Out-of-band Authentication
Not all Out-of-band is Out of Band
An Out-of-band authentication system is another layer of protection that institutions can use to protect user accounts from online fraud. Out-of-band authentication uses a communication path, the phone network, that is different from the path used to access the application or data. The phone also serves as another authentication factor: something you have.
But not all Out-of-band methods are out of band.
There are systems that deliver an OTP to the user’s phone as text by SMS, or by text-to-speech. The user then enters the OTP credential as the challenge response to access the application. Other systems deliver the OTP to the user’s email address. These systems use out-of-band for credential delivery to the user; the authentication (challenge response) is not out of band.
Systems that use a separate communication channel for the authentication itself challenge the user with a phone call. The user enters either a static PIN or an OTP on the phone, and it is sent over the phone network. The OTP can be displayed on the user’s screen, or can be a software OTP generated on the phone.
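The distinction comes down to which channel carries the challenge response. The following Python model is an added example, not IdMlogic's code: the `Verifier` class, the channel labels and the two flow functions are hypothetical names, and the messages are simulated in-process rather than sent over a real SMS or voice network.

```python
import hmac
import secrets

WEB, PHONE = "web", "phone"  # channel labels assumed for this example

class Verifier:
    """Hypothetical server that records the channel each message travels on."""
    def __init__(self, response_channel):
        self.response_channel = response_channel  # only channel accepted for the response
        self.pending = {}                         # session id -> expected OTP
        self.log = []                             # (kind, channel) per message

    def challenge(self, session_id, delivery_channel):
        otp = f"{secrets.randbelow(10**6):06d}"   # 6-digit OTP (length is an assumption)
        self.pending[session_id] = otp
        self.log.append(("deliver", delivery_channel))
        return otp

    def respond(self, session_id, channel, otp):
        expected = self.pending.get(session_id)
        ok = (expected is not None and channel == self.response_channel
              and hmac.compare_digest(expected, otp))
        if ok:
            del self.pending[session_id]          # OTP is single use
        self.log.append(("response" if ok else "rejected", channel))
        return ok

def classify(verifier, access_channel=WEB):
    """Compare the channels actually used with the application access channel."""
    sent = [ch for kind, ch in verifier.log if kind == "deliver"]
    answered = [ch for kind, ch in verifier.log if kind == "response"]
    return {
        "delivery_out_of_band": all(ch != access_channel for ch in sent),
        "authentication_out_of_band": all(ch != access_channel for ch in answered),
    }

def sms_otp_flow():
    """OTP delivered by SMS, then typed back into the web application."""
    v = Verifier(response_channel=WEB)
    otp = v.challenge("s1", delivery_channel=PHONE)
    return v.respond("s1", WEB, otp), classify(v)

def phone_call_flow():
    """OTP displayed on the user's screen, then keyed in during the phone call."""
    v = Verifier(response_channel=PHONE)
    otp = v.challenge("s2", delivery_channel=WEB)
    rejected = v.respond("s2", WEB, otp)    # correct OTP on the web path is refused
    accepted = v.respond("s2", PHONE, otp)  # same OTP on the phone path is accepted
    return rejected, accepted, classify(v)
```

In the phone-call flow the verifier refuses a correct OTP that arrives on the web path, which is the check that keeps the authentication step bound to the second channel.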
IdMlogic’s Service Oriented Authentication Architecture - SOA² supports a wide variety of Out-of-band authentication methods.