OOB Authentication in Bluetooth® Mesh
Out-of-Band (OOB) authentication enhances Bluetooth® Mesh provisioning security by exchanging authentication data through a separate channel from the standard Bluetooth connection. This guide provides an overview of OOB methods and their implementation considerations for mesh product testing.
Why OOB Authentication Matters
Traditional Bluetooth® Mesh provisioning without OOB authentication is vulnerable to passive eavesdropping attacks [1]. OOB authentication provides cryptographic proof that both the provisioner and product have access to shared authentication data.
OOB Methods Overview
Certificate-Based (v1.1+): Uses X.509 digital certificates for authentication. Highest security level for remote provisioning and enterprise deployments.
Static OOB: Pre-shared secrets like QR codes, printed numbers, or NFC tags. High security (128-bit entropy) for production deployments and consumer products.
Input/Output OOB: Interactive methods where products display or accept numeric/alphanumeric values. Limited security (1-8 characters) for simple products with basic I/O.
No OOB: Uses an all-zeros AuthValue. No security; for development and testing only.
Technical Details
For detailed implementation requirements, refer to the Bluetooth® Mesh Protocol Specification [2].
Output OOB Actions
| Bit | Description | Data Type |
|---|---|---|
| 0 | Blink | Numeric |
| 1 | Beep | Numeric |
| 2 | Vibrate | Numeric |
| 3 | Output Numeric | Numeric |
| 4 | Output Alphanumeric | Alphanumeric |
| 5-15 | Reserved for Future Use | n/a |
Input OOB Actions
| Bit | Description | Data Type |
|---|---|---|
| 0 | Push | Numeric |
| 1 | Twist | Numeric |
| 2 | Input Numeric | Numeric |
| 3 | Input Alphanumeric | Alphanumeric |
| 4-15 | Reserved for Future Use | n/a |
Security Consideration
Numeric Input/Output OOB methods provide limited security due to low entropy. For production deployments, prefer Static OOB with 128-bit entropy or Certificate-Based provisioning when available [3].
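The following is an added example, not code from the specification or from this guide's authors: it decodes the 16-bit Output and Input OOB Action fields using the tables above, rejects reserved bits, and computes an upper bound on the entropy of each advertised method for comparison with the 128 bits of Static OOB. The function names and the 36-symbol alphanumeric alphabet (0-9, A-Z) are assumptions made for the example.

```python
import math

# Bit assignments copied from the Output/Input OOB Actions tables on this page.
OUTPUT_OOB_ACTIONS = {
    0: ("Blink", "Numeric"), 1: ("Beep", "Numeric"), 2: ("Vibrate", "Numeric"),
    3: ("Output Numeric", "Numeric"), 4: ("Output Alphanumeric", "Alphanumeric"),
}
INPUT_OOB_ACTIONS = {
    0: ("Push", "Numeric"), 1: ("Twist", "Numeric"),
    2: ("Input Numeric", "Numeric"), 3: ("Input Alphanumeric", "Alphanumeric"),
}
# Assumption, not stated on the page: alphanumeric values use 36 symbols (0-9, A-Z).
ALPHABET_SIZE = {"Numeric": 10, "Alphanumeric": 36}
STATIC_OOB_BITS = 128  # entropy the page gives for Static OOB


def decode_oob_actions(bitfield, table):
    """Return (description, data type) for each set bit; reject reserved bits."""
    if not 0 <= bitfield <= 0xFFFF:
        raise ValueError("OOB action field is 16 bits wide")
    known = sum(1 << bit for bit in table)
    if bitfield & ~known:
        raise ValueError(f"reserved bits set: {bitfield & ~known:#06x}")
    return [table[bit] for bit in sorted(table) if bitfield & (1 << bit)]


def max_entropy_bits(data_type, size):
    """Upper bound on AuthValue entropy for a value of `size` characters (1-8)."""
    if not 1 <= size <= 8:
        raise ValueError("OOB size must be 1-8 characters")
    return size * math.log2(ALPHABET_SIZE[data_type])


def audit_capabilities(output_bits, output_size, input_bits, input_size):
    """List every advertised I/O OOB action with its entropy bound and shortfall."""
    findings = []
    for direction, bits, size, table in (
        ("output", output_bits, output_size, OUTPUT_OOB_ACTIONS),
        ("input", input_bits, input_size, INPUT_OOB_ACTIONS),
    ):
        for name, data_type in decode_oob_actions(bits, table):
            bits_of_entropy = round(max_entropy_bits(data_type, size), 1)
            findings.append((direction, name, bits_of_entropy,
                             round(STATIC_OOB_BITS - bits_of_entropy, 1)))
    return findings


if __name__ == "__main__":
    # Constructed sample: Output Numeric (size 4) and Input Alphanumeric (size 8).
    for row in audit_capabilities(0x0008, 4, 0x0008, 8):
        print(row)
```

Even the largest case, an 8-character alphanumeric value, stays well under the 128-bit Static OOB figure, which is the gap the Security Consideration describes.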