Out of Band Authentication (OOB)

Out of band authentication (OOBA) refers to an authentication process that uses a communications channel separate from the primary channel over which two entities are trying to establish an authenticated connection. Using a separate authentication channel makes it significantly more difficult for an attacker to intercept and subvert the authentication process (e.g., via a man-in-the-middle attack), because the attacker must compromise two communications channels rather than one.

Example forms of OOB authentication include codes sent to a mobile device via SMS, authentication via a voice channel, codes sent to a mobile app via push notification, and codes sent to or received from a trusted execution environment connected to the host device that is trying to establish the authenticated connection (e.g., a TEE implemented by the CPU, a separate secure element built into the host, or a separate secure element connected to the host via USB or another port).

OOBA is commonly used by online banking websites. To complete the login process, an authentication code is sent via SMS to the account holder’s mobile device.
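As an added illustration that is not part of the original page, the following sketches the server side of the SMS code step described above: the code is generated from a CSPRNG, bound to the primary-channel login session, delivered only through an injected secondary-channel callback (`send_out_of_band`, a stand-in for a real SMS, voice or push gateway), and accepted only once, within a time limit and a bounded number of attempts. The callback, clock parameter and phone numbers are assumptions for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300      # code expires 5 minutes after issue
MAX_ATTEMPTS = 3            # lock the challenge after three wrong codes


@dataclass
class OobChallenge:
    session_id: str          # primary-channel login session the code is bound to
    code: str                # delivered only over the secondary channel
    issued_at: float
    attempts: int = 0
    used: bool = False


class OobVerifier:
    """Server-side half of an SMS-style out of band login step."""

    def __init__(self, send_out_of_band, clock=time.time):
        # send_out_of_band(phone_number, code) is the assumed secondary channel
        # (SMS/voice/push gateway); injected here so it can be stubbed offline.
        self._send = send_out_of_band
        self._clock = clock
        self._challenges = {}

    def issue(self, session_id, phone_number):
        # 6-digit code from a CSPRNG; it is never echoed back on the primary channel
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[session_id] = OobChallenge(session_id, code, self._clock())
        self._send(phone_number, code)

    def verify(self, session_id, submitted):
        ch = self._challenges.get(session_id)
        if ch is None or ch.used:
            return False                       # unknown session or code already spent
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[session_id]
            return False                       # expired: force a fresh challenge
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._challenges[session_id]
            return False                       # too many guesses: lock this challenge
        # constant-time comparison avoids leaking how many leading digits matched
        if hmac.compare_digest(ch.code, submitted):
            ch.used = True                     # single use: replaying the code fails
            return True
        return False
```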


Frequently Asked Questions
Which authentication methods are considered out of band?

Any authentication method that employs a primary communications channel and a separate secondary channel for the authentication step can be considered out of band authentication. Examples are those listed above: codes sent to a mobile device via SMS, authentication via a voice channel, codes sent to a mobile app via push notification, and codes sent to or received from a trusted execution environment (a CPU-implemented TEE, a built-in secure element, or a secure element connected via USB or another port).

Is a laptop biometric reader considered out of band?

A biometric reader on a laptop can be considered a means of performing out of band authentication provided it implements a separate communications channel that is not accessible from the operating environment of the primary channel. For example, if the biometric reader is implemented using a secure element that can communicate securely with a remote authentication service (via an end-to-end secured channel that terminates inside the secure element), then it can be considered an out of band authentication method.

Is a secure enclave an out of band factor?

Using a secure enclave can be considered an out of band factor provided a secure communications channel is properly established between the trusted execution environment of the enclave and the authentication server, making the authentication step inaccessible to an attacker who may have compromised the host device.