Reliance authentication

Last updated January 28, 2024

Reliance authentication is a part of the trust-based identity attribution process whereby a second entity relies upon the authentication processes put in place by a first entity. The second entity creates a further element that is unique and specific to its purpose, that can only be retrieved or accessed by the authentication processes of the first entity having first being met.

Reliance authentication can be achieved by one or more tokens with random characteristics being transmitted to a secure area controlled by the first entity, where such secure area is only accessible by the person authorised to use the account. The secure area may be an online banking portal, telephone banking system, or mobile banking application.

The token is often in the form of a single or plural of debit or credits to a financial account, where the numerical values of the debit or credits form the token, whose numeric value is to be confirmed by the account holder.

The token are retrieved by the cardholder accessing a secure area from the first entity's secure area, which is protected and accessible only by satisfying the first entity's authentication means. In the case of financial services, authentication to access the secure area normally includes multi-factor and in the SEPA would likely involve strong authentication.

The transmission and requirement to retrieve the token adds a further challenge and response factor to the overall authentication process when considered from the point of view of the second party, which generates and transmits the token.

The token may be generated by the second party dynamically, and can thus act as a one-time password.

The reliance authentication method has particular application with financial instruments such as credit cards, e-mandate and direct debit transactions, whereby a person may instigate a transaction on a financial instrument, however the financial instrument is not verified as belonging to that person until that person confirms the value of the token.

The reliance method often incorporates an out-of-band response means, once the tokens have been retrieved from the secure area.

How it is used

CAPTCHA is a response question that helps determine whether or not a user is a robot or not CAPTCHA wikibook.png — CAPTCHA is a response question that helps determine whether or not a user is a robot or not

Reliance authentication uses multi-step inputs to ensure that the user is not a fraud. Some examples include:

When using a credit card, swiping a magnetic stripe or inserting a chip followed by a signature (in some cases, the last four digits of the payment card number is taken).^[1]
Answering a CAPTCHA question to prove you are not a robot.
Security keys
Verifying an online account via SMS or email.
Time-based one-time password algorithm.

Legal basis

The introduction of strong customer authentication ^[2] for online payment transactions within the European Union now links a verified person to an account, where such person has been identified in accordance with statutory requirements prior to the account being opened. Reliance authentication makes use of pre-existing accounts, to piggyback further services upon those accounts, providing that the original source is 'reliable'.

The concept of reliability is a legal one derived from various anti money laundering (AML) / counter-terrorism funding (CTF) legislation in the USA,^[3] EU28,^[4] Australia,^[5] Singapore and New Zealand^[6] where second parties may place reliance on the customer due diligence process of the first party, where the first party is say a financial institution.

In the Australian legislation, 'reliance' is based upon section 38 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).

In the European Commission's Proposal for a Directive of the European Parliament and of the Council on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing, reliance is based upon Article 11(1)(a).

Reliance in the UK has a very specific meaning and relates to the process under Regulation 17 of the Money Laundering Regulations 2007. "Reliance" for the purpose of AML and "reliance authentication" are not the same, although both use similar concepts.

The Federal Financial Institutions Examination Council of the United States of America (FFIEC) issued "Authentication in an Internet Banking Environment", dated October 2005. Reliance authentication is outlined per the final paragraph of page 14.

Advantages

Advantages of reliance authentication methods are:

when used in conjunction with financial services, the identity of the customer has been verified in accordance with AML/CTF legal requirements upon the original account having been opened.
they reuse existing security that is already maintained (e.g. by financial institutions).
they use familiar and trusted sources. Accessing a financial account in order to retrieve the tokens (which are either credits or debits) is a familiar process to the account holder, and is often available via a variety of means including mobile, online, telephone banking and ATM access.
both processes use an in-band method to transmit the tokens, with an out-of-band response mechanism whereby the account holder re-keys in the token value to a new mobile, webpage or app. This mitigates man in the middle and boy in the browser attacks with regards to the token being intercepted.
they are a software solution, not requiring any additional hard tokens or complex integrations. Tokens are transmitted as part of the financial network, without the need for any dedicated new networks.
that they can be implemented without the involvement of the account issuing institution.

Disadvantages

The use of low cost chips as a reliance authentication device has led to easy targets for fraud and theft Smartcardpixelated.JPG — The use of low cost chips as a reliance authentication device has led to easy targets for fraud and theft

Disadvantages of reliance authentication methods are:

the reliance on low-cost authentication methods like computer chips, incite hackers to steal information.^[7]
the absence of effective tools to monitor fraud, particularly since the transition from magnetic stripes to computer chips.^[8]
extra time for admins to upload additional software and users to input their information.^[8]
its inability to support mobile devices.
poor password practices allow frauds to steal information from multiple platforms.^[7]

Related Research Articles

Electronic funds transfer at point of sale is an electronic payment system involving electronic funds transfers based on the use of payment cards, such as debit cards or credit cards, at payment terminals located at points of sale. EFTPOS technology was developed during the 1980s.

A smart card (SC), chip card, or integrated circuit card, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) chip. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Numerous nations have deployed smart cards throughout their populations.

Online banking, also known as internet banking, virtual banking, web banking or home banking, is a system that enables customers of a bank or other financial institution to conduct a range of financial transactions through the financial institution's website or mobile app. Since the early 2000s this has become the most common way that customers access their bank accounts.

