Out-of-Band authentication (OOBA) is the process by which two different signals are required through two different channels or networks to authenticate a user who is trying to access an online service. Online service providers implement it to ensure a high degree of security for identity access. The notification to the user can be sent either through an 'SMS' message to the registered mobile phone of the user or through a 'Push Authentication' notification to the same mobile phone.
The majority of the OOBA market is currently based on SMS authentication notification. There is a view in the industry that SMS-based OOBA provides a weak mechanism for authentication and is subject to misuse. Hence, SMS-based OOBA should be phased out in favor of Push Authentication. A new draft publication by NIST (US National Institute of Standards and Technology) relating to OOBA reiterates that SMS authentication could be subject to misuse as it is vulnerable to interception. It is also relatively easy to set up a VoIP phone number without proper identity verification. Hence, only mobile numbers from network operators should be considered and not those from VoIP providers. Also, it should not be possible to change the registered mobile number without proper 2FA (Two Factor Authentication). The draft also recommends Push Authentication as a more secure alternative for OOBA.
Simage Technologies supports 'Push Authentication' for OOBA as a secure method to verify the identity of the online service user. It provides 2FA to ensure the authenticity of the transaction, as it is difficult to misuse.
How it Works
OOBA is a form of 2FA, and Push Authentication is a secure OOBA mechanism to validate the identity of the online service user. Push Authentication provides an efficient and professional way for service providers to authenticate the user of the service.
Push Authentication for mobile is an app installed on the mobile phone of the user. This ensures that the user has a valid connection from a network operator. When the user makes a log-in request on the service provider's portal or initiates a transaction request, the Push Authentication server installed at the service provider or its trusted service manager sends an authentication notification to the Authentication App installed on the mobile phone of the user. The user can be asked to provide log-in details for the app itself to see the notification, thereby ensuring 2FA. Once the user opens the app, they can clearly see the request details on the notification. These details include the request time and date, location, IP address, request type, etc. The user can then decide to accept or decline the request by a simple click of a button. This makes the process very convenient for the user and also guarantees a high degree of security. Consequently, the authentication server receives the input from the user and acts on it by granting or denying access.
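The request and approval flow described above, sketched as an added example (not Simage's code): the server records the request details, the app returns the user's decision bound to those details, and the server rejects forged, expired or replayed responses. The HMAC key shared at enrolment, the 60-second validity window and the names `PushAuthServer` and `sign_decision` are assumptions, not taken from the page.

```python
import hashlib
import hmac
import json
import secrets
import time

CHALLENGE_TTL = 60  # seconds a request stays answerable (assumed value)

def sign_decision(device_key, challenge, decision):
    """App side: bind the user's decision to the exact request details shown."""
    msg = json.dumps([challenge, decision], sort_keys=True).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

class PushAuthServer:
    def __init__(self):
        self.device_keys = {}  # user -> secret shared with the app at enrolment (assumed)
        self.pending = {}      # challenge id -> request details awaiting a decision

    def enroll(self, user):
        self.device_keys[user] = secrets.token_bytes(32)
        return self.device_keys[user]

    def create_challenge(self, user, request_type, ip, location, now=None):
        """Record the request details and return the copy pushed to the app."""
        now = time.time() if now is None else now
        challenge = {"id": secrets.token_hex(16), "user": user, "type": request_type,
                     "ip": ip, "location": location, "time": int(now)}
        self.pending[challenge["id"]] = challenge
        return dict(challenge)

    def verify_response(self, challenge_id, decision, tag, now=None):
        """Grant access only for a fresh, authentic, unreplayed 'accept'."""
        now = time.time() if now is None else now
        challenge = self.pending.get(challenge_id)
        if challenge is None:
            return "denied: unknown or already answered"
        if now - challenge["time"] > CHALLENGE_TTL:
            del self.pending[challenge_id]
            return "denied: expired"
        # Recompute over the server's own record, not over data the app sends back.
        expected = sign_decision(self.device_keys[challenge["user"]], challenge, decision)
        if not hmac.compare_digest(expected, tag):
            return "denied: bad tag"
        del self.pending[challenge_id]  # single use: a captured response cannot be replayed
        return "granted" if decision == "accept" else "denied: user declined"
```

Because the tag covers the request time, location, IP address and request type, an approval given for one request cannot be reused for another.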
Service Provider Benefits
Easy to implement and fast
No additional infrastructure or resources are required (authentication servers could be hosted at Simage)
Lower investment cost to provide the service
Better reputation and brand image
Increase customer base with secure and reliable services
End User Benefits
Mobile handset independent. The app can be made available for Android and iOS devices.
A highly secure authentication method
Undisputed reliability of services, anywhere, anytime
Convenient, fast and simple to use