I've been going through the nrf mesh Provisioner SDK for android. It has predefined input and output oob models that is selected while provisioning.
Is it possible to design a vendor specific OOB implementation (preferably multistep authentication)
Currently output oobs are :
NO_OUTPUT((short) 0x0000), BLINK((short) 0x0001), BEEP((short) 0x0002), VIBRATE((short) 0x0004), OUTPUT_NUMERIC((short) 0x0008), OUTPUT_ALPHA_NUMERIC((short) 0x0010);
Is it okay to perhaps add a custom OOB to this (e.g. 0x1001)? If yes, will it be against any ble specifications?
My end goal is to ask the user three or more times whether the light is currently on or off. The firmware on the node is designed in house and modifiable to the requirements
The latest version of the Android sdk lets you pick whatever authentication method supported by the device. As far as I am aware the specification does not mention anything about custom authentication mechanisms, but you will have to check to be sure. If you think the authentication steps provided by the spec is not secure enough you may consider implementing your own. Also adding your own authentication methods will introduce a liability on your end for it to be secure. However you should also consider the usability point where you don't want to bog down the user making it way too complicated to setup these devices in my opinion setting up should be secure and faster.