchant app or web browser. It relies on two completely separate communication channels instead of one, which is why it is considered a robust way to strengthen authentication. Continue reading for a detailed overview of OOB authentication flows and practical use cases.
Out of band authentication (OOBA) is a type of two-factor authentication (2FA) that uses two different channels in order to deliver successful and secure authorization of online payments. The first channel is for making the transaction/purchase, and the second channel is the authentication channel, used for verifying the identity of the cardholder. By separating the process into two channels, using both the cardholder's internet and mobile wireless connection, the chances of compromising the transaction/account are greatly reduced. It is not likely that an attacker would be able to compromise both channels in the short timespan necessary for an online transaction to take place.
OOB authentication is widely used by financial institutions as well as by organizations with demanding security requirements. It is an effective way to improve security and to counter known attack methods such as "man-in-the-middle" attacks.
As mentioned, OOB authentication relies on two completely separate channels to process a transaction. Since it is a form of 2FA, the required authentication factors are something the user knows (password/PIN/OTP), something the user owns (smartphone, hardware or software token) or something the user is (biometrics such as fingerprint or face recognition).
A common example of OOBA is an internet banking transaction. The cardholder logs in to their internet banking account on their laptop. Upon entering the transaction details, the cardholder receives an SMS OTP on their mobile phone to verify the transaction. And there it is: two completely separate channels, the internet connection and the wireless network, working together to achieve heightened online payment security.
Typically, additional authentication is necessary when an Issuing bank's risk scoring engine detects a transaction that results in a score higher than the set threshold for frictionless transactions. Depending on the risk level, the cardholder needs to apply a more sophisticated means of authentication. This is when out of band authentication comes into play, assuming two different security elements obtained through different channels.
The possession element is the smartphone registered to receive authentication request notifications. The knowledge (OTP, PIN, etc.) or inherence (biometrics) element follows: depending on the cardholder's selection, they are required to complete the chosen authentication challenge.
OOB authentication can be done using a single device (different apps running on the same device simultaneously), multiple devices (e.g., a smartphone and a tablet), or, if no authentication app is available, by entering an SMS OTP into a designated field within the merchant's app.
Out of band authentication is part of the EMVCo 3D Secure protocol and is proving effective at combating malicious attacks directed at online payments. What makes this approach successful is the combination of active components necessary for the functioning of the 3D Secure environment, namely the 3DS Requestor, the 3DS Server, the ACS (Access Control Server), and the Directory Server.
To better understand the authentication flow, let's review three possible use case scenarios when it comes to OOBA.
OOBA enables authentication outside the merchant's shopping app, using an authentication application installed on the cardholder's device. The out of band checkout flow is triggered when an authentication app installed on the cardholder's device is identified as a second authentication channel. The application can be any of the following:
Within this flow, the cardholder switches from the 3DS merchant app to the authentication app and finally back to the 3DS merchant app, which displays the transaction/payment confirmation screen.
Let's review the entire checkout flow for a single device out of band authentication. This example includes push notification and fingerprint recognition as a means of authenticating the cardholder.
Numerous studies state that the vast majority of online transactions within Europe are initiated from a laptop, PC, or tablet. Research also suggests that this pattern is going to be relevant for the next two to three years. OOB authentication enables cardholders to conduct their online shopping using a laptop, while authentication can be controlled by using their mobile device.
The following flow covers an example of a cardholder purchasing items online on a merchant website (HTML flow). We will review the cardholder activity both on the laptop and on the registered user device.
In the case where the cardholder does not have access to an authentication app, the alternative authentication method is OTP via SMS. We consider OTP (One Time Passcode) as a possession element indicating ownership of a registered device.
The following flow assumes a single device OOB authentication, including a merchant app and an OTP sent via SMS to the cardholder's registered device.
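As an added example that is not part of the original article or any vendor's code, the following Python sketch models the ACS side of the two challenge flows described above: the push-to-app approval (single or multiple device) and the SMS OTP fallback. It assumes an in-memory dictionary in place of the ACS database, simulates out-of-band delivery by returning the text the registered device would display, and uses assumed policy values (OTP lifetime, attempt limit); the security point it shows is that the approval is bound to the exact transaction details the cardholder saw on the second channel.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 120       # seconds an SMS OTP stays valid (assumed policy value)
MAX_ATTEMPTS = 3    # wrong OTP entries before the challenge is locked (assumed)

def tx_digest(merchant, amount_cents, currency):
    """Digest of the details the cardholder sees on the second channel."""
    return hashlib.sha256(f"{merchant}|{amount_cents}|{currency}".encode()).hexdigest()

class ACS:
    """In-memory stand-in for the Access Control Server (assumed, not a real ACS)."""
    def __init__(self):
        self.challenges = {}   # tx_id -> challenge record

    def start(self, merchant, amount_cents, currency, use_sms=False):
        """Channel 1: open a challenge for a flagged transaction; return id and out-of-band text."""
        tx_id = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}" if use_sms else None
        self.challenges[tx_id] = {"digest": tx_digest(merchant, amount_cents, currency),
                                  "otp": otp, "created": time.time(),
                                  "attempts": 0, "status": "pending"}
        shown = f"Approve {amount_cents / 100:.2f} {currency} at {merchant}"
        return tx_id, shown + (f", code {otp}" if otp else "")

    def approve_from_app(self, tx_id):
        """Channel 2a: the authentication app confirms after biometric unlock."""
        ch = self.challenges[tx_id]
        if ch["status"] == "pending":
            ch["status"] = "approved"
        return ch["status"] == "approved"

    def verify_otp(self, tx_id, entered):
        """Channel 2b: SMS code typed into the merchant app (expiry, attempt limit, constant-time)."""
        ch = self.challenges[tx_id]
        if ch["status"] != "pending" or ch["otp"] is None:
            return False
        ch["attempts"] += 1
        if time.time() - ch["created"] > OTP_TTL:
            ch["status"] = "expired"
        elif hmac.compare_digest(ch["otp"], entered):
            ch["status"] = "approved"
        elif ch["attempts"] >= MAX_ATTEMPTS:
            ch["status"] = "locked"
        return ch["status"] == "approved"

    def result(self, tx_id, merchant, amount_cents, currency):
        """Channel 1: approval is valid only for the details the cardholder saw (defeats tampering)."""
        ch = self.challenges[tx_id]
        return ch["status"] == "approved" and hmac.compare_digest(
            ch["digest"], tx_digest(merchant, amount_cents, currency))
```

An amount changed on the first channel after the cardholder approved on the second channel fails the digest check in `result`, and a challenge that is already approved, expired or locked can no longer be completed with the OTP.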