Out-of-band Authentication

Organisations are rapidly expanding their use of electronic delivery channels such as the Internet beyond static information delivery to provide higher value transaction services for their customers and trading partners. These facilities enable users to make purchases, effect payments or bank transfers, and generally manage their commercial or personal affairs online.

With this increase in "value" of services delivered via electronic channels comes an increase in the risk that these channels will be compromised through malicious attack, potentially resulting in financial, privacy and reputational losses for one or both parties.

At greatest risk are the integrity and authenticity of payment authorisation instructions received via these channels, many of which are inherently insecure and exposed to a range of malware and interception attacks (for instance, malware in the browser altering a payee before the instruction is submitted).

Out-of-band authentication has been used for many years to mitigate the risk relating to instructions received by postal mail or facsimile being bogus or corrupted - for instance, a call to a customer from a bank manager verifying that a faxed payment instruction, purportedly signed by the customer, was in fact genuine.

The high transaction volumes supported by modern electronic channels and the time criticality of processing necessitate higher assurance and more automated and scalable approaches to such out-of-band authentication.

Critical requirements of a contemporary electronic out-of-band authentication mechanism are:

  • The authentication request must be sent to the authoriser via a channel independent from the one on which the original instruction was submitted, so that compromise of the submission channel alone cannot forge the authorisation
  • The authentication request should not rely upon the authoriser being at a particular location; the party could be anywhere in an electronic marketplace
  • The authentication request must be sent and received in real-time and the mechanism must support real-time responses
  • The authentication request and the resultant response must be high assurance such that in combination with controls over the original request, there is high trust in the integrity and veracity of the instruction
  • The authentication request should be unstructured and not bound to static layouts or content requirements, thereby enabling ongoing serviceability of the mechanism even in the event of changes in the underlying instruction structures

Salt mSign out-of-band authorisation utilises a mobile handset based application in conjunction with mobile network messaging to provide a convenient, high assurance solution that addresses all of the critical requirements of a contemporary electronic out-of-band authentication mechanism.

Authentication alerts are received over-the-air on the mobile handset; PIN entry reveals the authentication request and its associated Signature Code. The Signature Code is computed on the handset over the request as displayed, and the user returns it on the original channel to authenticate the transaction.

Salt mSign is readily deployable to support authentication of instructions initiated via the Internet, Tele Sales channels, Interactive Voice Response (IVR), Point of Sale (POS), Electronic Funds Transfer Point of Sale (EFTPOS), email or facsimile.

Transaction authentication requests are unstructured and 'free-format'; the handset computes the Signature Code over the request it received, so the user never has to re-key transaction details into a token to form the code.

Any sensitive application that runs on an untrusted platform such as a web browser or email, and at the same time relies on low-assurance authentication techniques, would benefit greatly from the introduction of Salt mSign out-of-band authentication.

Key Benefits

  • Assertion that what you SEE is what you SIGN
  • Signature code is generated cryptographically on the handset
  • Transaction authentication payload delivered over-the-air for approval
  • Payload is free format for total authentication-content and context flexibility
  • Eliminates user keying errors associated with standalone physical token devices
  • Mobile tokens are provisioned over the air, to anywhere in the world, with users up and running in minutes
  • Mobile tokens can be deployed on a broad range of mobile handsets and are independent of network technology or service provider
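The exchange described above (server pushes the free-format request to the handset, PIN entry reveals it, the handset derives a Signature Code bound to exactly what is displayed, and the server verifies the code returned on the original channel) can be modelled as follows. This is an added illustrative example, not Salt mSign or Thales code; the concrete construction (HMAC-SHA256 over a per-device key, a monotonic per-device counter and the displayed text, truncated to decimal digits) and all names are assumptions made for the example, and the in-memory dictionaries stand in for a provisioning database and a mobile messaging channel.

```python
"""Illustrative what-you-see-is-what-you-sign out-of-band authentication.
Added example, NOT the vendor's algorithm; the code construction below is
an assumption for illustration only."""
import hashlib
import hmac
import secrets
import struct

CODE_DIGITS = 8


def signature_code(device_key: bytes, counter: int, payload: str) -> str:
    """Signature Code over the exact free-format text shown to the user.

    The counter makes each request single-use, so a captured code cannot be
    replayed against a later request carrying the same text.
    """
    msg = struct.pack(">Q", counter) + payload.encode("utf-8")
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                  # RFC 4226 style truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class AuthServer:
    """Per-device keys (provisioned over the air) plus open requests."""

    def __init__(self):
        self._devices = {}   # user -> {"key": bytes, "counter": int}
        self._pending = {}   # request_id -> (user, payload, counter)

    def enrol(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self._devices[user] = {"key": key, "counter": 0}
        return key           # handed to the handset app during provisioning

    def request_authorisation(self, user: str, payload: str):
        """Channel 1 submitted `payload`; build the alert pushed on channel 2."""
        dev = self._devices[user]
        dev["counter"] += 1
        request_id = secrets.token_hex(8)
        self._pending[request_id] = (user, payload, dev["counter"])
        alert = {"request_id": request_id, "counter": dev["counter"], "payload": payload}
        return request_id, alert

    def verify(self, request_id: str, submitted_code: str) -> bool:
        """One-shot check of the code keyed back on channel 1."""
        entry = self._pending.pop(request_id, None)
        if entry is None:
            return False                                     # unknown, used, or expired
        user, payload, counter = entry
        expected = signature_code(self._devices[user]["key"], counter, payload)
        return hmac.compare_digest(expected, submitted_code)


class Handset:
    """Mobile token app. A local PIN hash gates display (simplification)."""

    def __init__(self, device_key: bytes, pin: str):
        self._key = device_key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._alert = None

    def receive_alert(self, message: dict) -> None:
        self._alert = message

    def open_alert(self, pin: str):
        """Return (displayed text, Signature Code); the code signs that text."""
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            raise PermissionError("wrong PIN")
        alert, self._alert = self._alert, None
        return alert["payload"], signature_code(self._key, alert["counter"], alert["payload"])


def demo() -> dict:
    """Genuine flow passes; replay fails; a code never authorises other text."""
    server = AuthServer()
    handset = Handset(server.enrol("alice"), pin="4711")
    genuine = "Pay AUD 1,250.00 to ACME Pty Ltd, BSB 123-456, acct 00012345"  # constructed

    rid, alert = server.request_authorisation("alice", genuine)
    handset.receive_alert(alert)
    shown, code = handset.open_alert("4711")
    genuine_ok = shown == genuine and server.verify(rid, code)
    replay_ok = server.verify(rid, code)                     # same code, second time

    # Browser malware swaps the payee: the handset shows the swapped text, so
    # the user declines; and a code produced for the genuine text cannot be
    # transplanted onto the tampered request.
    rid2, alert2 = server.request_authorisation("alice", genuine)
    handset.receive_alert(alert2)
    _, code2 = handset.open_alert("4711")
    tampered = genuine.replace("ACME Pty Ltd", "Mule Account")
    rid3, alert3 = server.request_authorisation("alice", tampered)
    shown3 = alert3["payload"]
    tampered_ok = server.verify(rid3, code2)
    return {"genuine": genuine_ok, "replay": replay_ok,
            "tampered": tampered_ok, "user_sees_tampered": shown3 == tampered}


if __name__ == "__main__":
    print(demo())
```

The two properties a practitioner should check in any such scheme are visible in `demo()`: the code is bound to the displayed text and to a counter, so neither replay nor transplanting a code onto a modified instruction verifies; and the text the user is asked to approve is the text the server actually received, so a browser-side substitution is exposed on the independent channel rather than hidden by it.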

Thales SafeSign Authentication Server

SafeSign Authentication Server is an identity and transaction authentication infrastructure service. It gives enterprises the assurance of operating a trusted central provisioning and authentication service, while leaving them free to adopt one or more of a range of user authentication mechanisms matched to the commercial risk of each service they offer electronically.

SafeSign supports PKI smart cards, EMV CAP, specialised tokens from Vasco, ActivIdentity and Thales, and Salt Mobile Tokens.