This report contains findings and recommendations from the second round of CX research conducted as part of the Authentication Uplift project. Round 2 research focussed on ‘App/Browser-to-App with Biometric’ and ran in November of 2022. The purpose of the research was to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective is to give consumers more choice and freedom when authenticating themselves with data holders, while maintaining financial grade security. Round 1 was conducted in September of 2022 and benchmarked the existing ‘Redirect with One Time Password (OTP)’ model.

In total, 90 consumers participated in round 2 research; 10 consumers participated in 1:1 interview sessions which ran for an hour and a half each and 80 consumers participated in unmoderated prototype tests which ran for half an hour. App-to-app and Browser-to-App prototypes were used to facilitate discussion and generate insights in relation to the authentication models shown, as well as to authentication more generally.

This project relates to NP280 which is open for consultation from 14 December 2022 to 27 January 2023.

The authentication stage is the second step in The Consent Model and involves a consumer verifying who they are with their Data Holder (DH). This step is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.

Authentication in the CDR regime is limited to a single consistent, authentication model, referred to as the 'Redirect with One Time Password' flow. No other flows are currently supported. ‘Redirect with One Time Password’ was previously tested in June 2019 against two models; ‘Redirect to Known’ and ‘Decoupled’, and was found to be the preferred authentication model by research participants. The outcomes can be accessed in Phase 2 Stream 3 report.

This research has been informed by the following:

The research found that biometric authentication methods (such as FaceID) weren’t as widely accepted as the research team had initially anticipated, though all 90 participants were familiar with them and frequently used them. We observed preferences for its usage over traditional passwords in some use cases because of its uniqueness and inherence, but this was in scenarios where there was little-to-no risk involved in successful authentication. While there was general agreement that authentication should adapt based on the scenario (i.e. accessing sensitive vs. non-sensitive data), similar to the findings in Round 1, not all participants shared this view that authentication should adapt. This was not because they thought less-sensitive data (such as telco or energy data) required less stringent authentication methods, rather, these participants had an expectation that all of their data should be kept secure and private. Many participants expected a standardised approach to authentication; with consistent and strong authentication required to login irrespective of the use case or sensitivity of data. Participants unanimously preferred Multi-Factor Authentication (MFA) over any specific authentication model using only one factor to authenticate.

From the 2-Factor Authentication (2FA) use cases tested (FaceID + OTP, FaceID + PIN) the research team observed a preference for step-up authentication (step-up authentication requires additional levels of authentication to adapt as the risk profile and sensitivity of the action increases). Some participants found back-to-back authentication overwhelming (back-to-back authentication asks two factors of authentication in a row) and step-up authentication was perceived to be the more gentle approach and considered as a confirmation of an action; leaving the participant feeling confident and in control. This is covered further in Insight #7 of this report.

There were a few issues raised by participants about redirecting from a consumer app or website to a Data Holder app for authentication and authorisation; with several participants saying they may flag automatic redirection in the real world as a suspicious “phishing attempt” if they were engaging with a brand they had not yet established trust with. Participants also stated they would feel more in control if there was an alert such as a push notification or a call to action button prior to moving over to their Data Holder app (rather than being redirected automatically) especially in the instances where the authentication method was FaceID as a single factor. This was because several participants had experiences historically where they unintentionally authenticated with FaceID just because they were looking at their phone at the point of the prompt. Lastly, for the use cases where biometric methods were used as a single factor, participants desired higher levels of friction when there was more risk involved in the action they were taking.

The research found that, while scores were not significantly different, redirecting to a DH app from an ADR app was considered more trustworthy and had slightly higher participant confidence compared to redirecting from a browser-based website. However, this finding is only true for apps that have been downloaded from a reputable source and have a pre-established level of user trust and confidence – thus making it a strong option particularly for the banking sector, with many participants having installed and regularly using their banking providers’ mobile app. For the scenarios where a participant didn’t have a Data Holder’s app installed on their device, there were two groups of expectations for what should occur; the first was that the user would be taken to a browser where they could access the web-version of the service to authenticate, and the second was that they would be taken to the AppStore or GooglePlay to download the application.

