In-band authentication factors are identity signals that rely for their identity check on the same system that is requesting user authentication.
For example, a mobile SMS code sent to a user to enable a mobile app login is likely an in-band code, as the user will receive the SMS code on the same device on which they are authenticating. Proof of identity is being requested in order to use phone features, yet the "proof" of identity is being delivered to the very same phone. A similar situation may occur for one-time codes sent via email for desktop application logins, if the email message is being sent to an account commonly used with a desktop email client as is the case in many enterprise environments.
In-band authentication factors are generally regarded as inferior to out-of-band authentication factors, which are proofs of identity that do not arrive on or depend on the very same system that is requesting authentication.