Out of Band Authentication: An Overview of Alternate Verification Channels

Howard Poston

What is Out-of-Band Authentication?

Out-of-band authentication (OOBA) requires signals from two different communication channels. For example, imagine that an employee in the finance department receives an email claiming to be from the CEO that instructs them to wire money to a particular bank account to close a deal. In this case, one way that the employee could perform out-of-band authentication is to call the number listed for the CEO in the company address book and receive verbal confirmation of the email’s contents.

The goal of OOBA is to improve security and make it more difficult for attackers to carry out social engineering attacks. If an attacker has access to the CEO’s or employee’s email account, then attempting to confirm the request via email would make it easy for the attacker to reply and instruct the employee to go ahead. However, confirming the request via the phone means that the attacker would need to control both the CEO’s phone and their email account to carry out the attack. 

Often, OOBA is considered a form of two-factor authentication (2FA) or multi-factor authentication (MFA). With 2FA/MFA, the user needs to have access to two different types of authentication factors to log in, such as a password and a smartphone that receives or generates one-time passwords (OTPs). To gain malicious access to a user’s account, the attacker needs access to both of these features as well.

With OOBA, two different forms of communication are used to confirm a request. Like 2FA/MFA, this requires the attacker to control both forms of communication to carry out their attack. If the attacker sends the email, but the CEO has no idea what you’re talking about on the phone, then the gig is up.

Out-of-Band Device

An out-of-band device is an authentication device that establishes another communication channel within a 2FA/MFA system. In the example with the CEO, the user’s email account is the primary form of authentication for the request. If the attacker controls the CEO’s email account, then any information transmitted using it is untrusted. Replying to the email to confirm the request — or using any communications channel that is accessible to an attacker with access to that email — provides no additional authentication or security.

In this example, the out-of-band device is the CEO’s phone, which will receive an additional authentication request or secret out-of-band. An attacker that controls the CEO’s email account doesn’t necessarily control their phone. The CEO could use the phone to verbally confirm the request or provide a secret (such as a PIN number or password) that the user needs in order to complete the transaction. To carry out the attack, the attacker would need to be able to access both the CEO’s email and their phone, which is a much harder attack to carry out.

How Out-of-Band Authentication (OOBA) Works

OOBA how it works01

OOBA uses multiple, distinct channels to authenticate a request. For example, a request made via email may be authenticated using a phone call or a one-time password generated on the user’s smartphone or texted to their device.

When implementing an OOBA system, it is important that the two communication channels used are distinct. However, with the rise of mobile devices, companies have a wide range of potential options for implementing OOBA.

Using OOBA Securely

A crucial part of OOBA is that the two authentication channels must actually be distinct. For example, in the email scenario above, imagine that the email requesting the wire transfer included the CEO’s phone number in the signature line. If an attacker sent the email, they could easily have changed that number to one that they control rather than the CEO’s real phone number. If the user calls that number, they may be speaking with the attacker instead, who would definitely approve the transfer.

It’s also important that the communications channels used to perform OOBA are distinct. For example, an OOBA system may include a combination of a user entering a password into a site and receiving a confirmation email. If the website offers password reset via email, an attacker with access to the user’s email could reset the password and click on links in the OOBA confirmation.

Delivering OOBA to Mobile Devices

OOBA can be used for user authentication, whether 2FA or MFA. In a 2FA scheme, the user needs two distinct forms of authentication, such as a password and an OTP generated by an authenticator app. With MFA, three or more distinct forms of authentication are used, which may include adding biometric authentication alongside the password and OTP.

Mobile devices offer a wide range of potential options for implementing OOBA. Some of the most common options include:

  • Push Notifications: Mobile devices can receive push notifications for OOBA. These may include an OTP or display a consent screen where the user can approve or deny the request.
  • Authenticator Apps: Authenticator apps like Google Authenticator can generate OTPs in sync with the associated website. This makes it possible to perform OTP-based authentication without the risk of the code being intercepted.
  • Security Tokens: Security tokens are physical devices that can generate OTPs or store digital certificates that verify the user’s identity. The user will enter the code from the security token or connect it to the device to authenticate.
  • Biometrics: Biometric readers on mobile devices can scan fingerprints or perform facial recognition. This provides strong authentication without the potential risks of phishing attacks.