Accessibility and inclusivity continue to play a key role in how users authenticate to a platform. This round also found participants advocating for a risk-based model to protect vulnerable consumers such as those who experience Domestic and Family Violence, as there is a risk of one party taking on debt without their knowledge, or coerced consent.

We explore these findings in depth throughout this report and provide some early-stage, high-level recommendations in the summary section of this report

The following artefacts have been produced following the research and represent our findings. Each artefact is explored in further detail in the Research Outputs section of this report.

Global Performance

Consumer Behavioural Archetypes

System Usability Scale (SUS)

This research project aimed to:

Consistent with Round 1, hypotheses 1-4 were largely validated by the research. Hypothesis #5 was validated in some use cases, but not in others. The use cases which involved a second factor of authentication as well as a Biometric method exceeded user security expectations, but failed to meet expectations in scenarios where Biometric was used alone.

The following 4 major components of authentication were explored:

Combination of elements tested in Round 2

The research team developed 2 use cases that would be tested across 4 different user flows. The use cases included:

These two use cases were each then extrapolated into two user flows, the first saw the ADR experience on a website (”Browser-to-App”), and the second had the ADR experience in a mobile app (”App-to-App”). This resulted in a total of four prototypes which were tested with research participants. These have been broken down below:

NB: All of the following flows involve a user authenticating in their Data Holder’s app, and assume the DH app has been pre-installed and previously used on the device.

App-to-App

Browser-to-App

Use case 1 (Banking)

Use case 2 (Telco)

Data was collected throughout various points in the research. The research team conducted both moderated and unmoderated testing sessions, both feeding in to the final outputs. Moderated testing sessions involved a moderator guiding the participants through tasks. Unmoderated test participants complete the test independently as they would in a natural environment.

Moderated sessions: 1-on-1 interviews

Unmoderated sessions: Maze Online platform

Research findings and insights include key observations and themes identified during moderated research sessions, supported by participant quotes. Some findings may go beyond the scope of the research topic, but have been included for completeness. Recommendations to uplift the CX may also be included – though this has not been the focus for the research team – as the goal is to identify appropriate authentication models for the CDR.

The second round of research further validated all findings generated in the first round of research. We’ve explored how they manifested in round 2 below:

Our findings revealed all participants were familiar with biometrics methods of authentication, though many participants – particularly those in older generations – either didn’t have devices that support fingerprint or FaceID and more commonly didn’t trust the method. This mistrust is partly caused by the events of data breaches.

User attitudes toward biometric authentication walk a line between convenience and frustration. Several participants cited frustrations with biometric methods for various reasons. The most commonly raised issues related to physical impacts, like having wet hands or wearing face-masks or glasses which prevented successful verification; and accidental verification, opening apps or actioning tasks by way of looking at the device at the point of biometric authentication without intentionally authenticating. The participants who had experienced accidental facial authentication anticipated a secondary method such as PIN, a theme which re-appeared throughout the prototype testing, many participants expecting a second verification to access data or confirm actions.

While the majority of participants were familiar with using Fingerprint or FaceID to access their smartphones, many felt more comfortable using other authentication methods to access their banking and data-sensitive apps. Biometrics alone weren’t perceived as secure enough, until paired with a secondary factor, particularly for banking use cases.

One interesting point to note is that biometric methods were preferred by participants who had mental health challenges and physical disabilities, as they found it faster and less challenging to authenticate.

What may have been one of the most alarming findings from the research to date was the risk authentication poses to vulnerable users. One research participant with a background as a financial counsellor shared their experience working with victims of financial abuse. These cases are varied in nature, but regularly involve Domestic and Family Violence, which extends to one partner suffering financial abuse at the hands of another. This can also extend to elder abuse, particularly in communities where English is a second language. These cases can often involve the victim taking on debt for the perpetrator and have significant and long-lasting impacts on the victim; mentally, emotionally and financially.

