Exploring Out of Band Authentication in EMVCo 3D Secure 2.0

Out of band (OOB) authentication is an authentication mechanism in which the verification signal travels over a second channel or network, separate from the one on which the transaction was initiated. The objective of an OOB implementation is to defeat attackers and fraudulent users who have gained access to only one of those channels. Within online banking, OOB authentication has been shown to reduce incidents such as data breaches, database compromise, phishing, identity theft and account hijacking.

In an enterprise setting, an out of band channel meets its security objective by triggering a secondary verification request over that separate channel. The premise is that even if a fraudulent user gains access to one channel, the additional layer of protection still safeguards the infrastructure.

OOB Authentication and eCommerce

Online transactions are protected from fraud when a customer who wishes to complete a transaction is sent a one-time password to a registered phone number. Even if a fraudulent party has gained access to the online interface, the inability to access the mobile device makes it impossible for the fraudulent transaction to be completed. However, in certain cases an out of band scheme can be undermined if the attacker uses a sophisticated method of intercepting messages on the 3G or 4G wireless network.

Nonetheless, this method, as integrated within the EMVCo 3D Secure protocol, has proven to be highly effective at safeguarding users. More specifically, the interaction of components such as the 3DS Client, 3DS Server, Directory Server (DS) and Access Control Server (ACS) is what makes the security goals achievable. By introducing a stronger authentication process, EMVCo 3D Secure stands out as an advanced framework for protecting users against malicious activity. Out of band authentication continues to be refined to optimise the user experience and to develop more sophisticated mechanisms for protection and compliance. EMVCo 3D Secure is a mature example of this technology, and it has delivered good outcomes for both cardholders and card issuers as external security threats continue to emerge.

OOB Authentication Flow in 3DS2

The out of band authentication flow has been revamped in 3DS2 in comparison with previous versions. The process itself is an interaction between four primary components: [1] the 3DS Client (further categorised into the 3DS SDK and the 3DS Method), [2] the 3DS Server, [3] the Directory Server (DS) and [4] the Access Control Server (ACS).

In the first step the cardholder initiates a checkout with the purchase information, which prompts the 3DS-enabled app to request, and accordingly return, the 3DS data. A call is then placed to the 3DS Server and the authentication request is passed on to the Directory Server (DS) and, subsequently, the Access Control Server (ACS), which generates an authentication response.

Accordingly, the 3DS challenge request is set up and created after the sender has been validated by the OOB service. The challenge response triggers the display of a message to the cardholder, and the challenge is completed when the request is submitted back to the 3DS Server and passes through the DS and the ACS. The OOB service then determines whether a repeat challenge is required, and the results request passes through the ACS, DS and 3DS Server until it is received and logged by the OOB service, at which point a final challenge response is issued to close the 3DS challenge. The app response then ends along with the process.

In some cases a consumer may take some time to complete the OOB authentication, and it is important for the SDK to account for this. The SDK timeout mechanism should therefore be set accordingly, so that the consumer is not cut off mid-authentication and the entire process completes seamlessly.
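The challenge loop described above, including the repeat-challenge decision and the SDK timeout, as an added simulation that is not part of the original article or of any EMVCo or vendor code. The CReq/CRes field names follow the EMVCo 3DS 2.x message specification; `SimulatedAcs`, `run_oob_challenge`, the five-minute `CHALLENGE_TIMEOUT_SEC` and the transaction IDs are constructed for this example.

```python
import time

CHALLENGE_TIMEOUT_SEC = 5 * 60  # assumed SDK challenge timeout; configurable in a real SDK


class SimulatedAcs:
    """Stand-in for an issuer ACS whose OOB service records cardholder confirmations.
    Constructed for this example; a real ACS is a separate issuer-side system."""

    def __init__(self, acs_trans_id, repeat_challenges=1):
        self.acs_trans_id = acs_trans_id
        self.pending = repeat_challenges + 1   # first OOB challenge plus any repeats
        self.oob_confirmed = False

    def cardholder_confirms_in_banking_app(self):
        # The OOB channel (e.g. a push notification into the issuer's app) lands here.
        self.oob_confirmed = True

    def handle_creq(self, creq):
        cres = {"messageType": "CRes", "messageVersion": "2.2.0",
                "threeDSServerTransID": creq["threeDSServerTransID"],
                "acsTransID": self.acs_trans_id}
        # Only an oobContinue CReq backed by a real OOB confirmation advances the flow.
        if creq.get("oobContinue") and self.oob_confirmed:
            self.oob_confirmed = False
            self.pending -= 1
        if self.pending == 0:
            cres.update(challengeCompletionInd="Y", transStatus="Y")
        else:
            cres.update(challengeCompletionInd="N", acsUiType="04")  # 04 = OOB UI
        return cres


def run_oob_challenge(acs, server_trans_id, cardholder_confirms, clock=time.monotonic):
    """3DS SDK side: drive the CReq/CRes loop until the ACS reports completion or the
    SDK timeout expires. `cardholder_confirms` is called while the OOB screen is shown."""
    deadline = clock() + CHALLENGE_TIMEOUT_SEC
    creq = {"messageType": "CReq", "messageVersion": "2.2.0",
            "threeDSServerTransID": server_trans_id, "acsTransID": acs.acs_trans_id}
    exchanges = []
    while True:
        cres = acs.handle_creq(creq)
        exchanges.append((creq, cres))
        if cres["challengeCompletionInd"] == "Y":
            return {"outcome": "authenticated", "transStatus": cres["transStatus"],
                    "exchanges": exchanges}
        if clock() > deadline:
            # A real SDK reports this to the 3DS Server as a cancelled challenge.
            return {"outcome": "timed_out", "transStatus": None, "exchanges": exchanges}
        cardholder_confirms(acs)                 # cardholder acts in the OOB channel
        creq = {**creq, "oobContinue": True}     # cardholder tapped Continue in the SDK UI
```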

Benefits of OOB Authentication

As noted previously, OOB authentication is regarded as one of the most effective methods for preventing fraud, especially for online banking transactions, where users are at particular risk of hacking and phishing.

The key benefit of OOB authentication in 3DS2 from the issuer's point of view is full control over the choice of cardholder authentication method. Issuers can select from a variety of methods, depending on how they wish to design their service, including biometric authentication – fingerprint, voice and facial recognition – as well as tokens and passwords delivered via SMS or email.

Within this framework, the ACS, which is managed by the card issuer, is responsible for determining whether 3D Secure authentication is available for a specific card number. The ACS carries out the OOB interaction with the cardholder directly instead of interacting with the cardholder through the 3DS SDK. During the OOB authentication, the cardholder sends an authentication signal either to the ACS itself or to an issuer system that communicates with the ACS.

From the OOB interaction with the cardholder, the ACS learns whether the authentication succeeded. One example is a push notification: the OOB communication prompts the issuer's app to complete the authentication and deliver the result to the ACS.

The Bottom Line

The numerous benefits of OOB authentication in terms of convenience, reliability and communication make it an ideal choice to protect users while providing card issuers with the ability to customise their services depending upon their preferences. In 3DS2, the process of OOB authentication undergoes a series of verification steps, challenges and responses to safeguard users in the best way possible.

In comparison with previous 3DS versions, it is indeed a superior framework to support seamless and frictionless online transactions via browsers or applications. The protocols utilised in the development of this framework are not only robust and secure but also user-friendly.