
Vendor News

Choosing the right architecture to establish and maintain a user session with the “authentic” user.

29 March 2021

The purpose of this blog is to examine the issues related to a Relying Party (RP) authenticating a user, establishing a user session with that user, and then maintaining confidence that the user at the other end of the session (the endpoint) continues to be the “authentic user” for the duration of the user session. We start from the premise that asymmetric-key-based authentication is superior to other methods such as SMS text and OTP.

With an out-of-band authentication channel, the authentication is done on a channel separate from the one that will be used to access the RP's service. A common example is an out-of-band channel to a phone to authenticate a user who is accessing a web site from a web browser on their laptop. The out-of-band authentication channel has an inherent architectural incorrectness because it is separate from the user session that will be used to access the service. The authentication must be tightly bound to the authentic user and the RP, but attackers can find ways to break that association when an out-of-band authentication channel is used.
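The session binding the post argues for, as an added illustration in Go that is not WinMagic's code or product: the RP issues a nonce for one specific session, the endpoint signs a challenge derived from that session ID and nonce with its private key, and the RP verifies the signature against the registered public key, so a signature cannot be moved to another session the way an unbound out-of-band code can. The session IDs, nonce and binding label are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sessionChallenge derives what the endpoint must sign from the RP's random
// nonce AND the session it was issued for, so that a signature for one session
// is worthless in any other. The label is a constructed domain separator.
func sessionChallenge(sessionID string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-rp-session-binding|"))
	h.Write([]byte(sessionID))
	h.Write([]byte{'|'})
	h.Write(nonce)
	return h.Sum(nil)
}

// endpointSign runs on the user's device; the private key never leaves it.
func endpointSign(priv ed25519.PrivateKey, sessionID string, nonce []byte) []byte {
	return ed25519.Sign(priv, sessionChallenge(sessionID, nonce))
}

// rpVerify checks the signature against the key registered for the user and
// against the session the RP actually issued the nonce for. An out-of-band
// code carries no such reference to the session, which is the gap the post
// describes.
func rpVerify(pub ed25519.PublicKey, sessionID string, nonce, sig []byte) error {
	if !ed25519.Verify(pub, sessionChallenge(sessionID, nonce), sig) {
		return errors.New("signature does not bind this user key to this session")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // registered at enrollment
	nonce := make([]byte, 32)
	rand.Read(nonce)
	sig := endpointSign(priv, "sess-A", nonce)
	fmt.Println("same session:  ", rpVerify(pub, "sess-A", nonce, sig))
	fmt.Println("other session: ", rpVerify(pub, "sess-B", nonce, sig))
}
```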