Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Reliance authentication
open-in-new
<h2 id="how-it-is-used">How it is used</h2> <p>Reliance authentication uses multi-step inputs to ensure that the user is not a fraud. Some examples include: </p> <ul><li>When using a credit card, swiping a magnetic stripe or inserting a chip followed by a signature (in some cases, the last four digits of the payment card number is taken).<a class="footnote-ref" id="fnref:1" href="#fn:1"><sup>1</sup></a></li> <li>Answering a <a href="/facts/CAPTCHA/3sIyVjTk">CAPTCHA</a> question to prove you are not a robot.</li> <li>Security keys</li> <li>Verifying an online account via SMS or email.</li> <li>Time-based <a href="/facts/One-time_password/4u0a4vgk">one-time password</a> algorithm.</li></ul> <h2 id="legal-basis">Legal basis</h2> <p>The introduction of strong customer authentication<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a> for online payment transactions within the European Union now links a verified person to an account, where such person has been identified in accordance with statutory requirements prior to the account being opened. Reliance authentication makes use of pre-existing accounts, to piggyback further services upon those accounts, providing that the original source is 'reliable'. </p><p>The concept of reliability is a legal one derived from various anti money laundering (AML) / counter-terrorism funding (CTF) legislation in the USA,<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> EU28,<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> Australia,<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> Singapore and New Zealand<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> where second parties may place reliance on the customer due diligence process of the first party, where the first party is say a financial institution. </p><p>In the Australian legislation, 'reliance' is based upon section 38 of the <i>Anti-Money Laundering and Counter-Terrorism Financing Act 2006</i> (Cth). </p><p>In the European Commission's <i>Proposal for a Directive of the European Parliament and of the Council on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing</i>, reliance is based upon Article 11(1)(a). </p><p>Reliance in the UK has a very specific meaning and relates to the process under Regulation 17 of the <a href="http://www.legislation.gov.uk/uksi/2007/2157/contents/made">Money Laundering Regulations 2007</a>. "Reliance" for the purpose of AML and "reliance authentication" are not the same, although both use similar concepts. </p><p>The Federal Financial Institutions Examination Council of the United States of America (<a href="/facts/FFIEC/Sp9yPw1C">FFIEC</a>) issued <a href="https://www.ffiec.gov/pdf/authentication_guidance.pdf">"Authentication in an Internet Banking Environment"</a>, dated October 2005. Reliance authentication is outlined per the final paragraph of page 14. </p> <h2 id="advantages">Advantages</h2> <p>Advantages of reliance authentication methods are: </p> <ul><li>when used in conjunction with financial services, the identity of the customer has been verified in accordance with AML/CTF legal requirements upon the original account having been opened.</li> <li>they reuse existing security that is already maintained (e.g. by financial institutions).</li> <li>they use familiar and trusted sources. Accessing a financial account in order to retrieve the tokens (which are either credits or debits) is a familiar process to the account holder, and is often available via a variety of means including mobile, online, telephone banking and ATM access.</li> <li>both processes use an in-band method to transmit the tokens, with an out-of-band response mechanism whereby the account holder re-keys in the token value to a new mobile, webpage or app. This mitigates man in the middle and boy in the browser attacks with regards to the token being intercepted.</li> <li>they are a software solution, not requiring any additional hard tokens or complex integrations. Tokens are transmitted as part of the financial network, without the need for any dedicated new networks.</li> <li>that they can be implemented without the involvement of the account issuing institution.</li></ul> <h2 id="disadvantages">Disadvantages</h2> <p>Disadvantages of reliance authentication methods are: </p> <ul><li>the reliance on low-cost authentication methods like computer chips, incite hackers to steal information.<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a></li> <li>the absence of effective tools to monitor fraud, particularly since the transition from magnetic stripes to computer chips.<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a></li> <li>extra time for admins to upload additional software and users to input their information.<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a></li> <li>its inability to support mobile devices.</li> <li>poor password practices allow frauds to steal information from multiple platforms.<a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a></li></ul> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Authentication/64y4S69b">Authentication</a></li> <li><a href="/facts/Mutual_authentication/EYIuxstu">Mutual authentication</a></li> <li><a href="/facts/One-time_password/4u0a4vgk">One-time password</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"The U.S. Adoption of Computer Chip Payment Cards: Implications for Payment Fraud" (PDF). www.kansascityfed.org. <a href="https://www.kansascityfed.org/publicat/econrev/pdf/13q1Sullivan.pdf" target="_blank">https://www.kansascityfed.org/publicat/econrev/pdf/13q1Sullivan.pdf</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"ECB releases final Recommendations for the security of internet payments and starts public consultation on payment account access services". 31 January 2013. <a href="http://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html" target="_blank">http://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"Bank Secrecy Act/Anti-Money Laundering Examination Manual" (PDF). Federal Financial Institutions Examination Council. 2006. Retrieved 2022-02-18. <a href="https://www.ffiec.gov/pdf/bsa_aml_examination_manual2006.pdf" target="_blank">https://www.ffiec.gov/pdf/bsa_aml_examination_manual2006.pdf</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"EUR-Lex - 52013PC0045 - EN - EUR-Lex". <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52013PC0045:EN:NOT" target="_blank">http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:52013PC0045:EN:NOT</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>"Anti-Money Laundering and Counter-Terrorism Financing Act 2006". Comlaw.gov.au. Retrieved 2022-02-18. <a href="http://www.comlaw.gov.au/Details/C2013C00371" target="_blank">http://www.comlaw.gov.au/Details/C2013C00371</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>"AML/CFT Act and Regulations - dia.govt.nz". Archived from the original on 2013-10-04. Retrieved 2013-10-01. <a href="https://web.archive.org/web/20131004212749/http://www.dia.govt.nz/diawebsite.nsf/wpg_URL/Services-Anti-Money-Laundering-AMLCFT-Act-and-Regulations" target="_blank">https://web.archive.org/web/20131004212749/http://www.dia.govt.nz/diawebsite.nsf/wpg_URL/Services-Anti-Money-Laundering-AMLCFT-Act-and-Regulations</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>Holm, Eric (23 March 2014). "Social networking and identity theft in the digital society". <a href="https://www.academia.edu/34026412" target="_blank">https://www.academia.edu/34026412</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>"Two-Factor Authentication for Beginners". 24 June 2021. <a href="https://medium.com/@mshelton/two-factor-authentication-for-beginners-b29b0eec07d7" target="_blank">https://medium.com/@mshelton/two-factor-authentication-for-beginners-b29b0eec07d7</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>"Two-Factor Authentication for Beginners". 24 June 2021. <a href="https://medium.com/@mshelton/two-factor-authentication-for-beginners-b29b0eec07d7" target="_blank">https://medium.com/@mshelton/two-factor-authentication-for-beginners-b29b0eec07d7</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>Holm, Eric (23 March 2014). "Social networking and identity theft in the digital society". <a href="https://www.academia.edu/34026412" target="_blank">https://www.academia.edu/34026412</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> </ol>