Noting Paper 280: The CX of Authentication Uplift

[CDR-CX-Stream]

Following the Government’s response to the Inquiry into Future Directions for the CDR, as well as the Independent Information Security Review, the Data Standards Body (DSB) is now conducting Consumer Experience (CX) research to inform which authentication approaches should be supported by the technical and CX standards.

The purpose of this noting paper is to share the DSB’s general CX research approach to authentication uplift with the community. We invite community feedback on this work and recommend you read this noting paper if you would like to: • Provide views on the preliminary scope and priorities for authentication uplift • Suggest other authentication approaches for the DSB to consider • Comment on the general approach to CX assessment of authentication approaches

This paper and consultation will not delve into technical considerations. It focuses on CX research goals and the preliminary scope for authentication uplift, as well as various methods, measures, and metrics being used to assess alternative authentication approaches.

While this paper centres on CX research, the preliminary scope and focus will inform the general scope for CDR authentication uplift. Given the DSB is prioritising authentication uplift as foundational to future CDR expansion including action initiation, community feedback is invited on the preliminary scope and priorities for authentication uplift, as well as any other issues or items that the DSB should consider.

Noting Paper 280 on the CX of Authentication Uplift can be found below: Noting paper 280 - CX of Authentication Uplift.pdf

The community is invited to provide feedback on this paper by Friday ~27 January~ 10 February 2023.

---

Edit: Consultation extended to 10 Feb following community requests

[CDR-CX-Stream]

Noting Paper 280 on the CX of Authentication Uplift has now been posted and can be found in the original post.

While this paper centres on CX research, the preliminary scope and focus will inform the general scope for CDR authentication uplift.

Feedback is invited by Friday 27 January 2022.

[kristyTPGT]

TPGT appreciates the opportunity to provide feedback in relation to Noting Paper 280, however, we would like to request an extension be provided until Friday 10 February to allow for key stakeholders to be able to participate in the response.

[perlboy]

Performing CX research on authentication in isolation from the information security and implementation impacts will result in a potential disconnection from the technical reality. This has already been demonstrated in the course grained scopes, collapsed scopes and fine grained access disclosure variability between the Standards, CX Guidelines and Rules. If nothing else my feedback would be that CX learn from the mistakes of the past so implementers aren't, once again, in a conflict between DSB guidance and Rules.

Additionally, this is a noting paper so there is no actual scope to alter the DSBs approach. Nonetheless I would note that it's a bit rich to publish a paper containing some fairly complex and far reaching research techniques over a holiday break and call it "consultation". On this basis the request of TPGT seems reasonable.

[CDR-CX-Stream]

This consultation will be extended to Friday 10 February in response to community requests.

[CDR-CX-Stream]

Thanks for your comments @perlboy

This noting paper was developed following requests from members of the Data Standards Advisory Committee. The aim was to relay how the DSB are approaching CX research on authentication, but also to provide a channel for the community to comment on the initial scope.

The DSB's CX and technical teams worked together on this paper to facilitate alignment. It was published as early as possible once that had been achieved, but we acknowledge the difficulties of consulting in the December-January period. The feedback window has now been extended.

The purpose of this noting paper is to allow the community to provide early input, and we welcome views on any disconnects or negative implications that may have been missed.

[kristyTPGT]

TPG Telecom is supportive of the authentication review and agrees with the findings of the Independent Security review that the current OTP method does not meet minimum security requirements. We do not see value in augmenting the current OTP process and believe that the other authentication methods in scope should be considered. The Standards should be updated to provide minimum security requirements for authentication, rather than explicitly prescribing fixed method/s. This is particularly relevant for the Telco sector, as we are already governed by the Telecommunications Service Provider (Customer Identity Authentication) Determination 2022, which outlines how Telcos must undertake Multi-Factor Authentication for high-risk transactions. The Standards should seek to specify the baseline requirement of a framework for authentication that includes:

• a focus on desired outcomes (rather than process);
• an awareness of the effect of other relevant regulatory requirements;
• allows flexibility in how and when businesses use additional authentication measures, to maintain best practices in a constantly evolving security environment;
• provides easy-to-use, flexible approaches to authentication in recognition that one size fits all approaches will impact accessibility for vulnerable consumers; and
• to allow for the expected move towards Action Initiation / Right access in the CDR.

