Out of Band Authentication

How I rewrote the authentication process in online banking to make it more secure.

Overview

The credit union needed to support out of band authentication to protect their members’ accounts. The company that made the online banking product offered a module to enable out of band authentication, but it required out of band authentication for every sign-in attempt, which would be annoying to the users. It also did not have a way to whitelist certain IP addresses, so providers like Mint could not sign in to members’ accounts for account aggregation.

Luckily the system was so customizable that even the authentication process could be overridden. So I designed an entirely customized out of band process for the authentication flow.

Features

IP Address to Geolocation Database

My code used an IP address to location database to analyze the location the user would typically sign in from. If the location fell outside the area that the user would typically sign in from, it would trigger an out of band authentication request that would require the user to receive an SMS text message, voice phone call, or email with a code that would need to be entered on the website to sign in.

Code Expiration

For security, the code generated by the out of band process would expire after a system-configurable number of minutes.
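
One way to implement the expiring code described above, as an added example (not the code from the original project). It assumes .NET 6 or later, a six-digit code, single use, and a cap on wrong attempts; all type and member names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; every type and member name here is hypothetical.
public sealed class OutOfBandCode
{
    private readonly byte[] _hash;              // the code itself is never stored
    private readonly DateTimeOffset _expiresAt;
    private int _attemptsLeft;                  // assumption: wrong guesses are capped
    private bool _used;                         // assumption: a code works only once

    private OutOfBandCode(byte[] hash, DateTimeOffset expiresAt, int maxAttempts) =>
        (_hash, _expiresAt, _attemptsLeft) = (hash, expiresAt, maxAttempts);

    // 'lifetime' stands in for the system-configurable number of minutes.
    public static OutOfBandCode Issue(TimeSpan lifetime, DateTimeOffset now,
                                      out string code, int maxAttempts = 5)
    {
        // Cryptographic RNG, uniform over 000000-999999 (System.Random is predictable).
        code = RandomNumberGenerator.GetInt32(0, 1_000_000).ToString("D6");
        return new OutOfBandCode(Hash(code), now + lifetime, maxAttempts);
    }

    public bool Verify(string submitted, DateTimeOffset now)
    {
        if (_used || now >= _expiresAt || _attemptsLeft <= 0) return false;
        _attemptsLeft--;
        // Fixed-time comparison of equal-length hashes avoids a timing side channel.
        bool ok = CryptographicOperations.FixedTimeEquals(Hash(submitted ?? ""), _hash);
        if (ok) _used = true;
        return ok;
    }

    private static byte[] Hash(string s) => SHA256.HashData(Encoding.UTF8.GetBytes(s));
}

public static class Demo
{
    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        var pending = OutOfBandCode.Issue(TimeSpan.FromMinutes(10), now, out string code);
        Console.WriteLine(pending.Verify("12345", now));             // wrong length
        Console.WriteLine(pending.Verify(code, now.AddMinutes(11))); // past expiry
        Console.WriteLine(pending.Verify(code, now));                // valid, in time
        Console.WriteLine(pending.Verify(code, now));                // replay
    }
}
```

Passing the current time in as a parameter keeps the expiry check testable without waiting for the clock.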

Always On or As Required

Users could choose to have the out of band required every time they signed in for extra security. By default, to keep users from being frustrated by the feature, the system would only require an out of band request when it was necessary.

SMS, Voice, and Email Options

When an out of band authentication was required to sign in, the user could select which option they wanted to use to have the code delivered to them. The system could send a text message (SMS) to their phone, could call their phone, or could send an email. The phone numbers and email addresses were masked to only display enough information that the user would know which email address or phone number it was.

Twilio Integration

I used Twilio to deliver the SMS message or make the automated phone call to deliver the out of band code.

Support for Aggregators

The user could also select which third party aggregation services were allowed to access their account. This protected the credit union’s membership because, by default, third party aggregation services were blocked unless the user chose to allow them.

My Involvement

I was the only developer on this project. I worked with several employees at the credit union to gather requirements and test the system before moving it to production.

Results

The out of band authentication was very successful. The credit union had several compromised accounts (mostly due to members giving out their credentials to scammers) before the out of band process was created. After implementation, that number was reduced to almost zero.

It was in use for many years until the credit union transitioned to another online banking provider.

Technologies Used

C#, HTML5, CSS, JavaScript, ASP.NET, .NET, Razor, MVC, Visual Studio, Entity Framework, JSON, REST, Twilio, Git, Windows Server