- Executive Summary
- Consultation
- Context
- Findings
- Research artefacts at a glance
- Project goals
- Research Objectives
- Hypothesis
- Research Approach
- Use cases
- Methodology
- Research Findings & Insights
- 1. Findings from Round 1 are reaffirmed
- 2. Biometric authentication is still maturing
- 3. Protecting vulnerable customers is paramount
- 4. Access to one is access to all
- 5. Redirect to app is preferred when compared to browser, but with caution
- 6. Control is found through self-initiated action
- 7. Step up authentication feels good
- 8. Accessibility and inclusion are continuing factors in uplifting authentication experiences
- Research Outputs
- Global Performance: Radial Graph
- App/Browser-to-App with Biometric
- Recall & Input (3.93)
- Familiarity & Completion (3.84)
- Comfort & Control (3.74)
- Purpose & Outcome (3.53)
- Expectations (3.56)
- Consumer Behavioural Archetypes
- System Usability Scale
- Summary
Executive Summary
This report contains findings and recommendations from the second round of CX research conducted as part of the Authentication Uplift project. Round 2 research focussed on ‘App/Browser-to-App with Biometric’ and ran in November of 2022. The purpose of the research was to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective is to give consumers more choice and freedom when authenticating themselves with data holders, while maintaining financial grade security. Round 1 was conducted in September of 2022 and benchmarked the existing ‘Redirect with One Time Password (OTP)’ model.
In total, 90 consumers participated in round 2 research; 10 consumers participated in 1:1 interview sessions which ran for an hour and a half each and 80 consumers participated in unmoderated prototype tests which ran for half an hour. App-to-app and Browser-to-App prototypes were used to facilitate discussion and generate insights in relation to the authentication models shown, as well as to authentication more generally.
Consultation
This project relates to NP280 which is open for consultation from 14 December 2022 to 27 January 2023.
Context
The authentication stage is the second step in The Consent Model and involves a consumer verifying who they are with their Data Holder (DH). This step is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.
Authentication in the CDR regime is limited to a single, consistent authentication model, referred to as the ‘Redirect with One Time Password’ flow. No other flows are currently supported. ‘Redirect with One Time Password’ was previously tested in June 2019 against two models, ‘Redirect to Known’ and ‘Decoupled’, and was found to be the preferred authentication model by research participants. The outcomes can be accessed in the Phase 2 Stream 3 report.
This research has been informed by the following:
- In December 2021, the Government noted support for the Inquiry into Future Directions for the CDR’s recommendation to review the approach to authentication. The Inquiry stated that ‘the convenience and consumer experience of different authentication mechanisms should be considered’ when assessing how to expand CDR authentication support.
- The Independent Information Security Review published in July 2022 separately highlighted that the current approach to CDR authentication does not meet minimum security requirements, and adjustments are warranted.
- The CDR community have also requested changes to the current CDR authentication model, which the DSB is considering as part of this work (see CR405, CR554 and CR542).
- Decision 182 – Information Security Uplift for Write (aka action initiation): this consultation sought community input on how the info sec profile might evolve to explicitly support write operations.
Findings
The research found that biometric authentication methods (such as FaceID) weren’t as widely accepted as the research team had initially anticipated, even though all 90 participants were familiar with them and used them frequently. We observed preferences for biometrics over traditional passwords in some use cases because of their uniqueness and inherence, but only in scenarios where little-to-no risk was involved in a successful authentication. While there was general agreement that authentication should adapt to the scenario (i.e. accessing sensitive vs. non-sensitive data), as in Round 1 not all participants shared this view. This was not because they thought less-sensitive data (such as telco or energy data) required less stringent authentication; rather, these participants expected all of their data to be kept secure and private. Many participants expected a standardised approach to authentication, with consistent and strong authentication required to log in irrespective of the use case or the sensitivity of the data. Participants unanimously preferred Multi-Factor Authentication (MFA) over any authentication model using only one factor.
From the 2-Factor Authentication (2FA) use cases tested (FaceID + OTP, FaceID + PIN) the research team observed a preference for step-up authentication (step-up authentication requires additional levels of authentication as the risk profile and sensitivity of the action increase). Some participants found back-to-back authentication overwhelming (back-to-back authentication asks for two factors of authentication in a row), whereas step-up authentication was perceived as the gentler approach and was read as a confirmation of an action, leaving the participant feeling confident and in control. This is covered further in Insight #7 of this report.
There were a few issues raised by participants about redirecting from a consumer app or website to a Data Holder app for authentication and authorisation; with several participants saying they may flag automatic redirection in the real world as a suspicious “phishing attempt” if they were engaging with a brand they had not yet established trust with. Participants also stated they would feel more in control if there was an alert such as a push notification or a call to action button prior to moving over to their Data Holder app (rather than being redirected automatically) especially in the instances where the authentication method was FaceID as a single factor. This was because several participants had experiences historically where they unintentionally authenticated with FaceID just because they were looking at their phone at the point of the prompt. Lastly, for the use cases where biometric methods were used as a single factor, participants desired higher levels of friction when there was more risk involved in the action they were taking.
The research found that, while scores were not significantly different, redirecting to a DH app from an ADR app was considered more trustworthy and had slightly higher participant confidence compared to redirecting from a browser-based website. However, this finding is only true for apps that have been downloaded from a reputable source and have a pre-established level of user trust and confidence – thus making it a strong option particularly for the banking sector, with many participants having installed and regularly using their banking providers’ mobile app. For the scenarios where a participant didn’t have a Data Holder’s app installed on their device, there were two groups of expectations for what should occur; the first was that the user would be taken to a browser where they could access the web-version of the service to authenticate, and the second was that they would be taken to the AppStore or GooglePlay to download the application.
Accessibility and inclusivity continue to play a key role in how users authenticate to a platform. This round also found participants advocating for a risk-based model to protect vulnerable consumers such as those who experience Domestic and Family Violence, as there is a risk of one party taking on debt without their knowledge, or coerced consent.
We explore these findings in depth throughout this report and provide some early-stage, high-level recommendations in the summary section of this report.
Research artefacts at a glance
The following artefacts have been produced following the research and represent our findings. Each artefact is explored in further detail in the Research Outputs section of this report.
Global Performance
Consumer Behavioural Archetypes
System Usability Scale (SUS)
Project goals
This research project aimed to:
- Identify appropriate authentication models to support in the CDR;
- Provide CX input to the authentication framework to assess incoming/supported models;
- Strike a balance between security, consumer experience and value delivery;
- Help organisations provide intuitive, informed, trustworthy consent experiences with positive outcomes.
Research Objectives
- Understand current consumer behaviours, pain points and needs regarding authentication
- Identify appropriate consumer experience criteria and metrics to assess authentication models
- Inform the development and proposal of new standards, and/or the revision of existing standards
- Identify appropriate models to be considered for adoption that are interoperable, flexible and adaptable
- Uplift authentication standards to offer improved experience, choice, convenience, inclusivity and security as well as alignment to consumers' existing digital experiences
- Understand how consumer behaviour/attitude may shift for different use cases (e.g. banking vs energy) using the same authentication method
- Explore the impacts of different elements and mechanisms
Hypothesis
- Authenticating without needing to recall or manually enter information is preferred by users
- A familiar authentication method is perceived as more intuitive and will increase the likelihood of task completion
- If a user is informed of the next steps and contextual requirements of an authentication flow, then they will feel more comfortable and in control
- Informed user authentication can be supported by stating the purpose and outcome of the authentication. ("Why and what for?")
- The model meets or exceeds the user's expectations of friction, security and experience
Consistent with Round 1, hypotheses 1-4 were largely validated by the research. Hypothesis #5 was validated in some use cases, but not in others. The use cases which involved a second factor of authentication as well as a Biometric method exceeded user security expectations, but failed to meet expectations in scenarios where Biometric was used alone.
Research Approach
The following 4 major components of authentication were explored:
- Channel: This is the channel where authentication is performed. For example: mobile, desktop, kiosk etc.
- Modality: Modalities are the inputs used for authentication. For example: Biometric, Pin code etc.
- Authentication method: This is the method by which an authentication is performed. Of the many authentication factors, these three are the most widely recognised:
  - Knowledge-based: Something the user knows, such as a password or the answer to a security question
  - Inherence-based: Something the user is, as represented by a fingerprint or iris scan
  - Possession-based: Something the user possesses, such as a one-time password generator, certificate, or smart card
- Notification method: This is the different ways a user is alerted about the authentication requirement. For example: Push notification, Email notification etc.
Combination of elements tested in Round 2
| Channel | Modality | Notification method | Authentication method | Elements of authentication |
| --- | --- | --- | --- | --- |
| App-to-App | Biometric only | Push | Inherence | Something the user is (FaceID) |
| App-to-App | Biometric + OTP (step-up) | Text/SMS | Inherence + possession | Something the user is (FaceID); something the user has (Phone/OTP) |
| Browser-to-app | Biometric only | Push | Inherence | Something the user is (FaceID) |
| Browser-to-app | Biometric + PIN (back-to-back) | Push | Inherence + knowledge | Something the user is (FaceID); something the user knows (PIN) |
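To make the factor taxonomy above, the four tested combinations, and the step-up versus back-to-back distinction from the Findings section concrete, here is an added illustration in Python. It is not code from the DSB, the report, or any data holder; the class names, the "low"/"sensitive" risk tiers and the rule that step-up prompts for the second factor only at the sensitive tier are assumptions chosen for the example. It also generalises slightly beyond the table by showing what happens when a factor cannot be presented (for instance FaceID failing behind a mask, as participants described).

```python
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    """The three factor types named in the Research Approach section."""
    KNOWLEDGE = "something the user knows"   # password, PIN
    INHERENCE = "something the user is"      # FaceID, fingerprint
    POSSESSION = "something the user has"    # phone that receives an OTP


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category


# Constructed factor instances matching the Round 2 combinations table.
FACE_ID = Factor("FaceID", Category.INHERENCE)
PIN = Factor("PIN", Category.KNOWLEDGE)
SMS_OTP = Factor("Phone/OTP", Category.POSSESSION)


def is_multi_factor(factors):
    """MFA means factors from two or more distinct categories; a PIN
    followed by a password is two prompts but still single-factor."""
    return len({f.category for f in factors}) >= 2


@dataclass
class Session:
    verified: list = field(default_factory=list)  # factors the user passed
    prompts: list = field(default_factory=list)   # everything the user was asked, in order


@dataclass(frozen=True)
class FlowPolicy:
    """One row of the combinations table (channel omitted; it does not
    change the factor logic).

    back_to_back=True asks for every factor at login, one after another.
    back_to_back=False asks only for the first factor at login and holds
    the rest back until an action reaches step_up_tier (step-up).
    """
    factors: tuple
    back_to_back: bool
    step_up_tier: str = "sensitive"   # assumed tier name; the report defines no tiers

    def required(self, action_risk):
        if self.back_to_back or action_risk == self.step_up_tier:
            return self.factors
        return self.factors[:1]

    def _verify(self, session, factor, available):
        session.prompts.append(factor.name)
        if factor in available:           # a factor the user cannot present simply fails
            session.verified.append(factor)

    def login(self, available):
        session = Session()
        wanted = self.factors if self.back_to_back else self.factors[:1]
        for factor in wanted:
            self._verify(session, factor, available)
        return session

    def authorise(self, session, action_risk, available):
        """Gate an action; prompt for any required factor not yet verified
        (a factor that failed at login is asked for again here)."""
        for factor in self.required(action_risk):
            if factor not in session.verified:
                self._verify(session, factor, available)
        allowed = all(f in session.verified for f in self.required(action_risk))
        return {"allowed": allowed, "mfa": is_multi_factor(session.verified)}


# Three of the four tested prototypes (the two biometric-only rows share one policy).
BIOMETRIC_ONLY = FlowPolicy((FACE_ID,), back_to_back=True)
FACEID_OTP_STEP_UP = FlowPolicy((FACE_ID, SMS_OTP), back_to_back=False)
FACEID_PIN_BACK_TO_BACK = FlowPolicy((FACE_ID, PIN), back_to_back=True)


def run_flow(policy, action_risk, available):
    """Log in, then attempt one action; return what was asked and the outcome."""
    session = policy.login(available)
    outcome = policy.authorise(session, action_risk, available)
    return session.prompts, outcome


if __name__ == "__main__":
    everything = {FACE_ID, PIN, SMS_OTP}
    for name, policy in [("biometric only", BIOMETRIC_ONLY),
                         ("FaceID + OTP step-up", FACEID_OTP_STEP_UP),
                         ("FaceID + PIN back-to-back", FACEID_PIN_BACK_TO_BACK)]:
        for risk in ("low", "sensitive"):
            prompts, outcome = run_flow(policy, risk, everything)
            print(f"{name:26} {risk:9} prompts={prompts} {outcome}")
```

Running it shows the difference participants reacted to: the back-to-back policy asks for both factors before the user has done anything, while the step-up policy asks for FaceID alone at login and only adds the OTP prompt once a sensitive action is attempted. The biometric-only policy never reaches MFA, which is the case the report says fell short of expectations.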
Use cases
The research team developed 2 use cases that would be tested across 4 different user flows. The use cases included:
- Getting indicative interest rates for a car loan through a fictional non-bank lender called “Lendify” [ADR]. The participant was told they bank with a real-world Data Holder (DH).
- Comparing telco plans from various providers using a fictional comparator service called “TelCompare” [ADR] to get a better deal on home internet. The participant was told their provider was a real-world DH.
These two use cases were each then extrapolated into two user flows: the first saw the ADR experience on a website (“Browser-to-App”), and the second had the ADR experience in a mobile app (“App-to-App”). This resulted in a total of four prototypes which were tested with research participants. These have been broken down below:
NB: All of the following flows involve a user authenticating in their Data Holder’s app, and assume the DH app has been pre-installed and previously used on the device.
App-to-App
Banking: User gets indicative interest rates using the Lendify app and shares data from a real-world DH.
Telco: User compares their home internet plan with more competitive telco providers on the market, using the TelCompare app.
Browser-to-App
Banking: User gets indicative interest rates using the Lendify website and shares data from a real-world DH.
Telco: User compares their home internet plan with more competitive telco providers on the market, using the TelCompare website.
Use case 1 (Banking)
Use case 2 (Telco)
Methodology
Data was collected at various points in the research. The research team conducted both moderated and unmoderated testing sessions, both feeding into the final outputs. Moderated testing sessions involved a moderator guiding the participants through tasks. Unmoderated test participants completed the test independently, as they would in a natural environment.
Moderated sessions: 1-on-1 interviews
- Number of participants: 10
- Activities: Screener, Interview, Prototype test, In-depth interview, Post-task Survey
- Duration: 1.5 hours
Unmoderated sessions: Maze Online platform
- Number of participants: 80
- Activities: Screener, Prototype test, Post-task Survey
- Duration: ~30 minutes
We aim to reduce our bias by engaging with a diverse and broad audience reflective of the Australian population.
Proposed requirements:
- Mix of age, gender, location
- Explicitly aim to include people with non-English speaking backgrounds
- Explicitly aim to include people with a range of accessibility needs
- Mix of digital, financial, and data literacies and experiences
- Mix of consumer adoption types
For the hypothesis expectations to be effectively met, we assume that the user:
- Owns a smart phone
- Has their DH’s app installed and has previously logged in
Research Findings & Insights
Research findings and insights include key observations and themes identified during moderated research sessions, supported by participant quotes. Some findings may go beyond the scope of the research topic, but have been included for completeness. Recommendations to uplift the CX may also be included – though this has not been the focus for the research team – as the goal is to identify appropriate authentication models for the CDR.
1. Findings from Round 1 are reaffirmed
The second round of research further validated all findings generated in the first round of research. We’ve explored how they manifested in round 2 below:
- Friction is multifaceted: Round 2 finding “2. Biometric authentication is still maturing” validates this finding by shedding light on the unhealthy friction users experience when using Touch or FaceID.
- Secure authentication goes beyond just logging in: in this round 1 finding we explored user desires for features like automatic logout. Round 2 finding “6. Control is found through self-initiated action” gives credence to this initial finding and provides more detail about the kinds of controls which contribute to positive user experiences.
- Authentication through a generational lens: whilst not a major recurring theme, generational perspectives appear in round 2 insight “2. Biometric authentication is still maturing”, which found that older participants typically mistrust or dislike biometric forms of authentication.
- Users rely on visual trust markers: this insight is inherently implied in much of the round 2 exploration rather than explicitly validated. We know the indicators and triggers that users look to, time and time again, to verify the integrity and trustworthiness of an app or website.
- OTP is known (and trusted) as a second factor: several new insights from round 2 speak to this insight, particularly “7. Step up authentication feels good”, with users viewing biometric as a first factor when paired with a second factor such as OTP or PIN code.
- Users trust established brands, but expect more from them: similar to insight 4, this insight still rang true in round 2 research as a belief users unconsciously and inherently held.
- Users perceive multi-factor adaptive authentication as the norm: this statement was further demonstrated in round 2 in insights “7. Step up authentication feels good” and “4. Access to one is access to all”.
2. Biometric authentication is still maturing
Our findings revealed that all participants were familiar with biometric methods of authentication, though many participants – particularly those in older generations – either didn’t have devices that support fingerprint or FaceID or, more commonly, didn’t trust the method. This mistrust is partly caused by recent data breaches.
User attitudes toward biometric authentication walk a line between convenience and frustration. Several participants cited frustrations with biometric methods for various reasons. The most commonly raised issues were physical impacts, like having wet hands or wearing face-masks or glasses, which prevented successful verification; and accidental verification, where apps were opened or tasks actioned simply because the user was looking at the device at the point of biometric authentication, without intending to authenticate. The participants who had experienced accidental facial authentication expected a secondary method such as a PIN, a theme which re-appeared throughout the prototype testing, with many participants expecting a second verification to access data or confirm actions.
While the majority of participants were familiar with using Fingerprint or FaceID to access their smartphones, many felt more comfortable using other authentication methods to access their banking and data-sensitive apps. Biometrics alone weren’t perceived as secure enough, until paired with a secondary factor, particularly for banking use cases.
One interesting point to note is that biometric methods were preferred by participants who had mental health challenges and physical disabilities, as they found it faster and less challenging to authenticate.
“I have some concerns about biometrics because you still have to identify owner of the biometric and if it's hacked, if getting your identity documents is difficult, getting your biometric record back could be even more difficult.” – R2P8
“I mean for myself it's fine. Thinking on a broader scale, I think they [biometrics] could pose some challenges. I think there needs to be a way that it's not discriminative, so everybody has the same ability and ease to use it. You know, maybe if I had wrinkly fingers or something TouchID wouldn’t work – whatever your situation is, you don’t want to feel like you’re the odd person out, that it wasn't made for you. So I think there needs to be different layers of acceptance. Somebody could be blind, I guess it's just making sure that everybody feels like they have their own ability to be able to complete tasks and they're included. So I think that's on a larger scale, nobody thinks about that because the common denominator is everybody; but then obviously there are individuals that are left out of that. So how to overcome that? I guess it really needs to be tried and tested on all, all people's abilities: if they can hear, if they can see, if they can read, if they can write… whatever may be their interpretation of whatever language that they're reading or interpreting that there's enough allowance for that, that it's acceptable for everybody.” – R2P1
“Yes, my mobile phone has thumbprint and I have chosen it as an option in certain apps like say Afterpay or the Google wallet and so on. So yeah, fingerprint primarily I have had face ID as well, although I find as a glasses-wearer FaceID can be very fussy at times if it decides that you know, “oh you have new glasses” or “you are not wearing your glasses” or “you're on slightly the wrong angle”; it can get fussy – which is good – I'd rather it be fussy than lax because it being fussy means it's doing its job. But yeah, so fingerprint is usually the primary one I've preferred.” – R2P2
3. Protecting vulnerable customers is paramount
What may have been one of the most alarming findings from the research to date was the risk authentication poses to vulnerable users. One research participant with a background as a financial counsellor shared their experience working with victims of financial abuse. These cases are varied in nature, but regularly involve Domestic and Family Violence, which extends to one partner suffering financial abuse at the hands of another. This can also extend to elder abuse, particularly in communities where English is a second language. These cases can often involve the victim taking on debt for the perpetrator and have significant and long-lasting impacts on the victim; mentally, emotionally and financially.
Such cases can occur from the perpetrator having access to the victim’s smartphone; knowing their PIN code or being registered as a secondary user with biometric capabilities. This means they can access the victim’s device, and easily action tasks with or without the victim’s understanding, knowledge or consent. These risks obviously go beyond just authenticating, and expand to the actions an intruder can take after the authentication has occurred. Actions can involve applying for loans or other lines of credit, purchasing goods through online stores, and approving transfers of money, to name a few. This highlights an issue far greater than the need for secure authentication, and identifies a systemic and widespread societal issue, one which secure authentication can’t solve, but can do its part in reducing potential suffering.
“My concerns are for people who are experiencing financial abuse. There can be multiple FaceIDs that can be set up on a device – that gives you access to logging onto someone else's banking app – by just using their credentials. So as an example, my husband and I have FaceID on my phone. He's got his, I've got mine. So he can use my Banking app and it will allow him to go into the app rather than putting my password in. And for those instances where someone is in a financially abusive relationship, there's a risk. How do you find out it's the same person? How do you find out it's the same person who's actually approved or authorised that that transaction?” – R2P4
“And I guess in my work I see so many instances where women have been, and I will say men as well, have been placed into debt without their understanding or their consent. And where English is a second language, how about how is this going to work for people when there's no digital inclusion for them? They might not have access to a phone, they might not have access to technology. So are we actually creating a, a further digital divide for those people.” – R2P4
“So I can log on to a website and I can apply for a credit card, I can apply for a personal loan, I can apply for a car loan, I can apply for any Buy Now, Pay Later products. All I need to put in is a driver's license, sign it and you know, give any whatever a hundred points of ID are required and give access to my bank details. It's all approved. Where is my right? Where's my choice when I haven't even agreed to any of those things and someone's just misused my identity to do all of that and has put me into debt. And how am I then going to go and prove that it wasn't me?” – R2P4
4. Access to one is access to all
Across the board it was apparent that participants advocated for consistent and strong authentication requirements, irrespective of the data they were accessing. The notion that even seemingly insensitive data such as an energy account profile or account balance can be stitched together with other innocent information to create a holistic view of the person continues to give rise to concern around privacy and security. These feelings are further exacerbated by the recent cases of data leaks and hacking in Australia; accessing even minor personal information can give hackers access to more important, higher-risk data. Participants feel their data should be kept private and secure regardless of how sensitive; further highlighting the importance of a gold-star authentication process.
There is little evidence to support extra factors of authentication negatively impacting a user’s experience. There may be an initial and brief annoyance at the second verification step, but these feelings are quickly counteracted with reassured comfort for the safety and security of their account. With this considered, we can confidently proceed with implementing multiple factors of authentication aware that participants recognise the benefit and appreciate the security.
“I'd probably expect maybe a second factor just because of the sort of data that our telcos do have these days – between our licenses and passports – they have a fair bit of detail. I'd probably prefer they had some form of secondary kind of passcode or factor.” – R2P5
“I think it would be better to have the two factor whatever it's called, Authentication system. Like even though I feel less protective of my telco data than my banking data, I think it's still good to take those extra measures. It just sort of like gives me more confidence I guess in the company that they give a shit about security.” – R2P7
“I think I've noticed like more of a shift with all of the organisations I deal with shifting to two factor authentication. It was really annoying me initially because it's just like an extra thing to do, but I have come to appreciate it and I don't see any reason why we shouldn't just have that with everything. Especially when, like for me it's often, you know, they send a code to your phone and then with the smartphone it sort of, you know, self populates, so it's still pretty straightforward. I don't see why we can't just make that a general thing. Yeah, I don't think it can hurt to have extra security.” – R2P7
“I think the fact that it is obviously an application that I've already got on my phone that I'm familiar with. It hasn't asked me to download anything. It hasn't asked me to click on any links that I'm not familiar with. I was comfortable with it. I'm assuming [in the prototype] that the FaceID worked for logging in into my phone app because that's something that must have already been set up previously, so that must be how I’d normally access my phone app in that instance. So, yeah, I would be comfortable with that process. It's just that, whether because I'm doing more than what I would normally do in my phone app and I am providing that consent for that third party to access that information, I probably would've liked to see, either straightaway or at the end of the process, a second authentication. It sort of then emphasises to people that ‘you are doing more than what you normally do when you’re on your app’. I think it's just good – whether people do pick up on it or not – but it's just that subtle cue of this is something a little bit more than normal actions.” – R2P10
5. Redirect to app is preferred when compared to browser, but with caution
The research found that participants feel more comfortable being redirected from an app or website to a trusted app on their device than being redirected to a new tab in their browser. Unsurprisingly, this is because users have already established trust with pre-existing apps, know they came from a reputable source (such as the AppStore or Google Play), and so aren’t going to be redirected to a fraudulent website. They can also authenticate in their existing apps in ways that are consistent with their existing experiences, so the flow more closely matches their mental models. The added bonus of this process, compared to methods such as OTP, is that users aren’t required to remember complicated strings of information such as their banking user ID; they can simply authenticate and access.
There were various views on how participants wanted to access their app to consent to data sharing; some liked that the flow automatically took them to their app and others said they would feel more in control if they had the option to open their app themselves. There were concerns around phishing and lack of clarity regarding the mechanisms that trigger the app to open, and similar to findings from round 1, participants wanted to log out or know they would be automatically logged out when leaving their data holder app.
In the instances where participants did not have the app installed on their device, their expectation was either to be taken to the AppStore or GooglePlay and prompted to download it, or that a new browser window would open to facilitate log in.
“I mean obviously it's an automated process, you're not manually exiting the browser and going into the app. But I did like that I could see it going to my home screen, finding the application and opening up the app as opposed to, you know, opening up a browser and going, Where did this come from? What is it? So whilst it's the control level of control is minimal in terms of you know, your intervention, you're not really, well, you're not really intervening in the process. Like it is an automated process. I like the fact that I could see what was the steps that were happening, if that makes sense.” – R2P10
“There is some very select instances in which I can think that that would potentially be a little more uncertain than logging in using username and password. But I think for 99% of circumstances, that's perfectly reasonable. Face ID or biometric IDs are set up initially when you start using the app and to set them up it requires you to use your username and password. So it's kind of not like it just comes outta nowhere. It's something you've authorised in the past and through authorising it in the past, you then have basically said “I am okay with this biometric ID being used as a replacement for logging in”. Because it is logging in, it's just doing it a very slightly different way.” – R2P2
“I didn't necessarily feel particularly not in control. It was just surprising because that's not a process I'm used to doing. Once again, as I said, in instances where I've done things like this in the past, it will send me to a webpage that opens up within either the initial app I was using in the first instance or as say a new page in my browser.” – R2P3
6. Control is found through self-initiated action
This round of research further highlighted the importance participants place on having control over their experience. Participants reported they would feel more comfortable and trust a product more if they had more control over their experience. This applies to how and when they authenticate, and in context to the consent flow, what information they share with ADRs.
Specifically, participants valued controls such as: choosing which authentication models they use to access their data; choosing how many layers of security apply (i.e. the combination of factors); the ability to opt in or out of specific features and options; alerts when data security may have been compromised; and easy processes to securely reset passwords.
Further to a point shared in insight “2. Biometric authentication is still maturing”, participants who reported accidental successful authentication with FaceID wanted the ability to control how FaceID was triggered, some suggesting an ‘I’m ready to authenticate’ button might be a good workaround. While some controls may not be feasible to implement in flows, forewarning users of the next steps will forearm them and thus increase feelings of control. This finding may support improvements to the consent flow, including more stepped and clear instructions, so users can confidently anticipate next steps and avoid any surprises during the flow. Giving users control and choice during their experience can increase feelings of trust and comfort.
“I think for the FaceID, I think I’d prefer to go in myself because when it just directs you to, when it opens the app itself, if it's just a FaceID, it logs you in automatically just cause you're looking at the screen. So you kinda have no control over that, before you know what's going on you’re logged in. So yeah, I think for FaceID I would prefer to open it myself.”
“Being able to choose my method of two factor that does help. I appreciate if it is a choice of “hey you can receive a text or you can be emailed”. Also the app or website itself having a good set of security settings and options. So that's more of a, once I'm logged in, if I feel at any point I want to alter those. Being able to see that it has firstly requesting my login again when I enter the security settings, I do appreciate applications and websites who ask for that, but also ones that just have good options and even if it may not request my login to access them, at least if it requests it to confirm changes, that does also help.”
“I don't mind a password login rather than a FaceID or something. I guess it's just a bit more of an active, like you have to actively do something rather than accidentally touch it. You know, like a fingerprint or something, instead you have to go into the app and then, and then enter your details so it's a bit more on purpose. You can't sort of accidentally log in to say online banking or something.”
“It made me think that the app it was directing to had some control over it, you know, that it had linked to this website to this company. I just think the sharing back step could be authenticated or better. So you have to log into the Data Holder, but the Data Holder didn't ask, like you didn't have to authenticate to share back, you know.”
7. Step up authentication feels good
Round 1 found that participants wanted two factors of authentication. In round 2 we endeavoured to uncover the order that best suited participants, and so tested two common 2FA processes: step-up and back-to-back. Both processes request an initial authentication, but differ in the stage at which the second authentication is requested. For step-up, the second factor is requested after the user performs an action. This method is consistent with many banking apps, where the second factor may be triggered after a transfer is initiated or a new payee added. Back-to-back is as the name implies: the second factor is requested straight after the initial factor.
Participant preferences were split roughly evenly between the two options. We can, however, identify step-up as the recommended option, as it fits users' existing mental models and does not overload participants at the beginning of the flow.
However, back-to-back may still be a favoured option because problems such as accidental authentication can be avoided, increasing user trust at the beginning of the authenticate and authorise journey and providing a secondary layer for those who don’t totally trust biometrics. Back-to-back may also be effective in heightening the barrier to entry and better protecting vulnerable customers.
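The two 2FA orderings compared above, modelled as session policy logic for the App/Browser-to-App consent flow. This is an added example, not code from the report or from any data holder; the factor kinds, the action names, the list of sensitive actions and the three flow steps are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Factor(str, Enum):
    """Factor kinds seen in the prototypes (constructed list, not the CDR standard)."""
    BIOMETRIC = "biometric"  # FaceID/TouchID unlock of the data holder app
    OTP = "otp"              # SMS one time password
    PIN = "pin"              # app PIN


class Policy(str, Enum):
    STEP_UP = "step_up"            # second factor requested when a sensitive action is attempted
    BACK_TO_BACK = "back_to_back"  # second factor requested straight after the first


# In-app actions that should require two distinct factors (assumed for this example).
SENSITIVE_ACTIONS = {"authorise_data_sharing", "change_security_settings"}


@dataclass
class Session:
    policy: Policy
    factors: List[Factor] = field(default_factory=list)
    pending_action: Optional[str] = None   # step-up: action parked until the second factor
    log: List[str] = field(default_factory=list)

    @property
    def strength(self) -> int:
        # Distinct kinds only: presenting FaceID twice is still a single factor.
        return len(set(self.factors))


def present_factor(s: Session, factor: Factor) -> str:
    """Record a verified factor and return what the UI should do next."""
    s.factors.append(factor)
    if s.policy is Policy.BACK_TO_BACK and s.strength < 2:
        outcome = "prompt_second_factor"           # ask for the next factor immediately
    elif s.pending_action is not None and s.strength >= 2:
        outcome = f"allow:{s.pending_action}"      # step-up satisfied: resume the parked action
        s.pending_action = None
    else:
        outcome = "ok"
    s.log.append(f"{factor.value}->{outcome}")
    return outcome


def request_action(s: Session, action: str) -> str:
    """Decide whether an in-app action may proceed at the session's current strength."""
    if s.strength == 0:
        outcome = "deny:unauthenticated"
    elif s.policy is Policy.BACK_TO_BACK and s.strength < 2:
        outcome = "deny:second_factor_outstanding"  # nothing unlocks until both factors are done
    elif action in SENSITIVE_ACTIONS and s.strength < 2:
        s.pending_action = action                   # step-up: park the action, ask for factor two
        outcome = "prompt_second_factor"
    else:
        outcome = f"allow:{action}"
    s.log.append(f"{action}->{outcome}")
    return outcome


def run_consent_flow(policy: Policy) -> List[str]:
    """Replay the App/Browser-to-App consent flow under one policy; returns the event log."""
    s = Session(policy)
    # 1. The ADR's browser page or app redirects into the data holder app, which prompts FaceID.
    if present_factor(s, Factor.BIOMETRIC) == "prompt_second_factor":
        present_factor(s, Factor.OTP)       # back-to-back: OTP straight after FaceID
    # 2. The consumer reviews what the ADR is asking for (assumed not sensitive by itself).
    request_action(s, "review_consent")
    # 3. Authorising the share is the sensitive action.
    if request_action(s, "authorise_data_sharing") == "prompt_second_factor":
        present_factor(s, Factor.OTP)       # step-up: OTP only now, at the point of authorising
    return s.log


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, run_consent_flow(policy))
```

Running both policies shows the same two factors being collected, with step-up deferring the OTP to the authorise step and back-to-back refusing even the consent review until the OTP is done.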
“I don't mind a password login rather than a FaceID or something. I guess it's just a bit more of an active; like you have to actively do something rather than accidentally touch it. You know, like a fingerprint or something, instead you have to go into the app and then, and then enter your details so it's a bit more on purpose. You can't sort of accidentally log in to say online banking or something.”–R2P3
“I think considering the FaceID isn't almost instantaneous. It's not a manual process. Like I don't think that's too cumbersome. I don't think it's unreasonable to provide two points of authentication given that you are accessing bank information and then you're also allowing another company to access that bank information and it's not a daily transaction. Like it's not every time. I understand sometimes people go “oh the security's annoying” if every time you access your bank account and you have to do it. But this is not something that you're gonna be doing on a daily basis. Like it's sort of a one-off transaction. So I actually probably prefer that there are multiple stages of authentication and there's also that element of you didn't accidentally click on something and your app opens, you're looking at it to see what's happened and you've accidentally unlocked it. Like here you've got that sort of instantaneous one where there's not much manual involvement but now you're actually manually having to do something as well.”–R2P10
“Do you mean like having a sort of a sandwich of authentication at the beginning and then at the end? Good. I think that's a good thing. I think on either side is a good double check.”–R2P7
“Once it loads everything like in a list that you're consenting to, once you press consent, like it come up with a code or a double check to make sure that you are definitely consenting.”
8. Accessibility and inclusion are continuing factors in uplifting authentication experiences
The research reiterated the importance of accessibility in authentication. All users across the spectrum of human diversity should have access to robust and easy-to-use authentication methods, which match their expectations of security.
Both permanent and temporary disability affect how users prefer – and are able – to authenticate online. Disability may be cognitive, developmental, intellectual, mental, physical, sensory, or some combination of these. This finding is particularly pertinent to biometric methods. Several research participants who experienced various mental health challenges cited a preference for biometric methods due to their lower barriers to entry and absence of cognitive demands. For other participants, physical impairment could create frustrating experiences when using biometrics, such as having scratched fingertips after physical yard work, or a facial wound dressing that FaceID did not recognise.
Further findings included people who cannot read or write, or those with English as a second language, who may find it hard to comprehend complex information presented to them. This reiterates the importance of providing, where possible, alternative ways to authenticate that conform to the latest Web Content Accessibility Guidelines (WCAG).
“Like for me, I don't use a screen reader or anything, there was no issues with recognising like what was there. It's more just my tolerance and cognitive capacity to be on the screen looking at information like that, I get a bit impatient.”–R2P7
“I find biometric ID extremely convenient, as somebody who has issues with memory and motivation. I find looking at something and being able to access what I need, or if I have to pay a bill and I can do it by using PayPal for example, and it just recognises my face and I don't have to manually log in, I'm going to do it because it's easy. If I can't access it easily, then I will put it off and probably forget and then get in trouble.”–R2P7
“I'm not confident with FaceIDs because of the reliability of facial recognition as a general technology. It's documented that it's especially problematic for various minorities.”–R2P9
Research Outputs
Global Performance: Radial Graph
Global Performance is a measure developed by the research team to define success for various authentication models, made up of five separate measures:
- Recall & input
- Familiarity & completion
- Comfort & control
- Purpose & outcome
- Expectations
Each of these five measures consists of three different metrics (as shown in the ‘Measures & Metrics in detail’ table) collected throughout the research and then collated to determine a quantifiable outcome for each measure. These five measures are then plotted on a five-point radial graph, demonstrating the global performance of the respective authentication model.
Measures & Metrics in detail

| Recall & input | Familiarity & completion | Comfort & control | Purpose & outcome | Expectations |
| --- | --- | --- | --- | --- |
| Information a user needs to recall | Familiarity | User feeling in control | Benefit awareness | User security expectations |
| Users’ perception of length of time | Brand influence | Awareness of next step | Sensitivity of value proposition | Perceived security |
| Number of user inputs | Current authentication models | Trustworthiness | Level of positive-friction | Sector |
- Information a user needs to recall: how much information a user is required to recall to successfully authenticate themselves (e.g. customer ID, lengthy and complicated passwords)
- Users’ perception of length of time: how long the user perceived the authentication took, and whether they found that appropriate
- Number of user inputs: how many fields users were required to complete throughout the authentication process
- Familiarity: how familiar a user is with a specific authentication model, and whether they use or have used it frequently
- Brand influence: whether user trust is influenced by the brand they are authenticating with (e.g. do they place more trust in a Big 4 bank than in a smaller player)
- Current authentication models: what model/s the user currently uses
- User feeling in control: which element/s of the authentication method give the user the feeling of being in control
- Awareness of next step: whether the user could accurately anticipate what would happen at each step based on the information provided to them in the flow
- Trustworthiness: how trustworthy the user found the authentication method
- Benefit awareness: whether the user was aware of the benefit of the authentication method in conjunction with the use case in which it was applied
- Sensitivity of value proposition: whether the user was influenced by the value proposition (e.g. did they feel more or less likely to authenticate with the method because of the value they derived)
- Level of positive-friction: whether the user felt the authentication method was easy enough for them to complete and hard enough for someone else who was wrongfully trying to access their data
- User security expectations: whether the authentication method met or exceeded the user’s expectation of security and, if not, why it fell short
- Perceived security: how secure the user perceived the authentication model to be, and which elements contributed to this perception
- Sector: whether the user was influenced by the sector in which the use case occurred (e.g. was the user more or less trusting of a specific authentication model when accessing banking data vs energy data)
App/Browser-to-App with Biometric
App/Web-to-App measure and metric outcomes. A score above 4 is considered excellent, above 3.75 very good, below 3.25 poor and below 3 bad.
| Measures and metrics | Score |
| --- | --- |
| Recall & input | 3.93 (score for measure) |
| Information a user needs to recall | 4.56 (score for metric) |
| Users’ perception of length of time | 3.58 (score for metric) |
| Number of user inputs | 3.64 (score for metric) |
| Familiarity & completion | 3.84 (score for measure) |
| Familiarity | 3.91 (score for metric) |
| Brand influence | 3.45 (score for metric) |
| Current authentication models | 4.14 (score for metric) |
| Comfort & control | 3.74 (score for measure) |
| User feeling in control | 3.53 (score for metric) |
| Awareness of next step | 4.37 (score for metric) |
| Trustworthiness | 3.33 (score for metric) |
| Purpose & outcome | 3.53 (score for measure) |
| Benefit awareness | 3.70 (score for metric) |
| Sensitivity of value proposition | 3.45 (score for metric) |
| Level of positive-friction | 3.43 (score for metric) |
| Expectations | 3.56 (score for measure) |
| User security expectations | 3.50 (score for metric) |
| Perceived security | 3.82 (score for metric) |
| Sector | 3.38 (score for metric) |
App/Browser-to-App with Biometric Global Performance: moderated, unmoderated and combined outcomes (the combined score is the mean of the moderated and unmoderated scores).

| App/Browser-to-App | Moderated | Unmoderated | Combined |
| --- | --- | --- | --- |
| Recall & input | 4.02 | 3.83 | 3.93 |
| Familiarity & completion | 3.95 | 3.72 | 3.84 |
| Comfort & control | 3.54 | 3.94 | 3.74 |
| Purpose & outcome | 3.46 | 3.60 | 3.53 |
| Expectations | 3.35 | 3.77 | 3.56 |
The research found App/Browser-to-App with Biometric to be a generally well-performing authentication method. The majority of participants tested were familiar with biometric methods of authentication and currently use them on a regular basis. The highly automatic nature of the App/Browser-to-App flow and the use of biometrics meant participants had very little information to recall or input throughout the flow, as demonstrated by the high score in the ‘Recall & Input’ measure.
‘Purpose & Outcome’ and ‘Expectations’ were the poorer performing measures; this can be attributed to the lack of positive friction in the flows tested, with participants expecting and desiring a second factor of authentication to meet their expectations of security. Among all metrics, Trustworthiness (Comfort & Control) earned the lowest score, with many participants reiterating that a second factor of authentication would have made them feel more comfortable and in control of the process.
Participants appreciated the ease with which they could authenticate with this method, and although they like authenticating biometrically, they do not believe it is always the most appropriate method for sensitive use cases when used as a single factor.
Recall & Input (3.93)
Overall, almost all participants agreed that they did not have to recall very much, if any, information to successfully authenticate with FaceID. This sentiment was seen in the biometric-only use cases, and use cases that included FaceID and a secondary factor, such as PIN or OTP.
Moderated outcomes
- All moderated participants agreed they did not have to recall any information for biometric-based authentication.
Unmoderated outcomes
- 95% of unmoderated participants agreed they did not need to remember very much information to complete the login process across all use cases.
“Very minimal. No password was required, only Face ID & a PIN number which is a lot easier to remember than a password.”
“NIL - all FaceID and automatically populated SMS verification.”
“Not much at all, it all pulled across from the app which made it simple.”
Overall, participants did not appear to have negative thoughts or feelings about the length of time it takes to authenticate in the use cases tested. While just over half described the time it took them to authenticate as either 'very fast' or 'extremely fast’, a large proportion described it as 'neither time consuming nor fast' and a few as ‘slightly time consuming’; the qualitative data collected does not point to negative or poor user experiences despite these lower ratings.
Moderated outcomes
- 6/10 participants rated the time that it took to authenticate as either 'very fast' or better when authenticating with FaceID alone.
- When authenticating with a second factor, such as OTP or PIN, participants recognised that the process was slightly longer but appreciated the inclusion of a second factor.
- For those who rated the time it took to authenticate as 'neither time consuming nor fast' or 'slightly time consuming', biometric authentication does not appear to be their normal way of authenticating, which drew out the process as they familiarised themselves with it.
“It was very quick – FaceID took only seconds.”
"Only FaceID was required which is an almost instantaneous process.”
“I didn't need to do anything. The website took me to the app and I was logged in just because I was looking at the screen.”
“It's part and parcel of logging in, I don't mind how long it takes as long as it is secure.”
“As one becomes familiar with the sign in/authentication process, it would take less time.”
Unmoderated outcomes
- 50% of unmoderated participants described the time it took them to authenticate as either 'very fast' or 'extremely fast’.
- 42% described it as 'neither time consuming nor fast’.
- And while 5% of participants said that it was ‘slightly time consuming’, none had anything particularly negative to say about the experience.
“Facial recognition doesn't require extra effort so faster than passwords, verification links etc.”
“The level of automation ensured it was as quick as possible. I didn't have to navigate myself or think about where to go.”
“Providing it works seamlessly in real life it is exactly as I'd expect.”
“It was simple, super easy (I didn’t have to manually enter lots of numbers/codes/verifications).”
“Seems par for the course these days.”
“It was so quick and easy, much quicker than I expected.”
“When I was taken to the bank or network retailer, the authentication popped up quickly and was easy to access. The process was seamless and I was given access to my information very quickly.”
Overall, close to 75% of all participants tested felt that there were an appropriate number of fields required for them to fill in during the authentication flow.
Moderated outcomes
- 2/10 participants felt there wasn't an appropriate number of fields to fill in during the authentication process.
- All participants said very little information was required from them to input during the authentication processes tested.
“Minimal. I only had to input the authentication code and click the checkboxes and continue buttons etc.”
“Very little. It’s a good thing for simplicity but it's suspiciously very easy.”
“I didn’t really need to know any of my own information which is probably a bad thing because of the sensitive and personalised information.”
Unmoderated outcomes
- 73% of unmoderated participants either 'agreed' or 'strongly agreed' that they felt there were an appropriate number of fields required to fill in during the authentication process.
- The 14% who ‘disagreed’ or ‘strongly disagreed’ indicated in other areas of the data gathered that they felt there should be more friction in the flow. We can assume they disagreed not because they think there are too many fields, but because they feel there are not enough for a secure and trustworthy authentication experience.
Familiarity & Completion (3.84)
Overall, 70% of research participants had used FaceID authentication methods frequently in the past.
Moderated outcomes
- All moderated participants were familiar with FaceID authentication, but only 7/10 had used the method frequently in the past.
“My mobile phone has thumbprint and I have chosen it as an option in certain apps like Afterpay or the Google wallet. I find as a glasses wearer face ID can be very fussy at times if it decides you have new glasses or you are not wearing your glasses or you're on slightly the wrong angle. I'd rather it be fussy than lax because it being fussy means it's doing its job. So fingerprint is usually the primary way I've preferred.”
“I used to use Touch ID on the older iPhones and now I use FaceID.”
“I use FaceID to access a couple of different apps like my bank and super etc.”
Unmoderated outcomes
- Over 66% of unmoderated research participants 'agreed' or 'strongly agreed' that they had used the biometric FaceID authentication method frequently in the past.
- Almost 30% 'disagreed' or 'strongly disagreed' that they had used the method frequently in the past.
Overall, just over half of all participants tested agreed that they would feel the same way about the authentication process irrespective of whether they were using a well-known brand or a lesser-known one.
Moderated outcomes
- When asked how they would feel if, instead of a familiar bank, they were authenticating with a lesser known financial provider, 7/10 moderated research participants said they would feel less comfortable.
- Those who were fine with it said they would not be sceptical so long as they did not have large assets tied up with the provider, or if they already had a relationship with the provider.
- Just over half of participants would feel the same way about the authentication process irrespective of the brand they were using.
“I don’t have any trust in ... any of the Big 4, I’d actually be more inclined to trust the smaller banks.”
“I’d probably feel more uncomfortable and more suspicious.”
“Depends on assets with that company, if it was a throwaway account I’d not be worried.”
“If I was banking with them and already had an app with them, then yeah, I’d feel fine about it.”
Unmoderated outcomes
- Just over 55% of unmoderated participants said they 'agree' or 'strongly agree' that they would feel the same way about the authentication process irrespective of the brand they were using.
- And 23% said they 'disagree' or 'strongly disagree’ that they would feel the same way about the authentication process irrespective of the brand they were using.
Overall, close to 80% of participants currently use biometric authentication methods to access apps or platforms. This may include methods such as FaceID, TouchID and voice recognition.
Moderated outcomes
- 8/10 participants normally log in to the apps or platforms they currently use with biometric methods.
Unmoderated outcomes
- 77% of unmoderated research participants said they normally use biometric means to authenticate on platforms and apps they currently use.
Comfort & Control (3.74)
Overall, around 68% of all participants tested said they felt in control of their data, privacy and account security throughout the authentication process.
Moderated outcomes
- Half of the participants interviewed said they felt in control of their data, privacy and account security throughout the authentication process.
- Examples participants gave of things that make them feel in control include: choosing the level of authentication (i.e. multiple factors) and the ability to switch extra layers of security on or off; clarity over why certain information is required; and security requirements that are proportionate to the value of the assets held.
“I like being able to enter in my own details and being able to customise my approach, like toggling ON/OFF different authentication methods and having levels of choice for how I log on or access the platform. The security levels don’t have to be as high when the asset isn’t as valuable.”
“The ability to opt in as well as opt out of things. Unfortunately with the move to two factor it's getting increasingly difficult to opt out. So your choice basically is to go with what they demand or not to do it. And if you don't do it, you can be severely hampered in your day-to-day life. For example, let's say I, for some reason I don't have a smartphone or I don't have a phone or I'm out of range of the phone and they're sending me the code and I can't get the code. Why can't they send me an email? They won't do this because emails are not secure, even though a phone is not necessarily secure either.”
Unmoderated outcomes
- Just over 70% of unmoderated participants said they 'agree' or 'strongly agree' that they felt in control of their data, privacy and account security throughout the authentication process.
Overall, this was the highest scoring metric, with 96% of participants across both moderated and unmoderated test groups agreeing that they felt aware of what to do at each step of the authentication process. This high score can be attributed to the automatic nature of the flow.
Moderated outcomes
- 9/10 participants ‘agreed’ or ‘strongly agreed’ that they felt aware of what to do at each step of the authentication process.
- Several participants cited the flows as having clear language in a way that was easy to read and follow.
“It was written and shown in a way that was easy to follow and had ways to get clarification.”
“It was clear as to what was required next and it was a familiar process.”
“I didn't have any problems understanding what was being requested.”
Unmoderated outcomes
- Almost all participants (97.3%) said they found the information presented throughout the authentication process as either 'very easy to understand' or 'extremely easy to understand'.
- The remaining participants said it was 'moderately easy to understand’.
“It was clear and concise, but given the heightened security alert people are on I did wonder if there needed to be a note on the security measures to protect data included.”
“It was all very easy to navigate.”
“It was very thorough, but in a way that it wasn't overwhelming. I found it detailed and trustworthy.”
“Some information was sparse - e.g. what the client app [ADR app] was requesting and why.”
We observed a marked difference in perceptions of trustworthiness between the moderated and unmoderated testing groups. When describing how trustworthy the authentication process was, only 20% of moderated participants described it as ‘very trustworthy’ compared to 63% of unmoderated participants. We believe this may be due to the nature of the tests: research participants were questioned throughout the moderated test, giving them more opportunity to think about the implications of the authentication method. Unmoderated tests, by contrast, more closely reflect real-world usage and may give a more accurate representation of the wider public’s perception of the method’s trustworthiness.
Moderated outcomes
- In regard to the level of trust participants place in the authentication process, only 2/10 said it was very trustworthy. The others, who selected 'moderately trustworthy' or 'slightly trustworthy', said they would have liked a second authentication factor either at the start or end of the process, such as an OTP or PIN code.
- Interestingly, 2/10 participants expressed concerns around FaceID and did not particularly trust it. We note these two participants were in an older demographic (retirees) compared to the other participants.
- The parts of the experience which did inspire trust for participants related to automatically being taken to an existing app the participant already had on their device.
“Would have liked a second authentication required at some point in the process.”
“I would've expected to authorise again at the end of the process.”
“I would have preferred to see a second-stage of authentication.”
“FaceID is inherently unreliable.”
“I liked being transferred to my telco's official app.”
“The fact that the website took me to an application already on my phone as opposed to a browser.”
Unmoderated outcomes
- Just over 63% of unmoderated participants described the authentication process as 'very trustworthy' or 'extremely trustworthy’.
- Just under 30% described the process as 'moderately trustworthy’, citing that they would feel more comfortable with the process if there were a second factor of authentication involved.
- And lastly, 7% of participants described it as 'slightly trustworthy’.
- For the participants who did not find the process to be trustworthy, the most salient themes in their feedback related to how the experience could have inspired more trust:
  - Less automation between apps, so participants know they are being logged out.
  - More than two factors of authentication.
“Given the recent data breach, I cannot say that I now 100% trust any authentication process.”
“I believe these high ranking companies would have the best security measures and therefore I trust them to do the right thing by me.”
“Multi-factor authentication gives me greater confidence in the security and data protection of the system”
“I still think I might like to see a phone or device security linked access code as well.”
“Don't like PIN, would prefer number being SMS'd.”
“I would feel more comfortable with two factors of authentication”
“In general, I don't have a lot of trust in AI, let alone AI-generated logins.”
“It’s better than nothing but I prefer MFA and self-directing my own affairs”
“Let you manually enter information and manually log in and out.”
“Not automatically opening apps perhaps, but that also might just be a bit annoying. Maybe less 'instant' logging in”
“Including a pop up that says you will be transferred to your banking/telco app.”
“Seeing myself being logged out & if I have a complaint or want my details deleted how long would that take once an email request is submitted.”
“I think there should be a three-step verification process.”
“3 factor or more ID authentication.”
“Maybe include option of three step authentication for those who may want to use this”
Purpose & Outcome (3.53)
Overall, 70% of those tested found the CDR way of sharing data in the tested use cases pleasing compared with how they had typically experienced it in the past. Further, 68% of participants tested found authenticating with FaceID (alone or with a second factor) to be beneficial for authorising the sharing of their data.
Moderated outcomes
- 8/10 participants found the CDR use cases tested (getting competitive interest rates and comparing telco plans) better than ways they had done before. Reasons given included: personalised benefits, reduction in manual inputs and speed.
- 4/10 saw the benefit in authenticating via biometric means to share their data. The other 6 participants felt it was adequate but could be improved and would have liked stronger or more authentication factors.
“It was very tailored, it was automated and I didn't need to speak to anyone - there is sometimes pressure when you are dealing with people to proceed with their services.”
“It was based on my account data, so could be a benefit to me based on my criteria.”
“The level of authentication should be commensurate with the info/service being sought.”
Unmoderated outcomes
- Almost 70% found this way of authenticating to share their data as either ‘pleasing’ or ‘slightly pleasing’ compared to what they have experienced in the past.
- When asked “How much benefit do you see in authenticating with this method to allow your data to be accessed?” 71% of participants responded with 'extremely' or 'very beneficial’.
- Only about 10% of participants said it was 'slightly beneficial’ or ‘not at all beneficial’.
“It was very quick and very simple compared to others. And it worked on mobile which isn’t usually something I would use to do this.”
“Again although I am worried about security and the reputation of the business, it did make things a lot more quick and simple. I wouldn't do this feature to any old brand I came across on the internet though - they would need to be well known, well proven and well trusted.”
“I wouldn't feel secure knowing that the data could be accessed with no authentication.”
“As per previous comments - using multiple factors or multiple methods to verify one's identity is always reassuring and gives me confidence. Furthermore, going through the process of authenticating with this method seems credible and trustworthy due to the information/assurances provided to the user throughout the experience. It also gives the user control of agree/disagree and authorise/deny as they feel comfortable.”
“It is very difficult/impossible to get into another person's face ID AND via their phone using 2 factor authentication unless you had kidnapped them, so this made me feel very confident.”
“I am uncomfortable with this method of authenticating my data. I don't believe the phone is the most secure method of authentication.”
“It is quick, but I don't trust it.”
Overall, 46% of those tested said they would ‘probably’ or ‘definitely’ use biometric authentication methods if they were available for streamlining the process of getting interest rates or comparing their telco plans.
Moderated outcomes
- 4/10 moderated participants said they would 'probably' or 'definitely' use biometric authentication methods if they were available for streamlining the process of getting an indicative interest rate or comparing telco plans today.
- 7/10 participants interviewed thought the authentication process should adapt depending on what they were trying to do, for instance logging in to transfer a large sum of money or simply checking their account balance. Several also felt that when doing something financial or banking related, they would expect a second factor and would not feel comfortable with just FaceID alone.
- Findings in round 2 reiterated the consumer perception around a gold-standard level of account security. For the participants who don’t think the authentication should adapt, it is not because they view data as more or less sensitive, but because they think all data should be protected.
“It's very easy! and I'm very time-poor.”
“I’d much prefer if they ask for a PIN that is linked to that account.”
“I’d expect when changing security settings in account, or any sensitive actions, to re-request my password or second factor of authentication.”
“I think I would probably expect the same level of protection because it is the same platform and if for whatever reason if it was easy enough to get into my Banking app for somebody else to check my bank account, well then how much of a stretch is it for them to be able to then transfer money?”
Unmoderated outcomes
- Just over 74% of participants responded that they would 'probably' or 'definitely' use biometric authentication methods if they were available for streamlining the process of getting an indicative interest rate or comparing telco plans today.
- Almost 20% of unmoderated participants said they wouldn't use it.
“I would definitely use this authentication method because I have seen it in real life before this prototype.”
“I would definitely use it, just ensure that there is a second layer of verification.”
“This seems so much more secure and trustworthy than traditional methods where I'd have to manually input data and my data would be stored for years after the inquiry.”
“It would depend on the extent to which this new method has been proven to be a safe, secure and trustworthy process, as well as whether it's formally and publicly backed by reputable entities (e.g. government) as being a legitimate and credible way of doing things.”
“I want to know all the bugs are ironed out and this isn't often the case with new technology – there are issues always.”
Overall, 58% of those tested agreed that they felt the authentication method was easy enough for them to complete but hard enough for someone else to steal their data. Similarly to Trustworthiness, we saw a marked difference between the respondent score for moderated (30%) compared to unmoderated (62%). Again, this may be attributed to the nature of the test and the opportunity for participants to think more critically during moderated research sessions.
Moderated outcomes
- Only 3/10 participants agreed or strongly agreed that they felt the authentication process was easy enough for them and hard enough for someone else to steal their data.
- 7/10 participants expected to be asked to authenticate again after clicking authorise in the flow.
“I’d like to see another authentication whether it’s a OTP to you phone or something else.”
“Yeah? It would make me feel a bit more secure that I had to do it a couple of times. An ‘enter this code’ situation.”
“It should, but it probably wouldn’t. Depends how rigorous it is. FaceID isn’t a rigorous check; it could be followed by a password or an OTP.”
Unmoderated outcomes
- Just over 62% of unmoderated participants either 'agreed' or 'strongly agreed' that they felt the authentication process was easy enough for them, and hard enough for someone else to steal their data.
- Almost 25% said they 'disagreed' or 'strongly disagreed’ with that sentiment, suggesting there is not enough friction present in a biometric authentication flow.
Expectations (3.56)
Overall, 62% of participants felt that authenticating with biometrics (as a single or when paired with another factor) met their expectations of security.
Moderated outcomes
- Only 3/10 participants agreed that they felt that authenticating with biometric met their expectations of security.
- When asked how biometric authentication stacked up against their security expectations, participants said that FaceID is unreliable; because they already had the app installed on their device they felt more comfortable with it, but they did not believe it was sufficient for the kind of data they were accessing.
- In general, participants had expectations in regard to security in authentication such as: friction which matches the sensitivity of the data they're accessing, that companies will treat their data respectfully and policies that protect it, and the ability to customise levels of security based on user preference.
“It, as I mentioned, seemed like a smooth process. But was I comfortable with it? Not at all.”
“I think the fact that it is obviously an application that I've already got on my phone that I'm familiar with. It hasn't asked me to download anything. It hasn't asked me to click on any links that I'm not familiar with. I was comfortable with, I'm assuming that the FaceID worked for logging in into my phone app, but that's something that I must have already set up previously. So I would be comfortable with that process.”
“I would want the provider to confirm back.”
“I expect my data wouldn’t be shared. I would expect it all listed out at the start before signing up where my data would be shared.”
“I expect the companies that I engage with to have really strong policies and measures around how my data is handled.”
“My expectation, my, my desire is that I can opt in or opt out and that there are a variety of options available to me for my selection beyond a 2FA that demands one have a smartphone that's fully charged.”
Unmoderated outcomes
- Of the unmoderated participants, 62% 'agreed' or 'strongly agreed' that authenticating with this method met their expectations of security.
Overall, almost three quarters of all participants viewed authenticating with Face ID (with or without a second factor) as ‘not at all risky’ or ‘slightly risky’ when asked how much risk they see in authenticating with this method to allow their data to be accessed.
Moderated outcomes
- Only 1 out of the 10 moderated participants tested viewed authenticating with biometric means as ‘very risky’. 2 out of 10 participants thought it carried a moderate amount of risk and the remaining 7 participants believed it to be only slightly or not at all risky.
- On the question of security, participants cited the fact that they do not have other people registered for biometric access on their devices.
“I am not across the accuracy of FaceID - ie I am not sure if basic FaceID on an iPhone can be tricked by a high resolution photo etc.”
“In a practical sense it is possible although improbable someone would have account and FaceID matches. Without a backup authentication it could become a problem.”
“I think it’d be pretty trustworthy though. I’ve never heard of someone able to log into someone else’s phone using FaceID.”
“No, I haven’t unlocked anyone else’s phone and no ones been able to log into mine.”
Unmoderated outcomes
- When asked "How much risk do you see in authenticating with this method to allow your data to be accessed?", 74% said 'slightly risky' or 'not at all risky'.
- 23% said 'very risky' or 'extremely risky’, and the rest chose ‘moderately’.
- In response to the statement “I felt that logging in with FaceID was secure”, 73% of participants tested 'agreed' or 'strongly agreed', while just over 21% said that they 'disagreed' or 'strongly disagreed’.
“Everything always has risk, but having two-methods to authenticate someone is important.”
“There is of course a small chance that things could go wrong, and this information gets leaked. But it's not a primary concern of mine.”
“I think the authentication methods (two factor) is not too risky.”
“The phone is vulnerable. Particularly, if users are not using own data ie public wifi - dangerous warning all over it.”
“I personally do not know the companies that are accessing my data and feel that going through with this process is very risky. I realise that there was a prompt about these companies conforming to strict Australian laws but should things go wrong, I will be the one bearing the consequences.”
“I feel neutral. As previously stated, the recent data breach at Optus has caused me to have a decreased trust in technology.”
Overall, 56% of all participants tested either ‘agreed’ or ‘strongly agreed’ that they felt logging in with FaceID (with or without a second factor) was the right method for them to authenticate for the use case tested. 15% either ‘disagreed’ or ‘strongly disagreed’ with this.
Moderated outcomes
- 6/10 participants did not expect a log-in process to adapt between checking their financial data versus checking their electricity usage data. They expected both accounts to be secure, regardless of the type of data they are accessing. The 4 who did expect it to change thought banking data needed heftier authentication processes.
- 3/10 participants thought the authentication method was appropriate for the type of data they were accessing. 5/10 neither agreed nor disagreed.
“Yeah this is interesting. I think your banking data is more sensitive because your energy data isn’t going to transfer $1000 a week. But at the same time, if there is a direct debit set up then there is a connection between your banking and telco data.”
“I don’t really care much about my electricity data but then I also probably don't know enough and I don't know whether having access to, say, data like that could potentially lead to identity theft.”
“These days nothing is safe; look at the Optus breach.”
Unmoderated outcomes
- Just under 60% of unmoderated participants either 'agreed' or 'strongly agreed' that they felt logging in with FaceID was the right method for them to authenticate; about 15% 'disagreed' or 'strongly disagreed’.
- In response to the statement “I felt the authentication method was appropriate for the type of data I was accessing”, 69% of unmoderated participants either 'agreed' or 'strongly agreed', and 11% either ‘disagreed’ or ‘strongly disagreed’.
Consumer Behavioural Archetypes
Each Archetype has specific needs for how authenticating to share CDR data should work in order for them to trust and understand it.
➊ Sceptics (22% of participants) are less trusting of organisations and/or technology. They generally value control, and are averse to sharing data based on experience with current practices.
➋ Assurance Seekers (51% of participants) want to read additional information. They generally value familiarity and external reference/support, and are apprehensive to new experiences.
➌ Sensemakers (27% of participants) need to understand how the process works. They generally value details, and can trust the process if given enough valuable information.
➍ Enthusiasts (0% of participants) are excited to get the benefits of authenticating to share CDR data. They generally value simple experiences once trust is established.
System Usability Scale
The overall SUS score for App/Browser-to-App (Biometric) was 82.88, which is considered very high. The coloured markers depicted in the graph correspond to the Consumer Behavioural Archetypes (Sceptics, Assurance Seekers, Sensemakers, Enthusiasts) as described previously. The raw SUS scores were widely distributed for this round of research. When reviewing the SUS scores against the archetypes, researchers observed a trend: most of the Sceptics consistently scored lower in SUS than other archetypes, which is consistent with their archetype. Generally speaking, Sensemakers recorded higher scores, while Assurance Seekers had mixed results. Out of all consumer participants, 67% rated their experience as ‘excellent’, 18% as ‘good’, 5% as ‘okay’ and only 10% as ‘poor’ or ‘very poor’.
The System Usability Scale (SUS) is a 10-question Likert scale. Participants rate each statement from 1 to 5 according to how much they agree with it: 5 means they agree completely, 1 means they disagree vehemently. SUS statements alternate between positive and negative wording on purpose, so that respondents cannot simply agree with all of them. Once the responses are collected and synthesised, the resulting score ranges from 0 to 100, but it is not a percentage. The average SUS score is 68, so although that may look like 68% of the maximum, it is more accurately read as the 50th percentile, i.e. a middling result.
- 80.3 or higher is well-performing and bodes well
- 68 or thereabouts is average and needs some work to improve
- 51 or under is a problem and needs addressing
SUS is not a diagnostic and will not highlight any specific problems with a flow; however, it gives an indication of how usable a product is. In our case, SUS has been used to assess how usable an authentication method is. Read more about SUS
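As an added illustration that is not part of the report, the following Python scores a single SUS questionnaire using the standard Brooke scoring rule (the report describes the scale but not the arithmetic), averages across participants, and maps a score onto the bands listed above; treating everything between the report's three anchor values as the middle band is an assumption.

```python
# Added example, not the report's own code. Scoring follows the standard
# SUS rule (Brooke, 1996); the interpretation bands are the ones the report quotes.
from typing import Sequence


def sus_score(responses: Sequence[int]) -> float:
    """Return the SUS score (0-100) for ten 1-5 Likert responses to statements 1..10.

    Odd-numbered statements are positively worded: contribution = response - 1.
    Even-numbered statements are negatively worded: contribution = 5 - response.
    Each contribution is 0-4; the ten are summed (max 40) and multiplied by 2.5.
    """
    if len(responses) != 10:
        raise ValueError("SUS needs exactly 10 responses")
    total = 0
    for number, answer in enumerate(responses, start=1):
        if not 1 <= answer <= 5:
            raise ValueError(f"statement {number}: response {answer} not in 1-5")
        total += (answer - 1) if number % 2 == 1 else (5 - answer)
    return total * 2.5


def mean_sus(all_responses: Sequence[Sequence[int]]) -> float:
    """Average SUS score over several participants (what a headline figure reports)."""
    if not all_responses:
        raise ValueError("no participants")
    return sum(sus_score(r) for r in all_responses) / len(all_responses)


def sus_band(score: float) -> str:
    """Map a score onto the report's bands.

    The report gives three anchors (80.3+, about 68, 51 or under); treating the
    whole 51 < score < 80.3 range as 'average' is an assumption made here.
    """
    if score >= 80.3:
        return "well-performing"
    if score > 51:
        return "average, needs some work"
    return "problem, needs addressing"


if __name__ == "__main__":
    # Constructed sample responses, not data from the study.
    engaged = [4, 2, 5, 1, 4, 2, 4, 1, 5, 2]   # agrees with positives, rejects negatives
    agrees_with_all = [5] * 10                 # 'strongly agree' to every statement
    print(sus_score(engaged), sus_band(sus_score(engaged)))            # 85.0 well-performing
    print(sus_score(agrees_with_all), sus_band(sus_score(agrees_with_all)))  # 50.0 problem
```

The all-fives respondent lands at 50 rather than 100, which is exactly why the statements alternate in wording: uncritical agreement cancels itself out instead of inflating the score.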
Summary
The research found App/Browser-to-App with Biometric to be a sufficient method of authentication for some use cases where there is little risk involved in successfully authenticating. The method is familiar and found to be very easy to use by most participants. This method could be supported by the CDR with the following constraints in order to meet and exceed user expectations of control, trust and security:
- App/Browser-to-App with Biometric as part of a 2-factor, step-up authentication model: the research found many participants expected a standardised approach to authentication, with consistent and strong authentication required to access any type of data, no matter the sensitivity. This expectation can be met by implementing multi-factor authentication (MFA), and user trust and comfort can be further increased using a step-up model. Research participants reported greater feelings of control and confidence when more than one factor was required as a ‘confirmation’ of action. The user expectation is that this standardised approach would be in place across all sectors and types of data, regardless of sensitivity. To meet this expectation we recommend forming a ‘gold-standard’ authentication to be implemented across the CDR.
- More warning before automatic redirection: users prefer redirecting to an app from a trusted app rather than from a website because they are more trusting of apps on their devices. Users generally liked the automation; however, across the board participants wanted an alert, or a user-triggered action, before being redirected from the ADR to the DH platform. Giving users more forewarning would make them feel more in control and reduce the risk of accidentally authenticating with FaceID just by looking at the device. Users would also feel more prepared for the next step if they were told what the journey looks like when they do not have the DH app installed; this would manage their expectations about being taken to the App Store or Google Play.
- Commitment to accessibility, inclusivity and protecting vulnerable consumers: the research findings reiterated the importance of assessing risk-based models to protect vulnerable consumers, while also continuing to consider accessibility and inclusivity as paramount to supported authentication approaches.
Continuing research is being undertaken in 2023 to determine other models to support.
Quick links to CX Guidelines: