What is Out-of-Band Authentication (OOBA)?

Identity security moved front-and-center during the pandemic, as more people worked, shopped and banked from home. Enterprises had to set up roadblocks to stop fraudsters before they could commit account takeover fraud to steal money, goods and rewards points, steal data and corporate resources, install ransomware and carry out other crimes. Data from cybersecurity firm Deduce showed that “one-third of account takeovers are for banking accounts, as a third of login attempts for financial services and financial technology (fintech) companies are suspected account takeover attempts.”

Multi-factor authentication (MFA) and two-factor authentication (2FA) are extremely effective solutions for keeping bad actors out of networks. Out-of-band authentication (OOBA), also known as OOB authentication, used as part of an MFA solution or 2FA solution requires users to verify their identities through two different communications channels. This makes it harder for fraudsters to bypass or tamper with the authentication process, providing an increased level of security.

There are different communications channels that can be used for transactions, such as internet connections, wireless networks, landlines and in-person meetings. Out-of-band authentication (OOBA) requires that the communications channel used to authenticate a user is separate from the channel used to sign in or perform a transaction. OOBA is often considered a form of two-factor authentication (2FA) or multi-factor authentication (MFA).

Let's say a customer wants to complete a banking transaction on their desktop computer. They log in to the online banking system using their username and password. The system then sends a one-time password (OTP) as a text message or push notification to their mobile device. Two different channels are involved here—the user's internet and their wireless network.

Alternatively, the customer may have already set a unique PIN for online banking and be required to enter it using their mobile or landline phone. This additional step prevents account access should a fraudster already have the customer's username and password. Two different channels are used to verify the user's identity using two different authentication methods.

Bad actors may have access to compromised credentials and sign on to make a purchase with a laptop, but they rarely have access to the user's smartphone to receive the one-time password needed for authorization unless call forwarding, cloning, phone theft or other methods are also involved. Without the OTP, the transaction cannot be completed. The same is true of other OOBA methods the enterprise may use instead of an OTP, such as a fingerprint scan or QR code.

Financial institutions often use out-of-band authentication to verify users, with some banks devoting sections of their website to explain OOB authentication to their customers. Financial service firms are a high-value target for bad actors, who can use access to transfer money, make purchases, and obtain additional information about the user.

Learn more about the steps banks and other financial institutions are taking to combat fraud.

Some examples of out-of-band authentication (when paired with a typical online login) include:

• Push notifications sent to a mobile device
• QR codes with encrypted transaction data
• Biometric readers for fingerprint scans or facial recognition
• Phone calls for voice authentication

To learn more about how financial institutions are using out-of-band authentication and other forms of multi-factor authentication (MFA) to prevent fraud, please read The Case for MFA Everywhere for Financial Services.