ConsumerDataStandardsAustralia / standards

Work space for data standards development in Australia under the Consumer Data Right regime

Decision Proposal 327 - Authentication Uplift Phase 1 #327

Open CDR-API-Stream opened 1 year ago

CDR-API-Stream commented 1 year ago

Please find attached a decision proposal on authentication uplift. This decision proposal will cover the first tranche of authentication uplift (Phase 1) and is seeking preliminary feedback that will then be consulted on in detail in a series of subsequent decision proposals.

This consultation will be open for feedback until 15 November 2023.

Update: 16 October 2023 This consultation has been extended for feedback until 15 November 2023. ~~This consultation will be open for feedback until 24 October 2023~~

Update: 3rd October 2023 A corrected version has been published: Corrected - Decision Proposal 327 - Authentication Uplift Approach.pdf

CDR-CX-Stream commented 1 year ago

A decision proposal for authentication uplift has been published in the original comment.

This consultation will be open for feedback until 24 October 2023.

CDR-API-Stream commented 1 year ago

Update: 3rd October 2023

Please note that the version of this DP published on September 26 contained two incorrect recommendations in the summary section and one incorrect wording for the proposed levels of assurance changes. The document also contained minor typographical errors. These have been corrected in the version attached.

Primary changes to this version are as follows:

Section 2, Summary of key recommendations

DELETE

  • Replacing Level of Assurance (LoA) as defined in the Data Standards, with Identity Proofing Levels (IPL), as defined in TDIF
  • Introducing IPL 4 that maps to the TDIF Credential Level (CL) CL3

INSERT

  • Introducing a Level of Assurance LoA4 that maps to the TDIF Credential Level (CL) CL3
  • Recommend Data Holders support at least LoA3 for read access commensurate to existing digital channels

Section 2, Purpose of this consultation

Added a qualifying statement.

INSERT

As per Rule 8.11(1)(c)(i), the Data Standards Chair has an obligation for the “authentication of CDR consumers to a standard which meets, in the opinion of the Chair, best practice security requirements”.

Section 5.1.1

DELETE

  • Introduce an Identity Proofing Level of Assurance (IPL) 4 represented by the URI: urn:cds.au:cdr:4 where authenticators used to attain this level MUST conform with the TDIF Credential Level CL3

INSERT

  • Introduce a Level of Assurance LoA 4 represented by the URI: urn:cds.au:cdr:4 where authenticators used to attain this level MUST conform with the TDIF Credential Level CL3

26th September 2023 The superseded version is available here: Decision Proposal 327 - Authentication Uplift Approach.pdf
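The corrected Section 5.1.1 introduces a fourth LoA URI alongside the existing ones, and Section 2 recommends that Data Holders support at least LoA3 for read access. The following is an added example, not code from this thread or from the CDR standards, of the check an Accredited Data Recipient would run on the Data Holder's ID token to enforce such a minimum. It assumes that the level is conveyed in the OIDC `acr` claim (as the existing LoA URIs are) and that the token's signature has already been verified; the token it parses is a constructed, unsigned sample so the example runs offline.

```python
import base64
import json
from typing import Optional, Tuple

# Level of Assurance (LoA) URIs and the integer level each denotes.
# urn:cds.au:cdr:2 and urn:cds.au:cdr:3 are the existing CDR values;
# urn:cds.au:cdr:4 is the LoA4 that DP 327 proposes (mapping to TDIF CL3).
LOA_BY_URI = {
    "urn:cds.au:cdr:2": 2,
    "urn:cds.au:cdr:3": 3,
    "urn:cds.au:cdr:4": 4,
}

# Recommendation from the corrected DP: at least LoA3 for read access.
MIN_LOA_READ = 3


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWT encoding strips."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS.

    Assumption: the caller has already verified the signature against the
    Data Holder's JWKS. This function only parses and must never be the sole
    gate on an unverified token.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    return json.loads(_b64url_decode(parts[1]))


def loa_from_acr(acr) -> Optional[int]:
    """Map an acr claim value to a LoA integer; None if absent or unrecognised.

    Assumption: the level is conveyed in the OIDC 'acr' claim. An unknown URI
    is treated as unknown, never as 'high enough'.
    """
    if not isinstance(acr, str):
        return None
    return LOA_BY_URI.get(acr)


def check_minimum_loa(id_token: str, minimum: int = MIN_LOA_READ) -> Tuple[bool, str]:
    """Decide whether the authentication level in an ID token meets `minimum`.

    Returns (ok, reason). Fails closed on a malformed token and on a missing,
    unknown or lower level.
    """
    try:
        claims = id_token_claims(id_token)
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError too
        return False, f"unparseable id_token: {exc}"
    acr = claims.get("acr")
    level = loa_from_acr(acr)
    if level is None:
        return False, f"acr missing or not a known LoA URI: {acr!r}"
    if level < minimum:
        return False, f"LoA{level} is below the required LoA{minimum}"
    return True, f"LoA{level} satisfies LoA{minimum}"


def constructed_id_token(claims: dict) -> str:
    """Build an UNSIGNED compact JWT as constructed sample input.

    The 'alg: none' header and empty signature segment exist only so the
    parser above has something to read; a real ADR never accepts such tokens.
    """
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    samples = ["urn:cds.au:cdr:2", "urn:cds.au:cdr:3", "urn:cds.au:cdr:4", "urn:example:other", None]
    for acr in samples:
        claims = {"sub": "consumer-1"}
        if acr is not None:
            claims["acr"] = acr
        print(f"{acr!s:>20} -> {check_minimum_loa(constructed_id_token(claims))}")
```

The point of failing closed on an unrecognised URI is that a future level (or a typo by a Data Holder) must not be silently accepted as satisfying LoA3; the recipient should instead refuse the data request and surface the reason.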

biza-io commented 1 year ago

Due to November 1 delivery Biza requests this consultation be extended by 3 weeks to 15 November 2023.

AusBanking3 commented 1 year ago

The ABA kindly requests an extension to this consultation to be able to provide valuable feedback. We are requesting an extension of 3 weeks with a due date of 15 November. The ABA requires more time for this consultation to review the proposed changes due to their complex nature. Additionally, our members, alongside the ABA, have been very busy reviewing and collating feedback for 4 other concurrent CDR consultations:

  1. Expansion to non-bank lending,
  2. Consent Review,
  3. Operational Enhancements and
  4. Screen scraping.

CDR-API-Stream commented 1 year ago

Hi @biza-io and @AusBanking3, thank you for your feedback. The consultation will be extended until 15 November as per your request.

CDR-Engagement-Stream commented 1 year ago

The team have put together an overview video to introduce Decision Proposal 327.

Edit: new link to an updated video with Noting Paper 326 reference.

cuctran-greatsouthernbank commented 1 year ago

Please find the feedback from Great Southern Bank attached. Feedback regarding Decision Proposal 327 Authentication uplift phase 1 - Great Southern Bank.pdf

CDR-API-Stream commented 1 year ago

> Please find the feedback from Great Southern Bank attached. Uploading Feedback regarding Decision Proposal 327 Authentication uplift phase 1 - Great Southern Bank.pdf…

Hi @cuctran-greatsouthernbank, it appears as though your upload didn't work. Could you please edit your comment and try uploading your feedback document again?

cuctran-greatsouthernbank commented 1 year ago

> Please find the feedback from Great Southern Bank attached. Uploading Feedback regarding Decision Proposal 327 Authentication uplift phase 1 - Great Southern Bank.pdf…

> Hi @cuctran-greatsouthernbank, it appears as though your upload didn't work. Could you please edit your comment and try uploading your feedback document again?

Thanks for letting me know. I re-uploaded the file in the original comment now.

TT-Frollo commented 1 year ago

Please see attached for Frollo's comments: Decision 327 Authentication uplift Frollo Comments TT.docx

WestpacOpenBanking commented 1 year ago

Please find feedback from Westpac attached. Decision Proposal 327.pdf

AGL-CDR commented 1 year ago

Please find AGL's response to the consultation attached. AGL Response to Decision Proposal 327_ Authentication Uplift Approach.pdf

paige-skript commented 1 year ago

Please find Skript's feedback attached. Skript_Feedback_DP327_Auth_Uplift_Phase_1.pdf

TT-Frollo commented 1 year ago

One additional comment. Changes that impact either DCR or a consent must be tested with over 100 DHs. In the banking sector it also means having a production account at each bank, which as an ADR is not practical to do. A solution to this needs to be discussed.

anzbankau commented 1 year ago

ANZ's feedback on this DP: ANZ feedback on DP327 - Authentication Uplift Phase 1.pdf

biza-io commented 1 year ago

Due to ongoing operational workload associated with recent November 1 changes, Biza requests a further small extension through to Friday 17 November. We appreciate the Data Standards Body understanding.

commbankoss commented 1 year ago

CBA's feedback attached. 20231115 CBA Group Submission Decision Proposal 327 (final).pdf

CDR-API-Stream commented 1 year ago

> Due to ongoing operational workload associated with recent November 1 changes, Biza requests a further small extension through to Friday 17 November. We appreciate the Data Standards Body understanding.

Hi @biza-io, we appreciate the current workload for participants, particularly in the Energy sector. This consultation shall be left open until the end of this week.

CDR-API-Stream commented 1 year ago

With permission from the Australian Banking Association, their submission has been uploaded on their behalf.

20231115 - ABA Submission - Authentication Uplift.pdf

dpostnikov commented 1 year ago

In my personal opinion, this proposal is mixing different issues together (weak CDR authentication and inflexible requirements to support it, inability to do x2app and decoupled flows, etc.) and patching these "symptoms" as opposed to fixing the root cause.

As a result, the recommendations produced will be difficult to implement for all existing and future data holders. And some recommendations just will not work and/or will contradict other regulations and practices.

If we fix the root cause we can solve most of the issues and limitations that we are experiencing now.

Root cause

There should not be a CDR Authentication method separate from a regular Data Holder authentication. We should not be focusing on CDR Authentication uplift but on moving back to Data Holder authentication.

Most open data ecosystems use existing authentication methods familiar to their customers.

Main recommendation: Move to existing data holder authentication mechanisms.

This will simplify the CDR ecosystem significantly and will increase adoption of CDR because this will allow for:

Note 1: On the CDR implementation call last week, Mark confirmed that this is aligned with DSB intent, but the proposal doesn't spell it out explicitly. This should be one of the key guiding principles.

Note 2: It doesn't prevent adding additional minimal requirements for certain types of functionality in the future. In fact, it makes it simpler to build upon.

Note 3: Of course there should be special consideration for non-digitally active customers.

To summarise, just by focusing on moving back to existing data holder authentication, DSB would be addressing most of their key outcomes targeted.

Additional recommendation: After implementing the main recommendation above, conduct further consultation on whether there are any additional requirements for certain use cases or certain industries, and on the best way to implement them.

In general, it is great to encourage data holders to improve their authentication, but there are a lot of questions that need to be answered before designing and prescribing a solution, for example:

Note 4: I would recommend removing TDIF references from the CDR standards until all these questions are answered.

Otherwise, this creates more confusion for implementers.

biza-io commented 1 year ago

Biza.io thanks the Data Standards Body for its understanding. Please find attached our response to the above proposal. DP-327 Authentication Uplift Response.pdf

Edit: Apologies, very minor typo from final drafting fixed.

CDR-API-Stream commented 1 year ago

This consultation is now closed. Thanks to everyone for engaging and providing comprehensive feedback. Responses will be reviewed and considered.