ConsumerDataStandardsAustralia / standards

Work space for data standards development in Australia under the Consumer Data Right regime

Noting Paper 296 - Offline Customer Authentication #296

Closed CDR-CX-Stream closed 1 year ago

CDR-CX-Stream commented 1 year ago

Friday 17 March: Noting Paper 296 Published

The purpose of this paper is to seek community feedback on offline customer authentication. The paper focuses on the impacts and opportunities regarding the augmentation or deprecation of the redirect with OTP (One Time Password) model.

The key consultation questions for this noting paper are as follows:

Noting paper 296 on Offline Customer Authentication can be found below: Noting paper 296 - Offline Customer Authentication.pdf

Feedback is now open on this noting paper and will close on ~Monday 17~ ~Friday 21 April~ Monday 1 May 2023.


Edit: Deadline extended from 17 April to 1 May 2023.

CDR-CX-Stream commented 1 year ago

The noting paper for the consultation on offline customer authentication has been published and can be found in the original post.

AGL-CDR commented 1 year ago

Following on from a recent AEC-DSB forum that discussed this consultation - a number of participants voiced support to have the due date of consultation extended to Friday 21st April. AGL is supportive of this delay as we consolidate feedback from around the business after the Easter break. Requesting DSB consider this request to delay, thank you.

CDR-CX-Stream commented 1 year ago

In response to community requests, this consultation will be extended to Friday 21 April 2023.

anzbankau commented 1 year ago

We seek confirmation that the scope of this paper is restricted to offline energy customers only and that any redirect with OTP augmentation or deprecation considerations are in the context of offline energy customers only and are not relevant for other designated sectors.

Thank you for your assistance.

CDR-CX-Stream commented 1 year ago

Hi @anzbankau

The scope of this paper relates to the impacts and opportunities of augmentation/deprecation of the Redirect with OTP model, in particular in relation to offline customers.

At the moment, offline customers are only eligible CDR consumers in the Energy sector. The scope of eligible offline customers may change as new sectors are designated, or subject to rules changes.

Having said this, any augmentation or deprecation of the redirect with OTP model may be implemented across the CDR ecosystem, and as such will impact any other sectors where OTP is used. Therefore it may be beneficial for CDR participants in other sectors, including Banking, to review and contribute feedback to this paper.

commbankoss commented 1 year ago

The CBA supports the ACCC’s current banking sector eligibility rules, namely that a customer must have online access to at least one account to be considered eligible. Given the highly sensitive nature of the data that can be shared under CDR we do not believe it is feasible to safely extend authentication to offline customers, particularly when the authentication factor is a phishable OTP.

CDR-CX-Stream commented 1 year ago

thanks @commbankoss for your comment. To clarify, this paper is seeking input into the augmentation/deprecation of the redirect with OTP model only. This paper is not seeking to assess whether eligibility for offline customers should change or be extended.

We would welcome feedback on how any augmentation or deprecation of the redirect with OTP model might impact existing operations and to what degree. We also welcome thoughts on how OTP can be augmented to meet the required CL.

AGL-CDR commented 1 year ago

Thank you for the opportunity to provide feedback on Offline Customer Authentication. Please find AGL's submission in the attached pdf. AGL - Offline Customer Authentication - 21 April 2023.pdf

anzbankau commented 1 year ago

We are not supportive of offline customers being included in scope for the banking sector in the CDR and being able to authenticate, separate to any existing mechanisms that are in place today for customers. If this was to be changed, a full assessment of the mechanism for these customers to share would need to be performed at that time.

CDR-CX-Stream commented 1 year ago

Thank you to the responses provided by the community thus far. We would like to clarify that this noting paper does not seek to change the definition of eligible customers for the banking sector to include offline customers.

The DSB however welcomes any input banking sector participants may have on the impacts and opportunities regarding the augmentation or deprecation of the redirect with OTP (One Time Password) model, should they choose to provide it.

NationalAustraliaBank commented 1 year ago

Hi @CDR-CX-Stream ,

As the banking sector has been invited to provide feedback (this week) as well on this topic, we will need some more time to discuss and analyse the impacts and opportunities regarding the augmentation or deprecation of the redirect with OTP (One Time Password) model. We are asking for an extension on this topic until the 28th of April 2023?

Yash

CDR-CX-Stream commented 1 year ago

In response to community requests, and with consideration to the upcoming Anzac Day public holiday, this consultation will be extended to Monday 1st May 2023.

JohnMillsEnergyAustralia commented 1 year ago

Thank you for the opportunity for EA to provide feedback on Offline Customer Authentication.

The case for change here in April 2023 is not clearly evident.

All Energy retailers should be regulated to build to the same Customer Authentication standard and the same costs. (Key competitive neutrality principle)

With Action Initiation legislation now before Parliament, an uplift is expected in Customer Authentication to support payments and transactions arising from AI. To do so sooner is premature and may well risk omitting key use cases arising from AI standards development.

To undertake an earlier uplift in Customer authentication could incur costly duplicate build costs on the industry that are unnecessary if a sensible deferment is adopted.

Further, EA endorses many of the points made in the above AGL submission on this topic.

NationalAustraliaBank commented 1 year ago

NAB supports the position of ANZ and CBA on offline customer access, considering the highly sensitive data sharing in the banking industry. Based on this position, any deprecation of the redirect with OTP model will impact existing online customer authentication and consent flow. NAB believes the OTP model is still the most widely accepted authentication method for online customers (considering the security vulnerability of username/password). Therefore, NAB is not expecting the change on the OTP model for now before a new/stronger authentication method is introduced (such as CIBA, but it will have less customer coverage compared with the OTP model).

CDR-CX-Stream commented 1 year ago

Thanks to those who have provided feedback so far. To clarify the purpose of this consultation, the DSB would like to emphasise that this noting paper:

Rather, this paper is inviting views on:

The DSB would also like to clarify that this consultation is happening as part of CDR authentication uplift work, including to support action - it is not proposing a separate, distinct, or earlier change.

PratibhaOrigin commented 1 year ago

Thank you for the opportunity to provide feedback on this topic.

CDR-CX-Stream commented 1 year ago

This consultation is now closed. Thank you to all who responded.

CDR-CX-Stream commented 1 year ago

This issue has now been closed. The topic of offline customers will be consulted on as part of the ongoing authentication uplift work, which has now progressed into the decision proposal phase. Please see https://github.com/ConsumerDataStandardsAustralia/standards/issues/326 and https://github.com/ConsumerDataStandardsAustralia/standards/issues/327 for the ongoing consultations regarding authentication uplift.