[anzbankau]

Thank you for the opportunity to provide feedback. We are broadly supportive of the proposal and note the following for consideration:

• Scope to include CX consideration for action initiation and particularly payment initiation. Ideally payments patterns should be resolved before locking down authentication patterns or risk rework. We support a holistic and consistent approach to CX authentication across the breadth of CDR.
• As per previous submissions, the desired action initiation obligation and liability framework may influence preferred security approaches between payment initiators and service providers. As per previous point, A.I. patterns should be an input to CX authentication uplift.
• The security review conducted in 2022 highlighted that the 'current approach to CDR authentication does not meet minimum security requirements'. Is that specific to SMS OTP and not other forms of OTP?
• Will consideration extend to the mooted “expansion of the Digital Identity System” (Statutory Review of the Consumer Data Right Issues paper, Kelly E. March 2022) and its potential impacts to CX? Related point, has a central registry pattern for consumer authentication been considered in light of action initiation complexities? What has the UK experience been and are there lessons we can implement?
• No mechanism exists to ensure that information shared/actions fulfilled by the DH on behalf of a consumer actually relates to the same consumer on the ADR/payment initiator, i.e.:
  • Person A uses Person B’s phone and username to share account data/make payment from Person B’s account without their knowledge (Note that this requires the active consumer (Person A) to have compromised the username & mobile phone of the other person (Person B)).
  • Should there be obligatory verification of customer name (held by DH) at the ADR/service provider end (with appropriate customer consent) as part of A.I. to ensure a more secure system? Of course this is a problem today where consumers only share account data but arguably payments introduces substantially more risk.

[rjshanahan]

As a prospective ADR, Tic:Toc welcomes the opportunity to comment on the proposed approach for CX research in relation to the authentication uplift. The experiences that consumers have with authentication are a key driver of CDR conversion rates, which in turn influence commercial decisions about extent and timing of participation in the CDR.

Tic:Toc supports the security uplift for authentication and the proposed CX research, noting the following points for the DSB’s consideration:

• A key objective of the research should be to test the extent to which leveraging known experiences/patterns could achieve the objectives of increased security and consumer experience.
  • A new, unfamiliar experience pattern (eg a new biometric authentication process or passwordless security app) may stop a user from completing a consent process and negatively impact consent/conversion. Even more so for use cases involving authentication with multiple data holders.
  • What are the outcomes in terms of conversion where the authentication process follows an experience pattern the consumer was already familiar with?
  • This kind of approach would be consistent with the ‘parity principle’ that applies in Open Banking in the UK.
• We agree with an elements-based research approach but note that the way that these elements are tested will be really important. While it is necessary to test individual elements, they need to be tested as part of a complete authentication process (or patterns of elements), which in turn need to be tested in a natural environment for consumers. As an example, consumers are likely to respond differently to an authentication process without context than they are to the same process as part of a home loan application in which they have already provided personal information and built up a sense of trust for the business they are dealing with.
• The data collection methods are varied, which we support, however it is unclear what the scope of the data collection is in terms of sample sizes and which target groups are included. Target groups covered should include a broad range of age groups, those with English as a second language, digital literacy levels groups.
• We are keen to know if there will be an opportunity to see the uplift prototypes and provide feedback before they are tested?

[commbankoss]

Please find CBA's feedback attached. NP280 submission 10 Feb 23 final.pdf

[dpostnikov]

@perlboy made a good point. There is a danger of this research producing something that is either not secure or not implementable.

There is no question that authentication in CDR has to be uplifted and current mechanism is not user friendly or secure.

Noting paper seems to be mixing different things together. I propose to breakdown this problem space into multiple areas, re-assemble it together and only then perform a CX research on the final outcome.

1. What authorisation flows should be supported?

• Web-based redirect flow (x2web, web2web)
• App-based redirect flow (x2app, app2app)
• Decoupled flow

UK Open banking, for example, supports all three because they provide appropriate user and use-case coverage (inclusion).

All flows come with different security considerations and have appropriate controls available within FAPI framework that CDR has already adopted, so there is not need to re-invent the wheel.

The flows that were considered insecure are already ruled out by the community (e.g. embedded).

Picking only one of the flows only creates a bad customer experience, restricts possible use cases and/or prevents a part of the community from using CDR.

