Out-of-Band Authentication

With increasing regularity, attackers are figuring out ways to circumvent multi-factor authentication (MFA). One method of strengthening MFA is out-of-band authentication (OOB).

What is out-of-band authentication?

Out-of-band authentication refers to using separate communication channels from the channel that a user first used to sign in to verify a user’s identity prior to granting access. The likelihood of both communication channels is lower, reducing the risk of an attack.

How out-of-band authentication works

• The user initiates authentication, usually with a password, which is their first factor.
• A second factor is sent to or acquired by the user through a different communication channel. This might be a one-time password (OTP) sent via SMS, push notification sent to their mobile device, or a code acquired through an authenticator application.
• The user enters the OTP, clicks the push notification, or enters the code generated by the authenticator.
• Authentication is complete and access is granted.

Examples of out-of-band authentication

Most organizations and users are already familiar with out-of-band authentication through experience. Here are a few real-world examples:

• One-time passcode and push notifications: OTPs and push notifications are examples of OOB. SMS and mobile push notifications are the secondary channel.
• QR Codes with encrypted data: QR codes are becoming popular as an OOB method.
• Phone calls: Another OOB method involves the user entering a code after receiving a phone call or being asked to verify their login.
• Biometric authentication: A secondary device, like a fingerprint reader, is used to verify user identity.  

Security issues with out-of-band authentication

The risk to the organization depends on the type of OOB used. Biometric authentication is more secure than some other options. If an attacker has access to the user's phone or email account, they would be able to intercept an OTP.

Biometrics uses facial recognition and fingerprints to authenticate the user. These can’t be stolen and are stored in the device, making them far more secure than passwords.

With OTPs, push notifications, and phone calls, there’s always a level of trust that these codes are making it to the intended user. Modern cyberattackers can outsmart MFA using these weak factors. They divert the codes, execute a man-in-the-middle attack (MitM),or use push fatigue to trick users into sharing the information.

The Twilio hack is a perfect example. Attackers targeted employees through an SMS phishing attack, eventually tricking them into giving away their credentials, which allowed the hackers to gain access to sensitive systems.

How Beyond Identity can help

Beyond Identity eliminates passwords and uses cryptographic credentials (Universal Passkeys), which are immutable and tied to both the user and the device. As a result, the authentication process is more secure and simplified. Users don’t need a secondary device to confirm a login or to rely on other weak factors.

For network administrators, eliminating the password eliminates the attack vector used for more than 80% of cyberattacks. Utilizing cryptographic credentials removes the risk of man-in-the-middle, phishing, or SIM swapping attacks.

Our 100% cloud-native platform provides fine-grained, risk-based access control and analytics for improved security, auditing, and compliance. We’d love to show you how Beyond Identity can change how you think about modern authentication. Ask for a demo today.

‍