The Secret Security Wiki


Out of Band Authentication

Out of band authentication (OOBA) is an authentication process that uses a communications channel separate from the primary channel over which two parties are establishing an authenticated connection. Using a separate authentication channel makes it significantly harder for an attacker to intercept and subvert the authentication process (e.g. by a man-in-the-middle attack on the primary channel), because the attacker must compromise two communications channels at the same time.

Example forms of OOB authentication include codes sent to a mobile device via SMS, verification over a voice channel, codes delivered to a mobile app via push notification, and codes sent to or received from a trusted execution environment (TEE) attached to the host that is establishing the authenticated connection (e.g. a TEE implemented by the CPU, a separate secure element built into the host, or a separate secure element connected to the host via USB or another port).

OOBA is commonly used by online banking websites: to complete the login, an authentication code is sent via SMS to the account holder's registered mobile device and entered into the web session. SMS is the weakest of the channels listed above. Codes can be captured by SIM swapping, by interception of the mobile network, or by malware on the phone, and a user can be talked into reading the code back to a phisher, which defeats the channel separation entirely. NIST SP 800-63B therefore treats SMS and voice delivery as a restricted authenticator, and higher-assurance deployments prefer push to an app or a hardware-backed factor.
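The server-side half of the banking flow above, written as an added example for this page (it is not code from any bank or vendor). The code is generated on the server, handed to a delivery callback that stands in for the second channel (an SMS gateway or push service, simulated here), and then checked against the web session that requested it. The checks a practitioner expects are included: a CSPRNG-generated code, a short lifetime, a small number of guesses, single use, binding to the originating session, and constant-time comparison. The `run_demo` function uses a constructed in-memory "phone" and a fake clock so the example runs offline; `OutOfBandVerifier`, `PendingCode` and the two constants are names chosen for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # a code older than this is rejected
MAX_ATTEMPTS = 3         # wrong guesses before the code is discarded


@dataclass
class PendingCode:
    code: str
    session_id: str      # the web session (primary channel) that started the login
    expires_at: float
    attempts: int = 0


class OutOfBandVerifier:
    """Server side of an OOB login step. The code is created here, passed to a
    delivery callback that represents the second channel (SMS gateway, push
    service, voice call) and later checked against the session that requested it."""

    def __init__(self, send, now=time.time):
        self._send = send          # send(user_id, code): out-of-band delivery (assumed interface)
        self._now = now
        self._pending = {}

    def start(self, user_id: str, session_id: str) -> None:
        # Six digits from a CSPRNG; the code never travels over the web session.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingCode(code, session_id, self._now() + CODE_TTL_SECONDS)
        self._send(user_id, code)

    def verify(self, user_id: str, session_id: str, submitted: str) -> bool:
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if self._now() > pending.expires_at:
            del self._pending[user_id]
            return False
        pending.attempts += 1
        # Constant-time comparison of both the code and the session binding.
        ok = hmac.compare_digest(pending.code.encode(), submitted.encode()) and \
             hmac.compare_digest(pending.session_id.encode(), session_id.encode())
        # One-shot: a used code, or one guessed at too often, is discarded.
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
        return ok


def run_demo() -> dict:
    """Constructed scenario: an in-memory 'phone' receives the codes and a fake clock
    controls expiry. Returns the outcome of each check so it can be inspected."""
    inbox = {}                      # user_id -> last code delivered over the second channel
    clock = [1_000.0]
    v = OutOfBandVerifier(send=lambda u, c: inbox.__setitem__(u, c), now=lambda: clock[0])
    results = {}

    v.start("alice", "sess-1")
    code = inbox["alice"]
    # An attacker sitting on the primary channel knows the session but not the code.
    results["guess_without_code"] = v.verify("alice", "sess-1", "000000" if code != "000000" else "000001")
    # The right code submitted from a different session does not complete that login.
    results["right_code_wrong_session"] = v.verify("alice", "sess-2", code)
    results["legitimate"] = v.verify("alice", "sess-1", code)
    results["reuse_after_success"] = v.verify("alice", "sess-1", code)

    v.start("alice", "sess-3")
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = v.verify("alice", "sess-3", inbox["alice"])

    v.start("alice", "sess-4")
    code = inbox["alice"]
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    for _ in range(MAX_ATTEMPTS):
        v.verify("alice", "sess-4", wrong)
    results["locked_out_after_guesses"] = v.verify("alice", "sess-4", code)
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The session binding is what makes the second channel meaningful: a code is only good for the login that triggered it. Note what it does not do. If the attacker starts the login with a stolen password and the victim reads the delivered code back to the attacker, the code is bound to the attacker's session and the check passes; that is the real-time phishing weakness of code-based OOB mentioned above.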

  • Which authentication methods are considered out of band?

    Any authentication method that employs a primary communications channel and a secondary, independent authentication channel can be considered out of band authentication. The examples listed above all qualify: codes sent by SMS, verification over a voice channel, codes pushed to a mobile app, and codes exchanged with a trusted execution environment or secure element attached to the host (built into the CPU, a separate element on the board, or an external element connected via USB or another port).

  • Is a laptop biometric reader considered out of band?

    A biometric reader on a laptop can be considered a means of out of band authentication only if it implements a separate communications channel that is not accessible from the operating environment of the primary channel. For example, if the reader is implemented in a secure element that can communicate with the remote authentication service over an end-to-end secured channel terminating inside that element, then the authentication is out of band. A reader whose match result is simply reported to the host operating system, which then tells the server "biometric OK", is not: an attacker controlling the host can report the same thing without touching the sensor.

  • Is a secure enclave an out of band factor?

    Using a secure enclave can be considered an out of band factor provided that a secure communications channel is properly established between the trusted execution environment of the enclave and the authentication server, so that the authentication secret is never exposed to an attacker who has compromised the host device. Two further conditions matter in practice. The enclave must bind each response to the specific session or transaction it is approving, otherwise a compromised host can relay a challenge from the attacker's own session and use the enclave as a signing oracle; and the enclave should require a local user-presence check (PIN or biometric on its own input path) and show the user what is being approved, because the host can still drive the enclave's API.
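The enclave case above, as an added example written for this page rather than any vendor's TEE API. It models the two conditions just stated: the server's challenge carries the session being approved and is authenticated so the host cannot rewrite it, and the element answers only once per challenge and only after a user-presence/confirmation step that the host cannot satisfy. The host is not modelled as a class because it does nothing but relay opaque bytes; the attacks are shown by what a compromised host would try to relay. An HMAC under a key provisioned at enrolment stands in for the device-bound asymmetric key a real TEE would use, purely to keep the example short; `SecureElement`, `AuthServer`, `Challenge` and `run_scenarios` are names chosen for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    session_id: str   # the primary-channel session this challenge approves
    nonce: bytes
    tag: bytes        # server MAC over session_id and nonce, checked inside the element


def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefixed concatenation so fields cannot slide into each other.
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


class SecureElement:
    """Stand-in for the TEE / secure element. The key never leaves this object; the host
    only relays Challenge objects in and response bytes out."""

    def __init__(self, device_key: bytes, user_confirms):
        self.__key = device_key
        # Local user-presence step: PIN/biometric plus "approve login for <session>?",
        # shown on the element's own UI, not on the (possibly compromised) host.
        self._user_confirms = user_confirms
        self._answered = set()

    def respond(self, ch: Challenge):
        # 1. The challenge must come from the server unmodified.
        expected_tag = _mac(self.__key, b"challenge", ch.session_id.encode(), ch.nonce)
        if not hmac.compare_digest(ch.tag, expected_tag):
            return None
        # 2. Each challenge is answered at most once, even if the host re-submits it.
        if ch.nonce in self._answered:
            return None
        # 3. The user sees and approves the session they are authenticating.
        if not self._user_confirms(ch.session_id):
            return None
        self._answered.add(ch.nonce)
        return _mac(self.__key, b"response", ch.session_id.encode(), ch.nonce)


class AuthServer:
    def __init__(self):
        self._keys = {}
        self._outstanding = {}   # (device_id, nonce) -> session_id

    def enroll(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)   # provisioned into the element at enrolment (simulated)
        self._keys[device_id] = key
        return key

    def challenge(self, device_id: str, session_id: str) -> Challenge:
        nonce = secrets.token_bytes(16)
        self._outstanding[(device_id, nonce)] = session_id
        tag = _mac(self._keys[device_id], b"challenge", session_id.encode(), nonce)
        return Challenge(session_id, nonce, tag)

    def verify(self, device_id: str, session_id: str, nonce: bytes, response) -> bool:
        # A challenge is consumed on first use, so a captured response cannot be replayed.
        if response is None or self._outstanding.pop((device_id, nonce), None) != session_id:
            return False
        expected = _mac(self._keys[device_id], b"response", session_id.encode(), nonce)
        return hmac.compare_digest(expected, response)


def run_scenarios() -> dict:
    """Constructed scenarios: the user only ever approves their own session 'sess-A'."""
    server = AuthServer()
    element = SecureElement(server.enroll("laptop-1"), user_confirms=lambda s: s == "sess-A")
    out = {}

    ch = server.challenge("laptop-1", "sess-A")
    resp = element.respond(ch)
    out["legitimate_login"] = server.verify("laptop-1", "sess-A", ch.nonce, resp)
    out["replayed_response"] = server.verify("laptop-1", "sess-A", ch.nonce, resp)
    out["challenge_reused_at_element"] = element.respond(ch) is None

    # Compromised host rewrites the session in a fresh challenge to point at its own session.
    ch = server.challenge("laptop-1", "sess-A")
    forged = Challenge("sess-B", ch.nonce, ch.tag)
    out["host_tampered_challenge"] = server.verify("laptop-1", "sess-B", ch.nonce, element.respond(forged))

    # Attacker starts a login in their own session; the element shows 'sess-B' and the user declines.
    ch = server.challenge("laptop-1", "sess-B")
    out["attacker_session_declined_by_user"] = server.verify("laptop-1", "sess-B", ch.nonce, element.respond(ch))
    return out


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The last scenario is the one that separates a real out of band factor from a mere co-processor: the attacker's challenge is perfectly valid and the host relays it faithfully, so the only thing standing between the attacker and a signed response is the user confirming, on the element's own display, a session they did not start. If that confirmation is absent or shows nothing identifying, the enclave is just a signing oracle for whoever controls the host.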