Other forms of OOBA exist, such as delivering OTPs via SMS message or requesting that the user enter a password as well. However, these factors are less secure and more prone to phishing, man-in-the-middle (MitM), and other attacks.

Preventing Fraud and Cyberattacks with Out-of-Band Authentication

The primary goal of OOBA is to thwart MitM attacks, where the attacker is able to intercept and manipulate communications. For example, an attacker who could intercept the CEO’s request for a bank transfer could insert their account information in place of the correct information, resulting in the money being sent to them instead.

OOBA helps to prevent fraud and cyberattacks by making it more difficult for an attacker to perform a MitM attack. By using multiple channels of communication between a user and a financial institution or other organization, OOBA forces the attacker to intercept and control all of these channels. Since control over a user’s email account doesn’t equate to control over their phone, this raises the bar for a successful attack.

Out-of-Band Authentication Examples

OOBA is a method of increasing trust in communications by protecting against MitM attacks. It has applications in a range of scenarios, including:

  • Corporate Operations: An organization may use OOBA to perform verification of potentially risky or expensive requests. For example, corporate policy may require OOBA before updating the financial details of a vendor or employee or initiating a large payment as part of a deal or a merger and acquisition (M&A).
  • E-Commerce: An attacker may perform a MitM attack to gain access to a user’s account or redirect a shipment to their address. By using OOBA, an organization can make these attacks more difficult by receiving additional verification via a channel that the attacker is unlikely to control.
  • Finance: Financial institutions commonly use OOBA to help verify a user’s identity and protect against fraud. This could include an OTP delivered via SMS, email, or voice call that the user will need to input to authenticate a login request or a transaction.
  • IT: MitM attacks and phishing are common methods of delivering malware to users and stealing sensitive information. OOBA can help to protect against these threats by providing additional authentication that an email or other message is legitimate.
  • Regulatory Compliance: Regulators are increasingly requiring companies to prove that only authorized parties are accessing data or performing certain actions. OOBA provides an additional level of security for these sensitive and critical processes.

These are only a few examples of how an organization can use OOBA. However, any situation where an attacker masquerading as a legitimate user could cause damage to the company or its customers is a potential use case for OOBA.

Conclusion

Attackers know that it’s often easier and more profitable to trick users than it is to defeat cyber defenses. That’s why Social engineering and MitM attacks have emerged as a major threat to corporate and personal cybersecurity. 

OOBA provides additional protection against these types of attacks by making it more difficult for attackers to intercept messages and control communications channels. By confirming a request using a channel that is likely outside of the attacker’s control, it is possible to dramatically decrease the risk of a successful social engineering or MitM attack.

OOBA also has broad applicability across most secrets and for most businesses. With use cases ranging from authenticating customers to protecting against business email compromise (BEC) attacks, the ability to easily and scalably authenticate identity is invaluable for enhancing security and mitigating cyber risks.

Implement OOBA with Kelvin Zero

Protecting your organisations against MitM and social engineering attacks is paramount, which is why Kelvin Zero is building next-gen trust solutions, like Multi-Pass, that deliver built-in OOBA. With Multi-Pass, you can easily deploy high value authorizations with a global authentication card that uses offline biometrics, proprietary cryptography, and native MFA to validate your users in seconds, with one NFC tap.  

Contact us today and set up a demo to learn more about Multi-Pass and how Kelvin Zero can help you integrate trust throughout all of your operations.

Howard Poston
Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. Howard is also a staff writer for Kelvin Zero, where he has contributed several articles and guides covering various cybersecurity and authentication topics. Additionally, he is the creator of over a dozen cybersecurity courses, has authored two books, and has been featured as a speaker at numerous cybersecurity conferences.