Out-of-band authentication

Entersekt | Encyclopedia | Out-of-band authentication
What is out-of-band authentication?

Out-of-band authentication (OOBA) is a security mechanism that uses separate communication channels, such as SMS or a phone call, to verify a user’s identity during authentication. This type of authentication can form part of a two-factor authentication (2FA) or multi-factor authentication (MFA) approach.

Typical methods of out-of-band authentication

An example of using an OOBA approach is a customer wanting to pay a bill on their online banking platform on their laptop. After logging in with their username and password, they receive an OTP via a push notification to their mobile device. This means two separate channels were used to authenticate the customer.

Other out-of-band methods include a QR code, a biometric scan, or a phone call, each used alongside one other separate channel.

Out-of-band authentication and 3DS

This type of authentication helps financial institutions meet regulatory requirements and standards like 3-D Secure and the Second Payment Services Directive (PSD2). With payments authenticated through 3DS, customers can use their mobile banking app as an OOBA measure to approve a transaction they’re performing on another device.

OOBA enables financial institutions (FIs) to meet PSD2 requirements when customers make digital payments, as well as the 2FA requirements stipulated by the National Institute of Standards and Technology (NIST), if an SMS OTP is sent via a push notification.

How is out-of-band authentication used in banking?

In financial services, out-of-band authentication adds an extra layer of cybersecurity to prevent hackers from gaining unauthorized access to customers’ accounts: an attacker would need to get through two separate channels for a successful attack.

If a bank’s risk engine detects that a transaction is suspicious or high risk, it could employ OOBA as a more secure way to verify the cardholder, for instance when a customer is making a high-value instant payment. The bank’s system may step up the authentication and challenge them with an out-of-band push notification to confirm their choice and identity.
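The step-up flow just described, modelled as an added example (this is illustrative code, not Entersekt's own): the first channel submits the payment, the risk rule decides whether to challenge, and the approval from the second channel is accepted only if it is unexpired, single-use and bound to the same payee and amount. The threshold, server key and time-to-live are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

HIGH_VALUE_THRESHOLD = 1000.00  # constructed stand-in for the bank's risk-engine rule

@dataclass
class Transaction:
    txn_id: str
    payee: str
    amount: float

@dataclass
class Challenge:
    challenge_id: str
    txn_fingerprint: bytes  # binds the out-of-band approval to exactly one transaction
    expires_at: float
    used: bool = False

class OobaStepUp:
    """Server side of the step-up: the challenge goes to the second channel (the enrolled mobile
    app) and is accepted only if unexpired, unused and matching the first-channel transaction."""
    def __init__(self, server_key: bytes, ttl_seconds: int = 120):
        self._key, self._ttl = server_key, ttl_seconds
        self._pending: dict[str, Challenge] = {}

    def needs_step_up(self, txn: Transaction) -> bool:
        return txn.amount >= HIGH_VALUE_THRESHOLD  # only high-value payments are challenged
    def fingerprint(self, txn: Transaction) -> bytes:
        msg = f"{txn.txn_id}|{txn.payee}|{txn.amount:.2f}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()
    def issue_challenge(self, txn: Transaction, now: float) -> Challenge:
        ch = Challenge(secrets.token_urlsafe(16), self.fingerprint(txn), now + self._ttl)
        self._pending[ch.challenge_id] = ch
        # The push notification would be sent here, carrying challenge_id plus the
        # human-readable payee and amount so the user can check them on the phone.
        return ch

    def approve(self, challenge_id: str, shown: Transaction, now: float) -> bool:
        """Called when the mobile app returns the user's decision and the details it displayed."""
        ch = self._pending.get(challenge_id)
        if ch is None or ch.used or now > ch.expires_at:
            return False
        # The echoed details must match the first-channel submission; otherwise the
        # approval was given for a different payment and is rejected.
        if not hmac.compare_digest(ch.txn_fingerprint, self.fingerprint(shown)):
            return False
        ch.used = True
        return True
```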