Current Australian CDR flow as prescribed by the CDR specifications is a strange, non-standard weak mix of redirect and OTP.

2. What level of authentication and risk based decisioning is required of different types of transactions?

This is where we discuss types authenticators, their strength, biometrics multiple factors and FIDO standards (not just Passkeys).

This should be an opportunity to modernise and improve authentication across Australian banking, energy and telecommunications industries.

Frameworks like NIST should drive what level of assurance is required for a particular use case. We should be encouraging data holders to avoid using knowledge-based secrets and phishable credentials / factors.

3. What security and fraud concerns should be considered?

Movement towards FIDO standards together with transaction signing and risk-based fraud decisioning solves security concerns.

Data holders should be allowed to use existing customer authentication and associated fraud controls.

4. What overall customer experience is acceptable? The answer to this question should build up on the previous answers.

Overarching principle should always be: Customer shall be using existing and familiar authentication channel with no additional friction.

Movement towards FIDO standards improves user privacy and authentication user experience.

Existing CX guidelines and design principles in other jurisdictions can be helpful too, for example, OBIE CX guidelines (UK).

If you break the problem down as suggested, the right solution might become much clearer, cleaner and we don’t have to re-invent it.

This has been successfully done before.

[CDR-CX-Stream]

Thanks to everyone who provided feedback on the initial scope and approach for CX research into authentication uplift. The DSB will review and consider these comments for ongoing CX research and technical analysis.

Importantly, the CX research is focused on existing and familiar authentication approaches and considering historical learnings from other jurisdictions, such as the UK's OBIE (e.g. the current guidelines). The purpose of the CX research is to understand how and where the existing CDR CX standards and guidelines might need to be adjusted to accommodate these approaches, validate issues with the current state of authentication, and test various community proposals (such as the ‘waterfall authentication’ proposition raised at a previous Data Standards Advisory Committee and change requests posted on GitHub).

To support transparency, the DSB will provide links in this thread to published CX of authentication research reports. The DSB is conducting standards analysis in tandem to support any future decision proposals. This thread will remain open so ongoing discussion can take place ahead of any formal consultation on authentication uplift.

[CDR-CX-Stream]

The report for the first round of CX of authentication uplift research can be found here.

This report contains findings and considerations based on Round 1 of CX research that was conducted on the ‘Redirect with One Time Password’ (OTP) approach.

[CDR-CX-Stream]

The report for the second round of CX of authentication uplift research can be found here.

This report contains findings and considerations from Round 2 of CX research on ‘App/Browser-to-App with Biometric’.

[Telstra-CDR]

We welcome the opportunity to provide feedback and apologies in publishing our feedback later than accepted.
Broadly, We agree with the purpose and intent of this noting paper and keen to see the outcome of the research. However, Telstra’s view is stronger authentication factors should use pre-existing methods provided by the data holder where possible.

    • Telstra and its brands are compliant with authentication requirements for ACMA determination
    • Our customers are used to our existing authentication methods which give customers confidence they are authenticating 
       with Telstra instead of a rogue party.
    • Introducing a differing method will introduce additional friction for our e2e customer experience as our customers may 
      need to use different authenticators depending upon whether they are using CDR or BAU experiences
    • The CDR authenticators and backup methods needs to be managed, as such new self-service capability to manage CDR 
       authenticators may be required introducing additional build requirements for data holders.

[CDR-CX-Stream]

This comment originally contained a problem space description for offline customer authentication. To facilitate a targeted feedback, it has been converted into a separate consultation, Noting Paper 296, which is open for feedback until Monday 17 April.

[AGL-CDR]

Hi DSB et al, with respect to timeframes, can I please ask that the above request for feedback be updated with a date that consultation closes? Also, there is chance for confusion here given the request is nested within the comments section of another request for consultation, which has since closed. Would it be appropriate for this new request to be separated into a new issue card, linking back to #280?

[CDR-CX-Stream]

@AGL-CDR the problem space has now been converted into a separate consultation, Noting Paper 296, which is now open for feedback until Monday 17 April.

[CDR-CX-Stream]

Authentication Uplift - Round 3 Research report has been published and can be found here. This report contains findings and recommendations from the third round of CX research conducted as part of the Authentication Uplift project. This research ran in March of 2023 and tested “Decoupled” authentication and included elements of “fall-back” models. The purpose of the research was to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication.

