Preconditions

The ACS has defined, deployed, and communicated an OOB authentication process to the Cardholder.

The Issuer has a pre-established authentication process with the Cardholder using the OOB Authentication App, which is available as a web service or a mobile app and is accessed on any device or on a specific device, at the ACS’s preference.

Assumptions

The 3DS Requestor Website and the OOB Authentication App do not need to be on the same device.

Sequence Diagram

The Cardholder authenticates the transaction using an OOB Authentication App provided by the ACS.

  1. The Cardholder makes a purchase and proceeds to checkout.
  2. The 3DS Requestor initiates a 3DS authentication.
  3. The 3DS Server sends an AReq message.
  4. The ACS responds with an ARes message requesting a challenge.
  5. The 3DS Requestor proceeds with the challenge, opens an iframe in its checkout page and redirects to the ACS.
  6. The ACS provides the UI in the iframe and instructs the Cardholder to proceed with an OOB authentication.
  7. The Cardholder switches to the OOB App, which may be available on a Browser or as a mobile app, on the same or different device. The Cardholder completes the authentication with the OOB App as instructed by the ACS or authentication system provider. The OOB authentication is defined and controlled by the ACS, and thus falls outside the scope of the 3DS Specification.
  8. The Cardholder manually switches to the 3DS Requestor checkout page and selects the “Complete” button.
  9. The ACS sends the result of the authentication in the RReq message to the 3DS Server.
  10. After receiving the RRes message from the 3DS Server, the ACS sends a Final Challenge Response (CRes) message through the iframe to the 3DS Requestor to indicate the end of the challenge and the outcome of the authentication.
  11. The 3DS Requestor closes the iframe and updates the UI according to the outcome of the authentication and/or authorisation.

Note: In Step 9, the ACS may continue the challenge if the OOB authentication was not performed or if it failed, before sending the Final CRes message.

Note: Automation (URLs to and from the OOB Authentication App) of the OOB flow in the Browser channel is not possible.
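The message order in steps 3, 4, 9 and 10 can be checked mechanically. The following is an added example, not part of the specification: it audits a per-transaction message log so that a Final CRes arriving without a preceding RReq/RRes, or contradicting the RReq, is flagged instead of being trusted. The combined log, the transaction ids, the `CRes-continue`/`CRes-final` labels and the outcome strings are all assumptions made for the illustration.

```python
from collections import defaultdict

# Allowed next message at each point of the flow (steps 3, 4, 9 and 10 above).
# "CRes-continue" is a label made up for this example: the Note's case where
# the ACS continues the challenge instead of ending it.
NEXT = {
    None: {"AReq"},
    "AReq": {"ARes"},
    "ARes": {"CRes-continue", "RReq"},
    "CRes-continue": {"CRes-continue", "RReq"},
    "RReq": {"RRes"},
    "RRes": {"CRes-final"},
    "CRes-final": set(),
}

def audit(events):
    """Map transaction id -> findings for (id, message, outcome) tuples."""
    last, rreq_outcome, findings = {}, {}, defaultdict(list)
    for txn, msg, outcome in events:
        prev = last.get(txn)
        if msg not in NEXT.get(prev, set()):
            findings[txn].append(f"{msg} after {prev or 'start'} is out of order")
        if msg == "RReq":
            rreq_outcome[txn] = outcome
        # The final CRes must report the same outcome the RReq carried.
        if msg == "CRes-final" and rreq_outcome.get(txn) != outcome:
            findings[txn].append(
                f"final CRes says {outcome!r} but RReq said {rreq_outcome.get(txn)!r}")
        last[txn] = msg
    for txn, msg in last.items():
        if msg != "CRes-final":  # never reached step 10
            findings[txn].append(f"flow stopped at {msg}; not authenticated")
    return dict(findings)

# Constructed sample log (ids and outcome strings are invented):
# txn-1 follows the steps, txn-2 has a final CRes with no RReq/RRes before it,
# txn-3 has a final CRes that contradicts the RReq.
SAMPLE = [
    ("txn-1", "AReq", None), ("txn-1", "ARes", "challenge"),
    ("txn-1", "CRes-continue", None), ("txn-1", "RReq", "success"),
    ("txn-1", "RRes", None), ("txn-1", "CRes-final", "success"),
    ("txn-2", "AReq", None), ("txn-2", "ARes", "challenge"),
    ("txn-2", "CRes-final", "success"),
    ("txn-3", "AReq", None), ("txn-3", "ARes", "challenge"),
    ("txn-3", "RReq", "failure"), ("txn-3", "RRes", None),
    ("txn-3", "CRes-final", "success"),
]

for txn, problems in audit(SAMPLE).items():
    print(txn, problems)
```

A transaction with any finding should be handled as not authenticated, regardless of what the Cardholder selected in the checkout page.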

User Experience – Browser Flow