Executive Summary
This report contains findings and recommendations from the third round of CX (Consumer Experience) research conducted as part of the Authentication Uplift project. Round 3 research focussed on Decoupled Authentication and ran in March 2023. The purpose of the research was to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective is to give consumers more choice and freedom when authenticating themselves with data holders, while maintaining financial-grade security. Round 1 was conducted in September 2022 and benchmarked the existing ‘Redirect with One Time Password (OTP)’ model. Round 2 was conducted in November 2022 and focussed on ‘App/Browser-to-App’ authentication models. In the third round of Authentication Uplift research, the research team tested ‘Decoupled’ authentication, which included elements of ‘fall-back’ models.
In total, 40 consumers participated in round 3 research: 10 consumers participated in 1:1 interview sessions which ran for 90 minutes each, and 30 consumers participated in unmoderated prototype tests which ran for 30 minutes. Two prototypes were used to facilitate discussion and generate insights in relation to the authentication models shown, as well as about authentication more generally.
Consultation
This project relates to NP280 and NP296 which were open for consultation from 14 December 2022 to 27 January 2023 and 17 March to 1 May 2023 respectively.
Context
The authentication stage is the second step in The Consent Model and involves a consumer verifying who they are with their Data Holder (DH). This step is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.
Authentication in the CDR regime is limited to a single, consistent authentication model, referred to as the ‘Redirect with One Time Password’ flow. No other flows are currently supported. ‘Redirect with One Time Password’ was previously tested in June 2019 against two other models, ‘Redirect to Known’ and ‘Decoupled’, and was found to be the preferred authentication model by research participants. The outcomes can be accessed in the Phase 2 Stream 3 report.
The research now being conducted into CDR authentication uplift has been informed by the following:
- In December 2021, the Government noted support for the Inquiry into Future Directions for the CDR’s recommendation to review the approach to authentication. The Inquiry stated that ‘the convenience and consumer experience of different authentication mechanisms should be considered’ when assessing how to expand CDR authentication support.
- The Independent Information Security Review published in July 2022 separately highlighted that the current approach to CDR authentication does not meet minimum security requirements, and adjustments are warranted.
- The CDR community have also requested changes to the current CDR authentication model, which the DSB is considering as part of this work (see CR405, CR554 and CR542).
- Decision 182, Information Security Uplift for Write (action initiation): this consultation sought community input on how the information security profile might evolve to explicitly support write operations.
This third round of research tested Decoupled Authentication with fall-back methods. Decoupled authentication requires the authentication of the user (or ‘challenge’, such as a PIN, password, biometric) to occur outside of the service/channel being accessed. This method verifies the user’s identity and authenticates the transaction via a separate channel — for example, a push notification to their banking app or via an email.
- The service provider sends an Authentication Request message and waits for a notification that the authentication has completed
- The Identity Provider (IDP) confirms whether it supports decoupled authentication. If supported, the user authenticates themselves and authorises the transaction outside of the service provider channel, usually through the IDP’s app or website
- After authentication and authorisation, the IDP sends the results back through the Results Request message
- The service provider sends confirmation through the Result Response message
Fall-back (or waterfall) authentication is a mechanism that allows for an alternative authentication method/s to be used if the primary authentication method fails. This can be useful in decoupled authentication scenarios where the primary authentication method is unavailable and a fall-back is required to complete the authentication and authorisation process.
For example, if the primary authentication method is through a DH’s app, but the user does not have the app installed, a fall-back option would be logging in with OTP in the browser instead. Fall-back authentication can improve the user experience by providing a backup authentication method in case of issues with the primary method. The research also tested step-up authentication. Step-up authentication requires additional levels of authentication to adapt as the risk profile and sensitivity of the action increases.
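The decoupled exchange above, together with the fall-back and step-up behaviour just described, as an added worked example. This is illustrative code written for this page; it is not the CDR standards, the research prototypes, or any data holder's implementation. It simulates only the data holder (IDP) side: a request is created, the user is routed to the DH app when one is registered and otherwise to OTP in the mobile browser (the fall-back), the user acts out of band, and the service provider polls for the result. The risk tiers, the 120-second lifetime, the `dh.example` URL in the QR payload and the status names are all assumptions. Two checks a practitioner would want are built in: the QR payload carries only a single-use, short-lived request id, and approval is rejected if it comes from a different user than the one the request was issued for, or after the request has expired.

```python
"""Decoupled authentication with fall-back and step-up (added illustrative example;
not the CDR standards or any data holder's code)."""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Status(Enum):
    PENDING = "pending"            # waiting for the user to act out of band
    STEP_UP = "step_up_required"   # approved with too few factor types for the risk tier
    APPROVED = "approved"
    DENIED = "denied"
    EXPIRED = "expired"


# Assumed risk tiers (not from the CDR standards): factor types each tier requires.
REQUIRED_FACTORS = {
    "low": {"possession"},                # e.g. OTP sent to a registered phone
    "high": {"possession", "inherence"},  # e.g. registered device plus biometric
}


@dataclass
class AuthRequest:
    req_id: str
    user_ref: str
    risk: str
    channel: str                   # "app", or "browser_otp" as the fall-back
    created: float
    ttl: float = 120.0             # assumed lifetime of the QR code / OTP in seconds
    status: Status = Status.PENDING
    factors_seen: set[str] = field(default_factory=set)
    otp: Optional[str] = None


class DataHolder:
    """Simulated DH: issues decoupled requests, records out-of-band approval and
    answers the service provider's polls. `clock` is injectable for testing."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.requests: dict[str, AuthRequest] = {}
        self.app_users: set[str] = set()   # users with the DH app installed and registered

    def start(self, user_ref: str, risk: str) -> AuthRequest:
        # Fall-back decision: use the app when one is registered, otherwise OTP in the browser.
        channel = "app" if user_ref in self.app_users else "browser_otp"
        req = AuthRequest(secrets.token_urlsafe(16), user_ref, risk, channel, self.clock())
        if channel == "browser_otp":
            req.otp = f"{secrets.randbelow(10**6):06d}"   # delivered by SMS in a real flow
        self.requests[req.req_id] = req
        return req

    def qr_payload(self, req: AuthRequest) -> str:
        # The QR code carries only the single-use request id; hypothetical host name.
        return f"https://dh.example/auth?req={req.req_id}"

    def _live(self, req: AuthRequest) -> bool:
        # Expire an unfinished request once its lifetime has passed.
        if req.status in (Status.PENDING, Status.STEP_UP) and self.clock() - req.created > req.ttl:
            req.status = Status.EXPIRED
        return req.status in (Status.PENDING, Status.STEP_UP)

    def approve_in_app(self, req_id: str, user_ref: str, factors: set[str]) -> Status:
        req = self.requests[req_id]
        if not self._live(req):
            return req.status
        # The app session approving the request must belong to the user it was issued for.
        if req.channel != "app" or user_ref != req.user_ref:
            req.status = Status.DENIED
            return req.status
        req.factors_seen |= factors
        return self._settle(req)

    def submit_otp(self, req_id: str, otp: str) -> Status:
        req = self.requests[req_id]
        if not self._live(req):
            return req.status
        # Constant-time comparison; only valid on the fall-back channel.
        if req.channel != "browser_otp" or not hmac.compare_digest(otp, req.otp):
            req.status = Status.DENIED
            return req.status
        req.factors_seen.add("possession")
        return self._settle(req)

    def _settle(self, req: AuthRequest) -> Status:
        # Step-up: approve only once every factor type the risk tier needs has been seen.
        missing = REQUIRED_FACTORS[req.risk] - req.factors_seen
        req.status = Status.APPROVED if not missing else Status.STEP_UP
        return req.status

    def poll(self, req_id: str) -> Status:
        """What the service provider calls while waiting for the result."""
        req = self.requests[req_id]
        self._live(req)
        return req.status
```

In this model the originating desktop page should advance only when `poll()` returns `APPROVED`; a `STEP_UP` result means the DH app must collect the missing factor type before the request settles, which is the behaviour the report describes for higher-risk actions.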
Findings
The research found that consumer participants were familiar with methods of decoupled authentication, though they were not familiar with the technical term when asked. They recognised the process for logging in used in the research, having experienced using it at university or work, as well as more commonly with Google.
The findings further support the recommendation for step-up authentication. Many participants were familiar with step-up authentication, and expected corporations to implement 2-Factor Authentication (2FA) and step-up models regardless of the sensitivity of the data being accessed. This awareness and desire for tighter security may be related to recent high profile data breaches. Of all participants tested, 35% mentioned data breaches, and some referred specifically to the Optus, Medibank, and Latitude breaches. Despite a desire for 2FA for sensitive data, participants did not mind platforms they did not deem as sensitive asking for extra factors. They appreciated the security, and the friction was not viewed as negative. Rather, they appreciated that the provider was putting stops in place to protect data, with 8 out of 10 moderated participants preferring security over convenience.
Consumer participants had reservations about using QR codes in the context of sharing their data, irrespective of the number or combination of authentication factors tested. Most participants would only use QR codes for a low-risk, compelling value proposition or if no alternative methods were available to them. There was a strong preference to be taken to an existing, pre-installed app which had been downloaded from a reputable source, as users would have a pre-established level of trust and confidence. Consumer participants were not as comfortable with being redirected to a website in their browser, as they perceived it as rife with security risks, such as the potential for fraudulent websites, malicious code, fake QR codes or landing on different URLs with no way of checking whether they had been taken to the correct link. We also note that when being redirected to a website, it was not immediately clear to participants why they couldn’t simply continue the process on the originating device (desktop in the instances tested), adding to the lack of transparency and trustworthiness. This perception of flawed security applied both to brands participants had not previously established trust with and to large corporations they were familiar with.
Many consumer participants had their banking provider’s mobile app installed on their phones, and used the app regularly. This contrasts with less digitally mature sectors, such as the energy sector, where the use of mobile apps is less common. As such, decoupled experiences that require switching from an originating device to an app may be more successful for the financial sector in the interim, but this may improve over time as app adoption increases in other sectors.
Research artefacts at a glance
The following artefacts have been produced to help visualise the research findings. Each artefact is explored in further detail in the Research Outputs section of this report.
- Global Performance (radial graph)
- Consumer Behavioural Archetypes
- System Usability Scale (SUS)
Project goals
This research project aimed to:
- Identify appropriate authentication models to support in the CDR;
- Provide CX input to the authentication framework to assess incoming/supported models;
- Strike a balance between security, consumer experience and value delivery;
- Help organisations provide intuitive, informed, trustworthy consent experiences with positive outcomes.
Research Objectives
- Understand current consumer behaviours, pain points and needs regarding authentication
- Identify appropriate consumer experience criteria and metrics to assess authentication models
- Inform the development and proposal of new standards, and/or the revision of existing standards
- Identify appropriate models to be considered for adoption that are interoperable, flexible and adaptable
- Uplift authentication standards to offer improved experience, choice, convenience, inclusivity and security as well as alignment to consumers' existing digital experiences
- Understand how consumer behaviours and attitudes may shift for different use cases (e.g. banking vs energy) using the same authentication method
- Explore the impacts of different elements and mechanisms
Hypotheses
These hypotheses have been tested in all three rounds of Authentication Uplift research:
- Authenticating without needing to recall or manually enter information is preferred by users
- A familiar authentication method is perceived as more intuitive and will increase the likelihood of task completion
- If a user is informed of the next steps and contextual requirements of an authentication flow, then they will feel more comfortable and in control
- Informed user authentication can be supported by stating the purpose and outcome of the authentication. ("Why and what for?")
- The model meets or exceeds the user's expectations of friction, security and experience
In addition to the standard hypotheses, the research also looked to validate the following:
- Users are not averse to using a QR Code to authenticate
- Users find it more intuitive to use their device camera to scan the QR code over accessing a camera from their Data Holder’s app
- Users prefer to continue the journey back on their desktop browser than on their mobile browser for OTP (One Time Password)
- Effective messaging is needed to close the loop (for users to return to their desktop from their mobile device) and complete the journey
Numbering the five standard hypotheses 1-5 and the four additional hypotheses 6-9: consistent with the first two rounds of testing, hypotheses 1-4 were largely validated by the research. Hypotheses 5 and 8 were validated in the use cases where the QR code took the participant to their Data Holder’s app, but not in the cases where it redirected them to a browser on their mobile device. Hypotheses 6, 7 and 9 were validated by the research.
Research Approach
The following 4 major components of authentication were explored:
- Channel: This is the channel where authentication is performed. For example: mobile, desktop, kiosk etc.
- Modality: Modalities are the inputs used for authentication. For example: Biometric, Pin code etc.
- Authentication method: This is the method by which an authentication is performed. Of the many authentication factors, these three are the most commonly recognised:
- Knowledge-based: Something the user knows, such as a password or the answer to a security question
- Inherence-based: Something that the user is, as represented by a fingerprint or iris scan
- Possession-based: Something the user possesses such as a one-time password generator, certificate, or smart card
- Notification method: This is the different ways a user is alerted about the authentication requirement. For example: Push notification, Email notification etc.
Combination of elements tested in Round 3
Channel | Modality | Authentication method | Notification method |
Decoupled: Web-2-Web | One Time Password | Possession based | Text/SMS |
Decoupled: Web-2-App | Biometric + PIN Code | Inherence + Knowledge based | N/A |
Use cases
The research team developed 2 use cases that would be tested across 2 flows. The use cases included:
- Getting indicative interest rates for a car loan through a fictional non-bank lender called Lendify (ADR). The participant was told they bank with a real world banking data holder.
- Comparing energy plans from various providers using a fictional comparator service called Switch (ADR) to get a better deal on energy. The participant was told their provider was a real world energy data holder.
These use cases were tested across two prototypes. The first prototype tested a decoupled scenario where a participant began their journey on Lendify’s desktop website and scanned a QR code using a mobile phone which opened the DH’s app installed on the mobile device. They then authenticated and authorised in-app on the mobile device and were then prompted to return to their desktop browser to complete the journey.
In the second prototype, the participant began the journey on Switch’s desktop website, and scanned a QR code using a mobile phone. In this use case, no energy app was available on the device, so the fall-back was triggered. The browser was automatically opened with the DH’s log in page, where a participant authenticated with an OTP before returning to the desktop.
Figures (not reproduced): Use case 1 (Lendify, Web-2-App flow) and Use case 2 (Switch, Web-2-Web fall-back flow).
Methodology
Data was collected at various points in the research. The research team conducted both moderated and unmoderated testing sessions, both feeding into the final outputs. Moderated testing sessions involved a facilitator guiding the participants through tasks. Unmoderated test participants completed the test independently, as they would in a natural environment.
Moderated sessions: 1-on-1 interviews
- Number of participants: 10
- Activities: Screener, Interview, Prototype test, In-depth interview, Post-task Survey
- Duration: 1.5 hours
Unmoderated sessions: Maze Online platform
- Number of participants: 30
- Activities: Screener, Prototype test, Post-task Survey
- Duration: 30 minutes
Research Findings & Insights
Research findings and insights include key observations and themes identified during moderated research sessions, supported by participant quotes. Some findings may go beyond the scope of the research topic, but have been included for completeness. Recommendations to uplift the CX may also be included – though this has not been the focus for the research team – as the goal is to identify appropriate authentication models for the CDR.
1. Risk-based Authentication Aligns with Participant Mental Models
The research generally found that consumer participants expected authentication to adapt based on the associated level of risk when accessing certain data. Participants were familiar with risk-based authentication because it is common in industries such as banking, where providers have employed two-factor authentication (2FA) to occur when adding a new payee, as an example. Step-up authentication was highly valued by participants who prefer an extra layer of security, even if it means more steps (and time) to authenticate, as we discuss in Insight #6.
Research indicated that 8/10 moderated participants valued security over convenience. Examples of step-up authentication shared by consumer participants during research included requiring a higher level of authentication when transferring money. An example of a less risky action included accessing a social media account. Step-up authentication aligned with participant expectations of security and demonstrates the importance of security measures that are tailored to meet individual user actions. The extra layers and steps in the security process go far in giving participants comfort and peace of mind.
2. Fall-back Authentication: Decoupled is more Intuitive When an App is Available
Within Decoupled Authentication there are several ‘fall-back’ options which must be considered. Fall-back authentication serves as a backup method in case one of the primary authentication methods fails or is unavailable. In the instance of the research, two decoupled user flows were tested, both originated on a desktop browser and presented a QR Code for participants to scan with a mobile device. In one flow, the QR Code triggered the DH app to open, and in the second flow there was no DH app available so – as a fall-back – One Time Password authentication occurred in the mobile browser.
The research revealed that when participants authenticated through a DH app which was already installed on the device, they felt more comfortable and in control due to an established, pre-existing trust. Participants knew they were the one who installed the app from a reputable source and could log in with existing and preferred authentication methods. In the instance where no app was available and participants were directed to the mobile browser, they felt confused and irritated. Confused, because it was not clear to participants why they needed to authenticate on their mobile browser and couldn't simply continue the process on their initial desktop browser; and irritated because of a poorer user experience on mobile compared to web browser. There was also some concern around the validity and security associated with using QR codes, particularly when being redirected to a webpage (for more detail, see Insight #3 of this report).
Furthermore, the research found that only two of the ten consumer participants interviewed actually had their energy app installed on their mobile device. This highlights the importance for fall-back options to be considered for various use cases – particularly if the DH does not offer a mobile app – to ensure the authentication process is optimised and avoids unnecessary confusion and frustration.
There was a strong preference from participants to continue the authentication journey on the initial desktop browser if no app was available. This was due to an improved user experience on desktop; larger font size, more screen real estate, a keyboard and, for some, a preference to conduct banking and utility related activities on a desktop. Lastly, because participants couldn’t rationalise the requirement for two devices instead of one, there was feedback that switching between devices involved extra effort and friction and didn’t necessarily improve security.
3. Users are Cautious of QR Codes, though Accept their Usage with Caveats
Consumer participants were not familiar with the use of QR codes to initiate an authentication, but cautiously accepted it with certain caveats. As explored in Insight #2, consumer participants preferred the use of QR codes to log in if they have their DH’s app already installed on their device. However, the fall-back flow where a participant was directed to a browser on a mobile device generated a totally different response.
Firstly, there were concerns from participants around the lack of security associated with QR codes, with some participants having experienced data breaches relating to the use of QR codes for COVID check-ins. One participant also experienced what they described as ‘fake QR codes’ which were stuck on top of legitimate QR codes in a bid to collect user data. Participants also expressed concern around the lack of visibility of where a QR code would take them, and not knowing whether the redirection would take them to a spoofed website or potentially inject malicious code. The security and privacy of QR codes are opaque, and there was a shared perception that the process was not commonly experienced by consumer participants in the past.
Consumer participants found it suspicious when the desktop website updated on its own after they had authenticated on the mobile device. The desktop page used asynchronous calls, a technique that lets parts of a page update independently without a full page reload. Although this usually improves the user experience, in this instance it was not clear to participants how the two devices had communicated, so the automatic update read as something happening without their involvement.
Using a QR code to authenticate may meet user expectations of security when it opens the DH’s app for authentication. Using it to open a web page in the user’s mobile browser is only likely to be accepted in low-risk scenarios with a compelling use case.
4. Consumers Feel Empowered And In Control When Corporations Act Responsibly
The research highlighted participant opinions on the importance of corporate responsibility and ‘holding up their end of the bargain’ in order to build trust and help participants feel more in control of their online security. Consumer participants believed that more needs to be done by corporations to keep user data safe from hacking attempts, while also implementing practical security measures that encourage good practice from customers. For instance, balancing password complexity and strength requirements so users aren’t creating low-quality passwords (e.g. Password123!) simply to satisfy the requirements.
While the participants take measures such as implementing strong passwords, updating them regularly, and monitoring credit reports for credit applications following data leaks, they felt that they can only do so much to protect their privacy and data online. Participants felt strongly that data protection can only rely so much on the consumer, and the majority of the onus should fall on the corporates. Participants expect corporations to act in their best interests, hire expert cyber security teams, and implement the latest and greatest security measures to protect customer data from breaches, while also finding a balance between security and convenience. Although larger brands are perceived as being more trustworthy, participants recognised that their data is not guaranteed safety. Participants cited Optus, Medibank and Latitude as examples of companies whose recent data breaches have shaken consumer trust.
Overall, participants want to feel more in control of online security and expect corporations to take responsibility for data protection. Keeping customers updated on data security, breaches, methods to keep accounts safe and any compromises in data should be swiftly and regularly communicated to account holders in order to assist participants to feel more in control. Consumer participants noted they generally only create accounts out of necessity and want their data to be protected, so it is crucial for corporations to prioritise security measures to build and maintain consumer trust and build systems which withstand any attempts by hackers.
5. Participants are Wary Of The Potential For Security Breaches
Participants are highly aware of potential security breaches while using the internet – the recent highly publicised data breaches of well-known Australian companies has meant online security is top of mind for participants. Several participants raised these data breaches in the research sessions, with a number of them involved or impacted by the breaches and subsequently changing their behaviour online to safeguard their data.
Participants are conscious of the risks and the possibility of security breaches when accessing information online, particularly when using QR codes to initiate authentication. Participants seemed comfortable when the QR code opened a DH app which was installed on the device (as touched on in Insight #2 of this report), but they were far more concerned about the lack of credibility of QR codes when redirected to a browser. Participants were worried they might be taken to a fake website, that malicious code might be injected via the QR redirect URL, or that keystrokes might be recorded after opening a bad web page. In addition to feeling uneasy, some participants also expressed discomfort with the possibility that their device’s camera could be accessed without their consent beyond the period of scanning.
6. Extra Authentication Factors Are Appreciated Even When Unexpected
Consumer participants appreciated extra authentication factors even when they were not expected. Although two or more factors were expected for high-risk scenarios such as banking or health-related data, participants also appreciated extra factors for actions they deemed lower-risk, such as energy data. Even when 2FA was not required, participants were not bothered by the extra step, extra time or the increased friction. On the contrary, participants perceived the extra layers of security as the brand or corporation’s effort to prioritise consumer privacy and data safety, and as a demonstration that they take customer data security seriously. Implementing extra factors gave participants a sense of security and comfort. As explored in Insight #1, participants did not think a use case such as a social media log-in warrants MFA, whereas riskier use cases like financial transactions were perceived to carry enough risk to justify it. Research indicated that extra factors or increased friction should be in context and relevant to the use case.
7. Participants Are Aware And Educated Regarding Risks And Scams Online
This round of research produced similar findings to Round 1 research Insight #4 “Users Rely on Visual Trust Markers”. Consumer participants tested were conscious of the risks involved with using the internet and implement practices and habits to ensure the safety and security of their data. Similar to Round 1, this round of research found that participants were aware of and looked for visual cues to assess whether a site or experience was secure and trustworthy. Examples of these cues include checking URLs to ensure their legitimacy, not clicking on random links in text messages (even if the SMS has come through in the text-thread from their bank), and looking for SSL certificates on websites.
Participants noted that any activity or action which they personally initiated is preferred (such as opening an app on their own accord rather than receiving a SMS with a link to open) as it gives participants peace of mind. They also appreciate being informed and educated about online risks and scams by the business they engage with. Those who have been impacted by previous security breaches are proactive in their approach to online safety and actively seek out information and advice on how to protect themselves, with one participant even enrolling in an InfoSec TAFE course to learn more. While consumer participants were cautious, they also understood and accepted that there are inherent risks with using the internet. Overall, participants felt that they are well-informed and educated when it comes to online safety and take steps to ensure their security.
8. The Term “Decoupled” Was Not Widely Recognised, Though Participants Were Familiar With The Method
The term "Decoupled” authentication was not widely recognised among participants, although they were familiar with the method and had used it before when prompted. While most consumer participants had not heard of the term "decoupled," they recognised the process once it was explained to them. Participants who were not familiar with the term said they had used the method frequently in the past or currently used a form of it.
Research Outputs
Global Performance: Radial Graph
Global Performance is a measure developed by the research team to define success for various authentication models, made up of five separate measures:
- Recall & input
- Familiarity & completion
- Comfort & control
- Purpose & outcome
- Expectations
Each of these five measures consists of three metrics (listed in the ‘Measures & Metrics in detail’ table) collected throughout the research; the measure score is the average of its three metric scores. These five measures are then plotted on a five-point radial graph, showing the global performance of the respective authentication model.
Decoupled
Decoupled metrics and measures outcomes. A score above 4 is considered excellent, above 3.75 is considered very good, a score below 3.25 is considered poor and below 3 is bad.
Measures and metrics | Score |
Recall & input | 3.76 (score for measure) |
Information a user needs to recall | 4.14 (score for metric) |
Users perception of length | 3.02 (score for metric) |
Number of user inputs | 4.12 (score for metric) |
Familiarity & completion | 3.25 (score for measure) |
Familiarity | 3.06 (score for metric) |
Brand influence | 3.22 (score for metric) |
Current authentication models | 3.47 (score for metric) |
Comfort & control | 3.52 (score for measure) |
User feeling in control | 3.33 (score for metric) |
Awareness of next step | 4.29 (score for metric) |
Trustworthiness | 2.94 (score for metric) |
Purpose & outcome | 3.36 (score for measure) |
Benefit awareness | 3.33 (score for metric) |
Sensitivity of value prop | 3.54 (score for metric) |
Level of positive-friction | 3.22 (score for metric) |
Expectations | 3.60 (score for measure) |
User security expectations | 3.55 (score for metric) |
Perceived security | 3.56 (score for metric) |
Sector | 3.69 (score for metric) |
Radial graph (figure not reproduced): Recall & Input 3.76, Familiarity & Completion 3.25, Comfort & Control 3.52, Purpose & Outcome 3.36, Expectations 3.60.
Consumer Behavioural Archetypes
Each Archetype has specific needs for how authenticating to share CDR data should work in order for them to trust and understand it.
- Sceptics (36% of participants) are less trusting of organisations and/or technology. They generally value control, and are averse to sharing data based on experience with current practices.
- Assurance Seekers (51% of participants) want to read additional information. They generally value familiarity and external reference/support, and are apprehensive to new experiences.
- Sensemakers (13% of participants) need to understand how the process works. They generally value details, and can trust the process if given enough valuable information.
- Enthusiasts (0% of participants) are excited to get the benefits of authenticating to share CDR data. They generally value simple experiences once trust is established.
System Usability Scale
The overall SUS (System Usability Scale) score for Decoupled authentication with QR code was 74.29, which is considered ‘good’ but not great; anything above 80.3 is well-performing. In the SUS graph (not reproduced here) each participant’s score is marked by their Consumer Behavioural Archetype (Sceptics, Assurance Seekers, Sensemakers, Enthusiasts). The raw SUS scores were widely distributed for this round of research. When reviewing the SUS scores against the archetypes, researchers observed a trend: most Sceptics consistently scored lower than the other archetypes, consistent with how that archetype is characterised. Sensemakers generally recorded higher scores, while Assurance Seekers had mixed results. Of all consumer participants, 38% rated their experience as ‘excellent’, 31% as ‘good’, 15% as ‘okay’ and the remaining 15% as ‘poor’ or ‘very poor’.
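The two quantitative outputs above, the Global Performance measures and the SUS score, as an added worked example of how such scores are derived. This is illustrative code written for this page, not the research team's tooling. The Global Performance bands (above 4 excellent, above 3.75 very good, below 3.25 poor, below 3 bad) and the metric values are taken from the report; the measure being the mean of its three metrics is verifiable from the report's own table. SUS scoring follows the standard published method (odd, positively worded items contribute the answer minus 1; even, negatively worded items contribute 5 minus the answer; the sum is scaled by 2.5). The 68 threshold used for the ‘good’ band is an assumption taken from the published SUS literature, not from this report, and the questionnaire answers are constructed, not research data.

```python
"""Global Performance and SUS scoring (added illustrative example; not the research team's code)."""
from __future__ import annotations

from statistics import mean


def measure_score(metrics: list[float]) -> float:
    """A Global Performance measure is the mean of its three metric scores (1-5 scale),
    rounded to two decimals as in the report's table."""
    if len(metrics) != 3:
        raise ValueError("each measure is built from exactly three metrics")
    return round(mean(metrics), 2)


def gp_band(score: float) -> str:
    """Bands stated in the report for the 1-5 Global Performance scale."""
    if score > 4:
        return "excellent"
    if score > 3.75:
        return "very good"
    if score < 3:
        return "bad"
    if score < 3.25:
        return "poor"
    return "middle"   # 3.25 to 3.75 carries no label in the report


def sus_score(responses: list[int]) -> float:
    """Single-respondent SUS: odd items contribute (answer - 1), even items (5 - answer);
    the 0-40 sum is scaled to 0-100."""
    if len(responses) != 10 or any(not 1 <= r <= 5 for r in responses):
        raise ValueError("SUS needs ten answers, each in the range 1-5")
    total = sum((r - 1) if i % 2 == 0 else (5 - r) for i, r in enumerate(responses))
    return total * 2.5


def sus_study_score(all_responses: list[list[int]]) -> float:
    """Mean SUS across respondents, rounded to two decimals as the report presents it."""
    return round(mean(sus_score(r) for r in all_responses), 2)


def sus_band(score: float) -> str:
    if score >= 80.3:   # 'well-performing' threshold quoted in the report
        return "well-performing"
    if score >= 68:     # assumed: published SUS average, not stated in the report
        return "good"
    return "below average"


# Metric scores from the report's Decoupled table, grouped by measure.
DECOUPLED_METRICS = {
    "Recall & input": [4.14, 3.02, 4.12],
    "Familiarity & completion": [3.06, 3.22, 3.47],
    "Comfort & control": [3.33, 4.29, 2.94],
    "Purpose & outcome": [3.33, 3.54, 3.22],
    "Expectations": [3.55, 3.56, 3.69],
}

# Constructed questionnaire answers (not research data), ten items each.
SAMPLE_SUS = [
    [5, 1, 5, 1, 5, 1, 5, 1, 5, 1],   # strongly positive respondent
    [3, 3, 3, 3, 3, 3, 3, 3, 3, 3],   # neutral throughout
    [4, 2, 4, 2, 4, 2, 4, 2, 4, 1],   # mostly positive
]

if __name__ == "__main__":
    for name, metrics in DECOUPLED_METRICS.items():
        s = measure_score(metrics)
        print(f"{name}: {s} ({gp_band(s)})")
    overall = sus_study_score(SAMPLE_SUS)
    print(f"SUS: {overall} ({sus_band(overall)})")
```

Running `measure_score` over the report's metric values reproduces every measure score in the table, which is a useful consistency check when a radial-graph label and the table disagree.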
Opportunities
The research found that consumer participants were not entirely comfortable with the use of QR codes for authentication, with concerns around their safety and the need for more instructions on the process. The method could be supported by the CDR with the following constraints in order to meet user expectations of comfort, control and trust:
- Only switch devices if an app is available: Adding a step within the Consent Flow for users to indicate whether they have access to their DH app may avoid unnecessary routing to a mobile device and let users continue the journey solely on their desktop. Participants preferred not to switch devices unless it was to authenticate in an existing, installed DH app they had established trust with, and wanted an option to continue the authentication process on their desktop if they did not have the DH’s app on their device.
- Provide contextual information on the QR code and process: It is important that more contextual information is shared by DHs on how QR codes work and where they will be taken before scanning the QR code. This could help increase user confidence and comprehension and provide a greater sense of comfort and control. Participant suggestions included displaying URL link for users to match to that in their browser, an alternative to QR codes such as a code to enter into their DH app, or a URL link to manually copy and paste into their mobile browser. Participants wanted to know where they were going and the signs to look out for to ensure the redirect was legitimate and secure.
- Remedy concerns regarding the safety of QR codes: More information should be provided from the Data Holder to inform the user of the security and safety measures associated with QR code usage, and to explain the mechanisms which facilitate communication between the ADR and DH. While authenticating after using a QR code is quick, easy, and intuitive, it does not counter the participant perception of poor security. Therefore, it is important to address these concerns and provide users with the necessary information to improve their trust and satisfaction in the process.
- The model may be successfully adopted as part of Step-up Authentication: The research further supports implementing Step-up Authentication to improve user perceptions of security and trust and match mental models. This could be implemented across the Consumer Data Right irrespective of sector, and go far in meeting and exceeding user perceptions of security and trust.
The study concludes with this third round of research. The research team will now focus on preparing a report on the outcomes and compare the findings across the three models tested along with a recommendation for consultation. Overall, this Authentication Uplift research has provided many valuable insights into participant perceptions of various authentication methods and how they may be improved to provide informed, intuitive and trustworthy consent experiences.