Such cases can occur from the perpetrator having access to the victim’s smartphone; knowing their PIN code or being registered as a secondary user with biometric capabilities. This means they can access the victim’s device, and easily action tasks with or without the victim’s understanding, knowledge or consent. These risks obviously go beyond just authenticating, and expand to the actions an intruder can take after the authentication has occurred. Actions can involve applying for loans or other lines of credit, purchasing goods through online stores, and approving transfers of money, to name a few. This highlights an issue far greater than the need for secure authentication, and identifies a systemic and widespread societal issue, one which secure authentication can’t solve, but can do its part in reducing potential suffering.

Across the board it was apparent that participants advocated for consistent and strong authentication requirements, irrespective of the data they were accessing. The notion that even seemingly insensitive data such as an energy account profile or account balance can be stitched together with other innocent information to create a holistic view of the person continues to give rise to concern around privacy and security. These feelings are further exacerbated by the recent cases of data leaks and hacking in Australia; accessing even minor personal information can give hackers access to more important, higher-risk data. Participants feel their data should be kept private and secure regardless of how sensitive; further highlighting the importance of a gold-star authentication process.

There is little evidence to support extra factors of authentication negatively impacting a user’s experience. There may be an initial and brief annoyance at the second verification step, but these feelings are quickly counteracted with reassured comfort for the safety and security of their account. With this considered, we can confidently proceed with implementing multiple factors of authentication aware that participants recognise the benefit and appreciate the security.

The research found that participants feel more comfortable when redirecting from an app or website to a trusted app on their device when compared to redirection to a new tab on their browser. Unsurprisingly, this is because users have already established trust with pre-existing apps and know they have come from a reputable source (such as the AppStore or Google Play) and aren’t going to be redirected to a fraudulent website. They can also authenticate on their existing apps in ways that are consistent with their existing experiences. As such the flow will more closely match their mental models. The added bonus of this process when compared to methods such as OTP, means that users aren’t required to remember complicated strings of information such as their banking user ID – they can simply authenticate and access.

There were various views on how participants wanted to access their app to consent to data sharing; some liked that the flow automatically took them to their app and others said they would feel more in control if they had the option to open their app themselves. There were concerns around phishing and lack of clarity regarding the mechanisms that trigger the app to open, and similar to findings from round 1, participants wanted to log out or know they would be automatically logged out when leaving their data holder app.

In the instances where participants did not have an app installed on their device, their expectation was to be taken to the AppStore or GooglePlay and be prompted to download or that a new browser window would open to facilitate log in.

This round of research further highlighted the importance participants place on having control over their experience. Participants reported they would feel more comfortable and trust a product more if they had more control over their experience. This applies to how and when they authenticate, and in context to the consent flow, what information they share with ADRs.

Specifically, participants enjoyed controls such as; choosing what kind of authentication models they wanted to use to access their data, how many layers of security (i.e. the combination of factors), ability to opt in or out of specific features and options, alerts to when data security may have been compromised and easy processes to securely reset passwords.

Further to a point shared in insight “2. Biometric authentication is still maturing”, participants who reported accidental successful authentication with FaceID wanted the ability to control how FaceID was triggered, some suggesting an ‘I’m ready to authenticate’ button might be a good workaround. While some controls may not be feasible to implement into flows, forewarning users of the next steps will forearm them and thus increase feelings of control. This finding may support improvements to the consent flow including more stepped and clear instructions so users can confidently anticipate next steps and avoid any surprises during the flow. Giving users control and choice during their experience can increase feelings of trust and comfort.

Our findings from round 1 found that participants wanted two factors of authentication. In round 2 we endeavoured to uncover the order that best suited participants and we subsequently tested two common processes of 2FA; step-up and back-to-back. Both processes request an initial authentication, but the stage at which the second authentication is different. For step-up, the second factor is requested after a user performs an action. This method is consistent with many banking apps, where the second factor may be triggered after a transfer is initiated or a new payee added. Back-to-back is as the name implies, and one factor is requested straight after the initial factor.

Participant preferences were as varied as the two options; with a roughly even split between the two. We can, however, identify step-up as the recommended option, when considering this finding in context to user existing mental modes and does not overload the participants at the beginning of the flow.

However, back-to-back may still be a favoured option as problems such as accidental authentication can be avoided; increasing user trust at the beginning of the authenticate and authorise journey and providing a secondary layer for those who don’t totally trust biometrics. Back-to-back may also act effectively in heightening the barrier to entry and better protecting vulnerable customers.