In total, 40 consumers participated in this round of research. Two prototypes were used to facilitate discussion and generate insights in relation to decoupled authentication, selected fallback methods, and general sentiments regarding authentication.

Key insights from the research included that:

• Risk-based authentication aligns with consumer participant mental models
• When using fall-back authentication, decoupled is more intuitive when an app is available
• Users are cautious of QR codes, though accept their usage with caveats
• Consumers feel empowered and in control when corporations act responsibly
• Participants are wary of the potential for security breaches with QR code usage
• Extra authentication factors are appreciated even when unexpected
• Participants are aware and educated regarding risks and scams online
• The term “decoupled” was not widely recognised, though participants were familiar with the method

Decoupled authentication could be supported by the CDR with the following constraints in order to meet user expectations of comfort, control and trust:

• Only switch devices if an app is available on the user’s device
• Provide contextual information on the QR code and process
• Remedy concerns regarding the safety of QR codes
• As part of step-up authentication models

The study concludes with this third round of research. The research team will now focus on preparing a report on the outcomes and compare the findings across the three models tested along with a recommendation for consultation.

The full report can be accessed here.

[CDR-CX-Stream]

A fourth report on the CX of authentication uplift research has been published online and can be found here.

This report contains summaries and comparisons of all the recent CX research conducted on this topic, including an improved Redirect with OTP flow; App/Web to App with Biometrics; Decoupled with QR Code.

In total, over 150 consumers participated across the three rounds of research; which involved 90-minute 1:1 interview sessions and 30-minute unmoderated prototype tests.

Key Themes Virtually all research hypotheses were validated in this research. Key qualitative themes from consumer participants also highlighted that: • Friction is multifaceted • Users look for, and rely on, visual trust markers to assess risk • Extra authentication factors are appreciated • Meeting consumer expectations helps build trust • Step-up authentication is perceived as the norm • Supporting those experiencing vulnerability is important

System Usability Scale App/Web-to-App was the best performing model when it came to System Usability with a score of 82.88, followed closely by Redirect with One Time Password, which scored 82.61. Decoupled scored slightly lower at 74.29, but this is still an above average score.

N.B. The average SUS score for technology in general is 68. Usability scores above 80 are considered well-performing; scores around 68 are considered average and may require improvement; and scores below 51 are considered poor.

Opportunities There was a clear desire for App/Web-to-App to be supported, affording consumers the option to authenticate within their DH app.

The research on Redirect with One Time Password identified several key opportunities and improvement areas and could be uplifted to continue being a supported model, particularly for sectors with lower digital adoption.

Decoupled could also be supported to allow the user to authenticate securely with their known device no matter how they interact with the CDR, while support for the use of QR codes as part of CDR authentication could be de-prioritised.

Next Steps The DSB are now working on an initial Decision Proposal to consult on the step-up and waterfall authentication approach.

Authentication uplift will also need to consider Credential Level pairings and recommendations from both the PwC IC Accessibility and Independent Security Review reports.

The DSB will present on the topic of authentication uplift at the CDR Implementation Call on Thursday 13th July from 3pm-4:30pm. This session will cover key findings and opportunities from the CX research along with a brief overview of the DSB's approach to CDR authentication uplift. You can register for the regular call by emailing contact@consumerdatastandards.gov.au - see here for further details about the call.

[CDR-CX-Stream]

Attached to this comment is the slide deck the CX Team presented at the Implementation Call on Thursday 13th July.

Implementation Call Presentation - Authentication Uplift Research Outcomes.pdf

The deck contains high-level summaries and comparisons of all the recent CX research conducted on this topic, Redirect with OTP flow; App/Web to App with Biometrics; Decoupled with QR Code. It also shares the DSB's current thinking on the authentication uplift approach, which will be formally consulted on as a Decision Proposal soon.

This thread will be updated when the DP is live.

[CDR-CX-Stream]

This issue has now been closed. The authentication uplift work has now progressed into the decision proposal phase. Please see https://github.com/ConsumerDataStandardsAustralia/standards/issues/326 and https://github.com/ConsumerDataStandardsAustralia/standards/issues/327 for the ongoing consultations regarding authentication uplift.