Out-of-band authentication is a process in which one party in a communication session verifies the identity of another party by sending a message outside of the established session to the party with whom they believe they are communicating and confirming that the other party in the session received the message. For example, if a person is participating in an instant messaging (IM) chat with someone they believe is a particular friend, the person may call their friend's telephone to ask whether that friend is indeed the other party in the IM session. In this example, the IM session represents the established interaction and the telephone call represents an out-of-band (also called out-of-network) authentication process. As another example, an online retailer may request that a financial institution (e.g., a credit-card issuing bank) verify that a certain payment is actually being made by the owner of a certain payment account. In that case, the payment processor may send a verification code to the account owner (e.g., through email), and the retailer may require that the same code be entered on their website before accepting payment.
A problem, recognized by the present inventor, is that current out-of-band authentication schemes require the second party to perform particular actions in response to receiving the out-of-band communication. For instance, in the IM session example, the authentication required that the friend answer their phone and confirm their presence in the session. In the online retailer example, the owner would need to check their email and enter a verification code in order to complete their purchase. Requiring such specific second-party interaction, however, can be slow and imprecise, in addition to being potentially annoying to the second party.
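The verification-code exchange from the online retailer example, as an added Python illustration that is not part of the original text: a code is sent outside the retailer session and must be entered back into it. The class name, the delivery callback, the 5-minute lifetime and the 3-attempt limit are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3         # assumed retry limit

class OutOfBandVerifier:
    """Issuer side: creates a code, sends it out of band, checks what comes back."""
    def __init__(self, send_out_of_band, clock=time.time):
        self._send = send_out_of_band   # hypothetical delivery callback, e.g. email
        self._clock = clock
        self._pending = {}              # payment_id -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(payment_id, code):
        # Bind the code to one payment so it cannot be reused for another.
        return hashlib.sha256(f"{payment_id}:{code}".encode()).digest()

    def start(self, payment_id, owner_address):
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        self._pending[payment_id] = [self._digest(payment_id, code),
                                     self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send(owner_address, code)            # travels outside the retailer session

    def confirm(self, payment_id, submitted_code):
        entry = self._pending.get(payment_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[payment_id]          # expired or locked out
            return False
        entry[2] -= 1
        if hmac.compare_digest(digest, self._digest(payment_id, submitted_code)):
            del self._pending[payment_id]          # single use
            return True
        return False

def demo():
    inbox = {}   # constructed stand-in for the account owner's mailbox
    verifier = OutOfBandVerifier(lambda addr, code: inbox.__setitem__(addr, code))
    verifier.start("pay-001", "owner@example.com")
    wrong = verifier.confirm("pay-001", "not-it")
    right = verifier.confirm("pay-001", inbox["owner@example.com"])
    replay = verifier.confirm("pay-001", inbox["owner@example.com"])
    return wrong, right, replay

if __name__ == "__main__":
    print(demo())
```

The read from `inbox` inside `demo()` stands in for the second-party action the passage describes: the payment cannot be confirmed until the account owner retrieves the code and enters it.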