Out-of-Band Authentication
Out-of-band authentication enhances security by utilizing a separate communication channel, or ‘band,’ to authenticate from the primary channel or device being used. This is opposed to “in-band authentication”: sending credentials over the same in-band channel, a separate independent “out-of-band” channel is used for an additional authentication step.
In simpler terms, out-of-band means that the authentication is independent of the device – so even if a device is compromised, the authentication is not.
iProov’s facial biometric solution leverages true out-of-band authentication. The authentication process happens in the cloud rather than on the user’s device itself. This separates the authentication plane from the device plane.
The benefits of this architecture include:
- Securing Against Compromised Devices: If an attacker gains full access to a user’s device, the out-of-band authentication process remains secure since the authentication is processed independently of the device; it is isolated from that compromised device.
- Avoiding In-Band Vulnerabilities: In-band authentication offers less security than perceived. For example, if an organization sends one-time passwords (OTPs) to that compromised mobile device to authenticate an individual, the OTP code is not actually providing any additional security. The bad actor can copy the email, authenticator, or SMS OTPs generated on that device because they’re sent to the device which the fraudster already has access. Access to the device grants access to the OTP. This is a critical vulnerability.
- Convenience for End User: Cloud-based biometric authentication enables you to deliver true out-of-band authentication without requiring the use of multiple devices. This maximizes convenience for the user compared to other user flows; imagine someone enters their password on their desktop but doesn’t have their phone with them (or loses their phone entirely) – they are completely locked out of the authentication process at this time, which will diminish success rates.
Crucial vulnerabilities remain if all authentication factors are still centralized on the same device. For example, If a user is buying something via a mobile app and the app provider sends an SMS code to that mobile device to verify the purchase, the SMS code is not actually providing any additional security—the code is being sent to the same device and is, therefore ‘in-band’. If the device has been compromised, the OTP is worthless.
iProov assumes that the device is not trusted and completes the authentication securely and privately in the cloud, so it is independent of the device being used. Even if a bad actor had full access to another’s device, the authentication process remains secure.
Organizations should take a comprehensive and multi-layered approach to security. The ideal scenario is to decentralize identity signals across multiple trusted sources – combining out-of-band authentication with biometrics and other signals collected independently from different channels under the monitoring of a security operations center.