OOB – Introduction

OOB authentication is a challenge activity that is completed outside of, but in parallel to, the 3DS flow. OOB authentication methods or implementations are not in scope of the 3DS Specification.

Benefits by actor

Merchant
  • Cardholder is used to the authentication process defined by the ACS, so there is less abandonment or failure
  • Automated App-to-App transfer between merchant and OOB apps when on the same device (App flow in 3DS version 2.3)
Issuer
  • Consistent authentication methods for cardholders
  • Simpler customer education and support
Cardholder
  • Similar user experience across all Merchants

Use Case Overview

During a challenge, the ACS directs the Cardholder to use a specific channel and application to authenticate the transaction, instead of using the 3DS challenge window to authenticate the Cardholder. For example, the Issuer requests the use of the mobile banking app to authenticate and validate the transaction.

The OOB flow depends on:

  • the 3DS Specification version;
  • the channel used by the Cardholder for the transaction and the channel used by the ACS for the authentication;
  • whether the OOB Authentication App is on the same device as the transaction – for an App- based transaction;
  • whether the transition from the 3DS Requestor checkout page to the OOB Authentication App, and the return, is manual or automated.

Table 3.1 below shows all the possible options and indicates whether automation of the transition between the merchant app and the OOB Authentication App is possible.

Table 3.1: OOB Authentication per Channel and Automation

Merchant Channel

OOB App Channel

Same Device

OOB App Transition Automation

Browser

Browser

Yes

No

Browser

App

Yes

No

App

Browser

Yes

No

App

App

Yes

2.2, 2.2 + Bridging Message Extension and 2.3.1

App/Browser

App/Browser

No

No

Note: This table assumes an implementation fully compliant with the 3DS Specification – in particular, the setting of the iframe for the challenge in the Browser flow, and the use of Universal App Link for the App flow.