The research reiterated the importance of accessibility in authentication. All users across the spectrum of human diversity should have access to robust and easy-to-use authentication methods, which match their expectations of security.

Both permanent and temporary disability impact how users prefer – and have ability – to authenticate online. Disability may be cognitive, developmental, intellectual, mental, physical, sensory, or some combination of these. This finding is particularly pertinent to biometric methods. Several research participants who experienced various mental health challenges cited a preference for biometric methods due to their lower barriers-to-entry and absent cognitive requirements. For other participants, physical impairment could often create frustrating experiences when using biometric; such as having scratched finger-tips after physical yard work or facial wound dressing which wasn’t recognised by FaceID for example.

Further findings included people who can not read or write, or those with English as a second language, who may find it hard to comprehend complex information presented to them, reiterating the importance of providing alternative ways to authenticate where possible which conform to the latest Web Content Accessibility Guidelines.

Global Performance is a measure developed by the research team to define success for various authentication models, made up of five separate measures:

Each of these five measures consists of 3 different metrics (as demonstrated in the ‘Measures & Metrics in detail’ table) collected throughout the research and then collated to determine a quantifiable outcome for each measure. These 5 measures are then reflected on a five-point radial graph, demonstrating the global performance for the respective authentication model.

App/Web-to-App metrics and measures outcomes. A score above 4 is considered excellent, above 3.75 is considered very good, a score below 3.25 is considered poor and below 3 is bad.

The research found App/Browser-to-App with Biometric to be a generally well-performing authentication method. The majority of participants tested were familiar with Biometric methods of authentication and currently use them on a regular basis. The highly automatic process of the App/Browser-to-App flow and use of Biometrics meant participants had very little information to recall or input throughout the flow, demonstrated by the high score in the ‘Recall & Input’ measure.

‘Purpose and Outcome’ and ‘Expectations’ were the poorer performing measures, this can be attributed to the lack of positive friction in the flows tested, with participants expecting and desiring a second factor of authentication to meet their expectations of security. Among all metrics, Trustworthiness (Comfort & Control) earned the lowest score with many participants reiterating that a second factor of authentication would have made them feel more comfortable and in control of the process.

Participants appreciated the ease with which they could authenticate with this method, and although they like authenticating with biometric means, they believe it is not always the most appropriate method for sensitive use cases when used as a single factor.

Each Archetype has specific needs for how authenticating to share CDR data should work in order for them to trust and understand it.

➊ Sceptics (22% of participants) are less trusting of organisations and/or technology. They generally value control, and are adverse to sharing data based on experience with current practices.

➋ Assurance Seekers (51% of participants) want to read additional information. They generally value familiarity and external reference/support, and are apprehensive to new experiences.

➌ Sensemakers (27% of participants) need to understand how the process works. They generally value details, and can trust the process if given enough valuable information.

➍ Enthusiasts (0% of participants) are excited to get the benefits of authenticating to share CDR data. They generally value simple experiences once trust is established.

The overall SUS score for App/Browser-to-App (Biometric) was 82.88, which is considered very high. The coloured markers depicted in the graph correspond to the Consumer Behaviour Archetypes (Sceptics, Assurance seekers, Sense makers, Enthusiasts) as described previously. The raw SUS scores were widely distributed for this round of research. When reviewing the SUS scores against the Consumer Behaviour Archetypes, researchers observed a trend: most of the Sceptics consistently scored lower in SUS compared to other archetypes; thus characterising their consumer archetype. Generally speaking, Sense Makers recorded higher scores, while Assurance Seekers had mixed results. Out of all consumer participants, 67% rated their experience as ‘excellent’, 18% as ‘good’, 5% as ‘okay’ and only 10% as ‘poor’ or ‘very poor’.

The research found App/Browser-to-App with Biometric to be a sufficient method of authentication for some use cases where there is little risk involved in successfully authenticating. The method is familiar and found to be very easy to use by most participants. This method could be supported by the CDR with the following constraints in order to meet and exceed user expectations of control, trust and security:

Continuing research is being undertaken in 2023 to determine other models to support.