How to Properly Leverage Mobile for Out-of-Band Authentication


In the wake of the most recent FFIEC guidance published in 2011, many financial institutions and service providers have undertaken very expensive and time-consuming projects to replace the traditional challenge questions and answers that they previously used as a security measure. One of the more popular solutions suggested as an alternative was to provide out-of-band authentication via a second independent device. Mobile phones were the natural fit as that independent device, since the typical consumer’s high usage of SMS texting would make it easy to incorporate into their banking routine.

Although SMS out-of-band and one-time passwords are not as user-friendly as challenge questions and answers, most out-of-band authentication system implementations were rolled out smoothly. But now that the mobile device is being used as a security-related authentication factor, it is fair to wonder how confident organizations can be that they are not sending authentication messages to a cybercriminal who has taken control of a device or account. In most cases, organizations probably don’t know if a user device is compromised, jail-broken, patched with the latest software to close known security holes, or has malicious apps installed.


With mobile malware continually on the rise, financial institutions need to make sure that their customers’ devices are safe from malware and other advanced persistent threats. So how can financial institutions verify this?

Today there are many security solutions available as add-on apps that your customers can install on their mobile devices. The functionalities provided by those apps range from safe browsing to antivirus programs. In order to encourage end users to install these add-on security apps, financial institutions have to run educational campaigns to promote them. The vendors that sell the apps usually provide all the marketing materials, which range from splash ads integrated within the online banking platform to e-mail campaigns. But even with that big marketing push, customer adoption of the apps usually only averages around 20-30%, and more often than you would hope or expect, customers delete them after a while in order to install the latest Flappy Bird copycat app instead.

To solve the problem of third-party apps having a low rate of user adoption, the future of enforced mobile device security will likely happen with very little involvement required by the consumer. One of the best ways to do this is to integrate security technologies into existing mobile banking apps. Many financial institutions already have mobile applications, and the recreation of these mobile footprints from scratch is time-consuming and difficult. However, if security technologies are embedded into an existing mobile banking app, organizations can focus their energy on driving mobile banking adoption. These security technologies are usually provided via open toolkits, APIs, and SDKs that reduce time to market, enhance existing infrastructure, and keep your organization flexible for the future, which is important when considering the rapid pace of technology changes in the mobile world.

In terms of security, the technologies that can be transparently deployed include threat intelligence, app behavioral analysis, device authentication, push notifications, and so on. At Easy Solutions, we are embracing these types of deployments, because we see them as the best and easiest way to provide banks with the visibility they need to make decisions, authenticate, or extend new features to customers, such as mobile payments, iBeacons, etc. One of our latest innovations allows banks to embed push notification technology within mobile banking apps, so that customers can securely approve online activities such as login and transaction requests or changes to their personal online profile on their mobile devices.
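To make the push-approval flow above concrete, here is an added sketch of the server side; it is not Easy Solutions' code or API. The class, the posture field names, the 120-second lifetime and the use of an HMAC over a per-device key provisioned at enrollment are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # seconds a push approval stays valid (assumed value)

def sign(key, cid, action):
    """Tag the app computes after the customer approves the action shown on screen."""
    msg = cid.encode() + b"\x00" + action.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class PushApprovals:
    """Hypothetical server side of an in-app push approval."""

    def __init__(self):
        self.device_keys = {}  # device_id -> secret provisioned at enrollment
        self.pending = {}      # challenge id -> (device_id, action, expires_at)

    def enroll(self, device_id):
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]  # handed to the app once

    def start(self, device_id, action, posture, now=None):
        """Open a challenge, or return None if the device should not be trusted."""
        now = time.time() if now is None else now
        if device_id not in self.device_keys:
            return None
        # Posture flags reported by the embedded SDK (field names are assumptions).
        if (posture.get("jailbroken") or posture.get("malicious_apps")
                or not posture.get("os_patched")):
            return None  # fall back to another channel instead of pushing
        cid = secrets.token_hex(16)
        self.pending[cid] = (device_id, action, now + CHALLENGE_TTL)
        return cid

    def finish(self, cid, tag, now=None):
        """Verify the app's response; each challenge can be answered only once."""
        now = time.time() if now is None else now
        entry = self.pending.pop(cid, None)  # consumed even if verification fails
        if entry is None:
            return False
        device_id, action, expires_at = entry
        if now > expires_at:
            return False
        # The tag covers the action the server stored, so an altered amount or
        # payee on the approval cannot verify.
        expected = sign(self.device_keys[device_id], cid, action)
        return hmac.compare_digest(expected, tag)
```

Because the posture check runs before any challenge is issued, a device flagged as jail-broken or unpatched never receives the approval request in the first place.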

If you would like to learn more about our embedded security technologies, please contact us at  or take a look at our website located at
