Executive Summary

This report contains findings and recommendations from the third round of CX (Consumer Experience) research conducted as part of the Authentication Uplift project. Round 3 research focussed on Decoupled Authentication and ran in March 2023. The purpose of the research was to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective is to give consumers more choice and freedom when authenticating themselves with data holders, while maintaining financial-grade security. Round 1 was conducted in September 2022 and benchmarked the existing ‘Redirect with One Time Password (OTP)’ model. Round 2 was conducted in November 2022 and focussed on ‘App/Browser-to-App’ authentication models. In the third round, the research team tested ‘Decoupled’ authentication, which included elements of ‘fall-back’ models.

In total, 40 consumers participated in round 3 research: 10 consumers participated in 1:1 interview sessions which ran for 90 minutes each, and 30 consumers participated in unmoderated prototype tests which ran for 30 minutes each. Two prototypes were used to facilitate discussion and generate insights in relation to the authentication models shown, as well as about authentication more generally.

Consultation

This project relates to NP280 and NP296 which were open for consultation from 14 December 2022 to 27 January 2023 and 17 March to 1 May 2023 respectively.

Context

The authentication stage is the second step in The Consent Model and involves a consumer verifying who they are with their Data Holder (DH). This step is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.

Authentication in the CDR regime is limited to a single, consistent authentication model, referred to as the ‘Redirect with One Time Password’ flow. No other flows are currently supported. ‘Redirect with One Time Password’ was previously tested in June 2019 against two other models, ‘Redirect to Known’ and ‘Decoupled’, and was found to be the preferred authentication model by research participants. The outcomes can be accessed in the Phase 2 Stream 3 report.

The research now being conducted into CDR authentication uplift has been informed by the following:

This third round of research tested Decoupled Authentication with fall-back methods. Decoupled authentication requires the authentication of the user (the ‘challenge’, such as a PIN, password or biometric) to occur outside of the service or channel being accessed. This method verifies the user’s identity and authenticates the transaction via a separate channel, for example a push notification to their banking app or an email.

A standard workflow for decoupled authentication may occur as follows:

Fall-back (or waterfall) authentication is a mechanism that allows one or more alternative authentication methods to be used if the primary authentication method fails. This is useful in decoupled authentication scenarios where the primary authentication method is unavailable and a fall-back is required to complete the authentication and authorisation process.

For example, if the primary authentication method is through a DH’s app but the user does not have the app installed, a fall-back option would be logging in with an OTP in the browser instead. Fall-back authentication can improve the user experience by providing a backup authentication method in case of issues with the primary method. The research also tested step-up authentication, which requires additional levels of authentication as the risk profile and sensitivity of the action increase.
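The decoupled challenge, the OTP fall-back and the step-up requirement described above, modelled from the data holder's side as an added example (this is not code from the CDR standards or from the research prototypes; the sensitive scope name, the approval window and the attempt limit are assumptions):

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, Optional

SENSITIVE_SCOPES = {"transactions"}   # assumed: scopes that require step-up
OTP_ATTEMPT_LIMIT = 3                 # assumed: stop after three wrong codes

@dataclass
class AuthSession:
    """Data holder's record of one authentication started by a redirect."""
    scopes: FrozenSet[str]
    session_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    created: float = field(default_factory=time.monotonic)
    ttl: float = 120.0                # assumed: out-of-band approval window (s)
    approved: bool = False            # challenge passed on primary or fall-back
    stepped_up: bool = False          # extra factor passed for sensitive scopes
    fallback_otp: Optional[str] = None
    otp_attempts: int = 0

    def expired(self) -> bool:
        return time.monotonic() - self.created > self.ttl

def start(session: AuthSession, app_installed: bool, push: Callable[[str], None]) -> str:
    """Primary channel pushes the challenge to the DH app; no app means OTP fall-back."""
    if app_installed:
        push(session.session_id)      # the push carries the pending session id
        return "pushed"
    session.fallback_otp = f"{secrets.randbelow(10**6):06d}"
    return "fallback"

def approve_from_app(session: AuthSession, session_id: str) -> bool:
    """App approval counts only for the pending session and inside the window."""
    if session.expired() or not secrets.compare_digest(session_id.encode(), session.session_id.encode()):
        return False
    session.approved = True
    return True

def verify_fallback_otp(session: AuthSession, otp: str) -> bool:
    """Fall-back channel: same expiry, bounded attempts, constant-time compare."""
    if session.fallback_otp is None or session.expired() or session.otp_attempts >= OTP_ATTEMPT_LIMIT:
        return False
    session.otp_attempts += 1
    session.approved = secrets.compare_digest(otp.encode(), session.fallback_otp.encode())
    return session.approved

def authenticated(session: AuthSession) -> bool:
    """Sensitive scopes need the step-up factor on top of the passed challenge."""
    needs_step_up = bool(session.scopes & SENSITIVE_SCOPES)
    return session.approved and (session.stepped_up or not needs_step_up)
```

The session id carried in the push ties the out-of-band approval back to the redirect that started it, and the fall-back inherits the same expiry so the weaker channel is not also the longer-lived one.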

Findings

The research found that consumer participants were familiar with methods of decoupled authentication, though they did not recognise the technical term when asked. They recognised the login process used in the research, having experienced it at university or work, and more commonly with Google.

The findings further support the recommendation for step-up authentication. Many participants were familiar with step-up authentication, and expected corporations to implement 2-Factor Authentication (2FA) and step-up models regardless of the sensitivity of the data being accessed. This awareness and desire for tighter security may be related to recent high-profile data breaches. Of all participants tested, 35% mentioned data breaches, and some referred specifically to the Optus, Medibank and Latitude breaches. While participants wanted 2FA for sensitive data, they also did not mind platforms they did not deem sensitive asking for extra factors. They appreciated the security, and the friction was not viewed as negative. Rather, they appreciated that the provider was putting stops in place to protect data, with 8 out of 10 moderated participants preferring security over convenience.

Consumer participants had reservations about using QR codes in the context of sharing their data, irrespective of the number or combination of authentication factors tested. Most participants would only use QR codes for a low-risk, compelling value proposition or if no alternative methods were available to them. There was a strong preference to be taken to an existing, pre-installed app which had been downloaded from a reputable source, as users would have a pre-established level of trust and confidence. Consumer participants were not as comfortable with being redirected to a website in their browser, as they perceived it as rife with security risks, such as the potential for fraudulent websites, malicious code, fake QR codes, or landing on different URLs with no way of checking whether they had been taken to the correct link. We also note that when being redirected to a website, it was not immediately clear to participants why they could not simply continue the process on the originating device (a desktop in the instances tested), adding to the lack of transparency and trustworthiness. This perception of flawed security applied both to brands participants had not previously established trust with and to large corporations they were familiar with.

Many consumer participants had their banking provider’s mobile app installed on their phones, and used the app regularly. This contrasts with less digitally mature sectors, such as the energy sector, where the use of mobile apps is less common. As such, decoupled experiences that require switching from an originating device to an app may be more successful for the financial sector in the interim, but this may improve over time as app adoption increases in other sectors.