Digital gold currency is a form of electronic money based on mass units of gold. It is a kind of representative money, like a US paper gold certificate at the time that these were exchangeable for gold on demand. The typical unit of account for such currency is linked to grams or troy ounces of gold, although other units such as the gold dinar are sometimes used. DGCs are backed by gold through unallocated or allocated gold storage.

Wire transfer, bank transfer, or credit transfer, is a method of electronic funds transfer from one person or entity to another. A wire transfer can be made from one bank account to another bank account, or through a transfer of cash at a cash office.

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

An e-commerce payment system facilitates the acceptance of electronic payment for offline transfer, also known as a subcomponent of electronic data interchange (EDI), e-commerce payment systems have become increasingly popular due to the widespread use of the internet-based shopping and banking.

Digital identity is the phrase referring to the data that computer systems use to represent external agents, which can be individuals, organizations, applications, or devices. For individuals, it involves an aggregation of personal data that is essential for facilitating automated access to digital services, confirming one's identity on the internet, and allowing digital systems to manage interactions between different parties. It is a component of a person's social identity in the digital realm, often referred to as their online identity.

A transaction authentication number (TAN) is used by some online banking services as a form of single use one-time passwords (OTPs) to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single-password authentication.

A direct debit or direct withdrawal is a financial transaction in which one organisation withdraws funds from a payer's bank account. Formally, the organisation that calls for the funds instructs their bank to collect an amount directly from another's bank account designated by the payer and pay those funds into a bank account designated by the payee. Before the payer's banker will allow the transaction to take place, the payer must have advised the bank that they have authorized the payee to directly draw the funds. It is also called pre-authorized debit (PAD) or pre-authorized payment (PAP). After the authorities are set up, the direct debit transactions are usually processed electronically.

Payment cards are part of a payment system issued by financial institutions, such as a bank, to a customer that enables its owner to access the funds in the customer's designated bank accounts, or through a credit account and make payments by electronic transfer with a payment terminal and access automated teller machines (ATMs). Such cards are known by a variety of names, including bank cards, ATM cards, client cards, key cards or cash cards.

3-D Secure is a protocol designed to be an additional security layer for online credit and debit card transactions. The name refers to the "three domains" which interact using the protocol: the merchant/acquirer domain, the issuer domain, and the interoperability domain.

An ATM card is a dedicated payment card card issued by a financial institution which enables a customer to access their financial accounts via its and others' automated teller machines (ATMs) and, in some countries, to make approved point of purchase retail transactions. ATM cards are not credit cards or debit cards, however most credit and debit cards can also act as ATM cards and that is the most common way that banks issue cards since the 2010s.

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

<span class="mw-page-title-main">SMS banking</span> Form of mobile banking

SMS banking' is a form of mobile banking. It is a facility used by some banks or other financial institutions to send messages to customers' mobile phones using SMS messaging, or a service provided by them which enables customers to perform some financial transactions using SMS.

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

An identity verification service is used by businesses to ensure that users or customers provide information that is associated with the identity of a real person. The service may verify the authenticity of physical identity documents such as a drivers license, passport, or a nationally issued identity document through documentary verification. Additionally, also involve the verification of identity information (fields) against independent and authoritative sources, such as a credit bureau or proprietary government data.

Online Banking ePayments (OBeP) is a type of payments network, developed by the banking industry in conjunction with technology providers. It is specifically designed to address the unique requirements of payments made via the Internet.

Google Pay is a mobile payment service developed by Google to power in-app, online, and in-person contactless purchases on mobile devices, enabling users to make payments with Android phones, tablets, or watches. Users can authenticate via a PIN, passcode, or biometrics such as 3D face scanning or fingerprint recognition.

References

↑ "The U.S. Adoption of Computer Chip Payment Cards: Implications for Payment Fraud" (PDF). www.kansascityfed.org.
↑ "ECB releases final Recommendations for the security of internet payments and starts public consultation on payment account access services". 31 January 2013.
↑ "Bank Secrecy Act/Anti-Money Laundering Examination Manual" (PDF). Federal Financial Institutions Examination Council. 2006. Retrieved 2022-02-18.
↑ "EUR-Lex - 52013PC0045 - EN - EUR-Lex".
↑ "Anti-Money Laundering and Counter-Terrorism Financing Act 2006". Comlaw.gov.au. Retrieved 2022-02-18.
↑ "AML/CFT Act and Regulations - dia.govt.nz". Archived from the original on 2013-10-04. Retrieved 2013-10-01.
1 2 Holm, Eric (23 March 2014). "Social networking and identity theft in the digital society".
1 2 "Two-Factor Authentication for Beginners". 24 June 2021.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[:0-1] "The U.S. Adoption of Computer Chip Payment Cards: Implications for Payment Fraud" (PDF). www.kansascityfed.org.

[2] "ECB releases final Recommendations for the security of internet payments and starts public consultation on payment account access services". 31 January 2013.

[3] "Bank Secrecy Act/Anti-Money Laundering Examination Manual" (PDF). Federal Financial Institutions Examination Council. 2006. Retrieved 2022-02-18.

[4] "EUR-Lex - 52013PC0045 - EN - EUR-Lex".

[5] "Anti-Money Laundering and Counter-Terrorism Financing Act 2006". Comlaw.gov.au. Retrieved 2022-02-18.

[6] "AML/CFT Act and Regulations - dia.govt.nz". Archived from the original on 2013-10-04. Retrieved 2013-10-01.

[:1-7] 1 2 Holm, Eric (23 March 2014). "Social networking and identity theft in the digital society".

[:2-8] 1 2 "Two-Factor Authentication for Beginners". 24 June 2021.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]