This report contains findings and recommendations based on Round 1 of CX research that was conducted on the ‘Redirect with One Time Password’ (OTP) in September of 2022 as part of the Authentication Uplift project. The purpose of the research is to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective is to give consumers more choice and freedom when authenticating themselves with data holders, while maintaining financial grade security.
Twenty-two consumers participated in the research in total; ten consumers participated in 1:1 interview sessions which ran for 90 minutes each and twelve consumers participated in unmoderated prototype testing. Prototypes of the Redirect with One Time Password flow were used to facilitate discussion and generate insights in relation to authentication more generally.
This project relates to NP280 which is open for consultation from 14 December 2022 to 27 January 2023.
The authentication stage is the second step in The Consent Model and involves a consumer verifying who they are with their Data Holder (DH). This step is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.
Authentication in the CDR regime is limited to a single, consistent authentication model, referred to as the 'Redirect with One Time Password' flow. No other flows are currently supported. 'Redirect with One Time Password' was previously tested in June 2019 against two other models, 'Redirect to Known' and 'Decoupled', and was found to be the preferred authentication model by research participants. The outcomes can be accessed in the Phase 2 Stream 3 report.
This research has been informed by the following:
The research found OTP to be a generally well-performing authentication method. Consumers are typically familiar with the verification requirements, having regularly used the OTP model in various contexts, with banking platforms in particular matching their mental models. Consistent exposure to this method means users across the board are confident with the flow and aware of what to do at each step, making it a fast and easy process to complete. OTP offers a level of convenience by removing the need to recall lengthy and complex passwords and, in some instances, by auto-filling the code from the SMS message. From a security perspective, users appreciate the OTP expiry window and prefer entering a one time password in place of their actual password, which in turn reduces drop-off rates.
While OTP is satisfactory for most use cases, there are several areas where the current process could be improved. Customer ID is potentially problematic: only half of all participants interviewed could recall their banking Customer ID off the top of their head; the other half find it either by opening the relevant banking app with biometrics, or by storing it on their device in the notes or contacts app. Storing a Customer ID on a device raises security concerns about how easily the OTP flow could be breached if the device falls into the wrong hands, and many participants had experienced theft or loss of their mobile phone. The research found that giving consumers extra security features, such as options for multi-factor authentication and automatic log-out, can contribute to feelings of being in control. Educational elements, for instance explaining how a DH triggers an SMS, can benefit those with lower levels of digital literacy. Consumer experience could also be improved by including App-to-App as a supported authentication model, striking a balance between convenience and security, as users perceive it to be more trustworthy than redirect or browser-based methods.
One Time Password is a sufficient authentication model and could offer a better consumer experience with some minor improvements; however, there are several shortcomings that could be addressed by introducing other models. Across the board, OTP did not match user expectations contextually: most participants were familiar with the model as a second factor of authentication and did not perceive it as strong enough when used as a primary, stand-alone model. Implementing OTP as a step-up, secondary form of verification, in conjunction with a gold standard primary authentication method, could go far in exceeding user perceptions of security and trust. Step-up authentication requires additional authentication as the risk profile and sensitivity of the action increase, and could be implemented across the Consumer Data Right irrespective of sector. We explore early stage recommendations in the summary section of this report.
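As an added illustration of the step-up model described above (example code written for this page; it is not from the report, the CDR standards or any data holder's implementation), the following Python models a policy in which the primary credential is always required and the one time password is demanded only for more sensitive actions. The action names, the sensitivity tiers, the 6-digit code, the 120-second expiry window and the three-attempt limit are all assumptions chosen for illustration. The code also shows the properties participants valued: the code expires, it is single use, and it cannot be guessed indefinitely.

```python
"""Illustrative step-up authentication policy with a one time password as the
second factor.  Added example: not from the report, the CDR standards or any
data holder.  Action names, sensitivity tiers, the 6-digit OTP, the 120 s
expiry window and the 3-attempt limit are assumptions chosen for illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Set

# Assumed sensitivity tiers: the higher the tier, the more factors required.
ACTION_SENSITIVITY = {
    "view_account_list": 1,
    "authorise_data_sharing": 2,
    "change_contact_details": 3,
}

# Factors required per tier (assumption). "primary" is the data holder's own
# primary credential (password or biometric); "otp" is the SMS one time password
# used as a step-up second factor rather than as the sole credential.
REQUIRED_FACTORS = {
    1: {"primary"},
    2: {"primary", "otp"},
    3: {"primary", "otp"},
}

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120
MAX_OTP_ATTEMPTS = 3


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class Session:
    factors: Set[str] = field(default_factory=set)
    pending_otp: Optional[PendingOtp] = None


def required_step_up(session: Session, action: str) -> Set[str]:
    """Factors the consumer must still present before `action` is allowed."""
    return REQUIRED_FACTORS[ACTION_SENSITIVITY[action]] - session.factors


def issue_otp(session: Session, now: Optional[float] = None) -> str:
    """Generate a fresh single-use code.  A real data holder would send it by
    SMS and never return it to the caller; it is returned here only so the
    example can be exercised offline."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    session.pending_otp = PendingOtp(code=code, issued_at=now)
    return code


def verify_otp(session: Session, submitted: str, now: Optional[float] = None) -> bool:
    """Check a submitted code: rejects expired, replayed and repeatedly
    mis-entered codes; on success records the "otp" factor on the session."""
    now = time.time() if now is None else now
    pending = session.pending_otp
    if pending is None:
        return False  # nothing issued, or already consumed (single use)
    if now - pending.issued_at > OTP_TTL_SECONDS:
        session.pending_otp = None  # expiry window passed; a new code must be requested
        return False
    pending.attempts += 1
    if not hmac.compare_digest(pending.code, submitted):
        if pending.attempts >= MAX_OTP_ATTEMPTS:
            session.pending_otp = None  # too many wrong guesses; invalidate the code
        return False
    session.pending_otp = None  # consume the code so it cannot be replayed
    session.factors.add("otp")
    return True


if __name__ == "__main__":
    # Constructed walk-through: the consumer has passed the primary credential
    # and now requests a tier-2 action, which triggers the OTP step-up.
    session = Session(factors={"primary"})
    print("missing before step-up:", required_step_up(session, "authorise_data_sharing"))
    code = issue_otp(session)
    print("otp accepted:", verify_otp(session, code))
    print("missing after step-up:", required_step_up(session, "authorise_data_sharing"))
```

The policy table is the part a data holder would tune per action and per sector; the verification routine is deliberately independent of it, so the same expiry, single-use and attempt-limit behaviour applies wherever the OTP is invoked as a step-up.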