Summary

In authentication technology standards, verifier impersonation resistance is considered a requirement for the highest level of authentication assurance. However, existing authentication technologies focus on user authentication, so they have the limitation that they cannot explicitly verify service providers.

This Recommendation provides a framework for out-of-band server authentication using mobile devices, which resolves both the vulnerability to verifier impersonation and the user terminal dependency of existing authenticators. During the user authentication process, on any user terminal, it allows a user to provide user authentication information only after explicitly and independently verifying the service provider.