Cloud Software Authentication & Authorisation

An authorised representative can transition a software product to the new solution by entering the provider and product details below and certifying that the product meets the requirements stipulated below.

Authorised representative name (required)

Authorised representative position (required)

Authorised representative telephone (required)

Authorised representative email (required)

Software provider ABN (required)

Software provider name (required)

Product name

Product ID (ebMS) (required)

Declaration

I would like to transition the product listed above to the Cloud Software Authentication & Authorisation solution and I certify that my software product meets the requirements listed below:

My software product's terms and conditions will display the following declaration to my clients:
- "I acknowledge that [software provider name] , through the use of [software product name], is not providing an agent service and is not responsible for the preparation of any taxation, superannuation or other related documents on behalf of my business/entity. It can, however, submit transmissions (e.g. lodgements and prefill) through the SBR channel that my business/entity chooses to make through [software product name]."
My software will meet the following minimum user authorisation requirements:
- Upon authentication the software must recognise the role of the user (e.g. Authorised business representative or intermediary). This should determine what information the user is authorised to access and what functions they are able to undertake (for example must recognise the difference between an authorised representative and an intermediary).
My software product will meet the following Software ID requirements:
- A unique (read only) 'Software ID' must be provided to authorised users for each software subscription or instance of software via secured electronic communication (or over the phone)
- The software must ensure the unique 'Software ID' of the software subscription or instance of software is automatically sent within the message of a transmission (Software ID not manually entered by client).
My software will meet the following minimum user authentication standards:
- The pass phrase must include a minimum password length of 6 characters, consisting of at least two of the following character sets:
  - Lowercase alphabetic characters (a-z)
  - Uppercase alphabetic characters (A-Z)
  - Numeric characters (0-9)
  - Special characters
- Failed authentication attempts
  - Software developers must lock out user accounts after five failed log on attempts to reduce the risk of brute force attacks.
  - Software providers can implement a temporary lock out feature after five failed attempts (e.g. 10 minutes or 24 hours). Software developers must completely lock out the user account after a specific number of additional failed log on attempts (decided by the software developer).
  - Software must have a facility to allow authorised system administrators to reset locked accounts

Last updated: 5 September 2018

Last updated: 14 June 2021

Page ID: 11