This report collates findings from three rounds of CX research conducted as part of the Authentication Uplift project and provides a comparison on models tested.
Round 1 was conducted in September of 2022 and benchmarked the existing ‘Redirect with One Time Password (OTP)’ model. Round 2 research focused on ‘App/Web-to-App with Biometric’ and ran in November of 2022. Round 3 research focused on ‘Decoupled with QR Code’ and ran in March of 2023.
The purpose of the research was to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective of uplifting authentication in the CDR is to give consumers more choice and freedom when authenticating themselves with DHs (data holders), while maintaining financial grade security.
In total, over 150 consumers participated across the three rounds of research; which involved 90-minute 1:1 interview sessions and 30-minute unmoderated prototype tests. Various prototypes were used to facilitate discussion and generate insights in relation to the authentication models shown, as well as to authentication more generally.
More detail on context can be found in each of the research reports, and in Noting Paper 280 – The CX of Authentication Uplift.
Several recurring themes were identified and observed throughout all rounds of research. These recurring themes are significant to the overall research findings and offer valuable insights to the research project as a whole.
Friction is multifaceted
The research found the principle of friction to be multifaceted, with factors manifesting in various ways; friction can occur both online and **offline. Online friction can include extra authentication factors, and offline friction could be the requirement to switch between devices, for example. Friction can be viewed by participants as negatively or positively impacting on an authentication experience, i.e. there are ‘positive’ or ‘negative’ levels of friction in a given flow. One may hypothesise that higher levels of online friction create more frustrating experiences for users, however the research does not support this. While some participants experienced frustrations when accessing devices (such as, to receive one time passwords or access an app), they generally appreciated lengthier processes when accessing sensitive data.
Users look for, and rely on, visual trust markers to assess risk
Consumer participants across all age demographics were conscious of the risks involved with using the internet and implement practices and habits to ensure their safety online. The research found participants heavily relied upon visual cues to determine whether a platform was trustworthy. Each research round saw an uptick in participant awareness of the potential for data breaches, and an increased understanding of scams. This may be attributed to the increase in highly publicised data breaches. Those who had been impacted by previous security breaches are proactive in their approach to online safety and actively seek out information on how to protect themselves.
Extra authentication factors are appreciated
Across the board, consumer participants appreciated extra authentication factors even when they were not expected. Although two or more factors were expected for high-risk scenarios such as banking or health related data, participants also appreciated extra factors for actions they deemed as slightly risky. Even when a participant did not expect a second factor, they did not feel negatively toward the increased level of friction. On the contrary, participants perceived the extra layers of security as the brand or corporation’s effort to prioritise consumer privacy and data safety. Implementing extra factors provided participants with a sense of security and comfort. Research indicated that the extra factors or increased friction should be in context and relevant to the use case. A low-risk use case such as social media log in does not warrant multi-factor authentication (MFA).