This report contains findings and recommendations from the third round of CX (Consumer Experience) research conducted as part of the Authentication Uplift project. Round 3 research focussed on Decoupled Authentication and ran in March of 2023. The purpose of the research was to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective is to give consumers more choice and freedom when authenticating themselves with data holders, while maintaining financial grade security. Round 1 was conducted in September of 2022 and benchmarked the existing ‘Redirect with One Time Password (OTP)’ model. Round 2 was conducted in November of 2022 and focussed on “App/Browser-to-App’ authentication models. In the third round of Authentication Uplift research, the research team tested “Decoupled” authentication, which included elements of “fall-back” models.

In total, 40 consumers participated in round 3 research; 10 consumers participated in 1:1 interview sessions which ran for 90 minutes each, and 30 consumers participated in unmoderated prototype tests which ran 30 minutes. Two prototypes were used to facilitate discussion and generate insights in relation to the authentication models shown, as well as about authentication more generally.

This project relates to NP280 and NP296 which were open for consultation from 14 December 2022 to 27 January 2023 and 17 March to 1 May 2023 respectively.

The authentication stage is the second step in The Consent Model and involves a consumer verifying who they are with their Data Holder (DH). This step is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.

Authentication in the CDR regime is limited to a single consistent, authentication model, referred to as the 'Redirect with One Time Password' flow. No other flows are currently supported. ‘Redirect with One Time Password’ was previously tested in June 2019 against two other models; ‘Redirect to Known’ and ‘Decoupled’, and was found to be the preferred authentication model by research participants. The outcomes can be accessed in Phase 2 Stream 3 report.

The research now being conducted into CDR authentication uplift has been informed by the following:

This third round of research tested Decoupled Authentication with fall-back methods. Decoupled authentication requires the authentication of the user (or ‘challenge’, such as a PIN, password, biometric) to occur outside of the service/channel being accessed. This method verifies the user’s identity and authenticates the transaction via a separate channel — for example, a push notification to their banking app or via an email.

Fall-back (or waterfall) authentication is a mechanism that allows for an alternative authentication method/s to be used if the primary authentication method fails. This can be useful in decoupled authentication scenarios where the primary authentication method is unavailable and a fall-back is required to complete the authentication and authorisation process.

For example, if the primary authentication method is through a DH’s app, but the user does not have the app installed, a fall-back option would be logging in with OTP in the browser instead. Fall-back authentication can improve the user experience by providing a backup authentication method in case of issues with the primary method. The research also tested step-up authentication. Step-up authentication requires additional levels of authentication to adapt as the risk profile and sensitivity of the action increases.

The research found that consumer participants were familiar with methods of decoupled authentication, though they were not familiar with the technical term when asked. They recognised the process for logging in used in the research, having experienced using it at university or work, as well as more commonly with Google.

The findings further support the recommendation for step-up authentication. Many participants were familiar with step-up authentication, and expected corporations to implement 2-Factor Authentication (2FA) and step-up models regardless of the sensitivity of the data being accessed. This awareness and desire for tighter security may be related to recent high profile data breaches. Of all participants tested, 35% mentioned data breaches, and some referred specifically to the Optus, Medibank, and Latitude breaches. Despite a desire for 2FA for sensitive data, participants did not mind platforms they did not deem as sensitive asking for extra factors. They appreciated the security, and the friction was not viewed as negative. Rather, they appreciated that the provider was putting stops in place to protect data, with 8 out of 10 moderated participants preferring security over convenience.

Consumer participants had reservations about using QR codes in the context of sharing their data, irrespective to the number or combination of authentication factors tested. Most participants would only use QR codes for a low-risk, compelling value proposition or if there were no alternative methods available to them. There was a strong preference to be taken to an existing, pre-installed app which had been downloaded from a reputable source as users would have a pre-established level of trust and confidence. Consumer participants were not as comfortable with being redirected to a website in their browser, as they perceived it as rife with security risks, such as the potential for fraudulent websites, malicious code, fake QR codes or landing on different URLs with no way of checking whether they were taken to the correct link. We also note that when being redirected to a website, it was not immediately clear to participants why they couldn’t simply continue the process on the originating device (desktop in the instances tested), adding to the lack of transparency and trustworthiness. This perception of flawed security was true both for brands participants had not previously established trust with, and large corporations they were familiar with.

Many consumer participants had their banking provider’s mobile app installed on their phones, and used the app regularly. This contrasts with less digitally mature sectors, such as the energy sector, where the use of mobile apps is less common. As such, decoupled experiences that require switching from an originating device to an app may be more successful for the financial sector in the interim, but this may improve over time as app adoption increases in other sectors.

The following artefacts have been produced to help visualise the research findings. Each artefact is explored in further detail in the Research Outputs section of this report.

Global Performance

Consumer Behavioural Archetypes

System Usability Scale (SUS)

This research project aimed to:

These hypotheses have been tested in all three rounds of Authentication Uplift research:

In addition to the standard hypotheses, the research also looked to validate the following:

Consistent with the first two rounds of testing, hypotheses 1-4 were largely validated by the research. Hypotheses 5 and 8 were validated in use cases where the QR code took the participant to their Data Holder’s app, but not in the cases where it redirected them to a browser on their device. Hypotheses 6, 7 and 9 were validated by the research.

The following 4 major components of authentication were explored:

Combination of elements tested in Round 3

The research team developed 2 use cases that would be tested across 2 flows. The use cases included:

These use cases were tested across two prototypes. The first prototype tested a decoupled scenario where a participant began their journey on Lendify’s desktop website and scanned a QR code using a mobile phone which opened the DH’s app installed on the mobile device. They then authenticated and authorised in-app on the mobile device and were then prompted to return to their desktop browser to complete the journey.

In the second prototype, the participant began the journey on Switch’s desktop website, and scanned a QR code using a mobile phone. In this use case, no energy app was available on the device, so the fall-back was triggered. The browser was automatically opened with the DH’s log in page, where a participant authenticated with an OTP before returning to the desktop.

Use case 1

Use case 2

Data was collected throughout various points in the research. The research team conducted both moderated and unmoderated testing sessions, both feeding in to the final outputs. Moderated testing sessions involved a facilitator guiding the participants through tasks. Unmoderated test participants completed the test independently as they would in a natural environment.

Moderated sessions: 1-on-1 interviews

Unmoderated sessions: Maze Online platform

Research findings and insights include key observations and themes identified during moderated research sessions, supported by participant quotes. Some findings may go beyond the scope of the research topic, but have been included for completeness. Recommendations to uplift the CX may also be included – though this has not been the focus for the research team – as the goal is to identify appropriate authentication models for the CDR.

The research generally found that consumer participants expected authentication to adapt based on the associated level of risk when accessing certain data. Participants were familiar with risk-based authentication because it is common in industries such as banking, where providers have employed two-factor authentication (2FA) to occur when adding a new payee, as an example. Step-up authentication was highly valued by participants who prefer an extra layer of security, even if it means more steps (and time) to authenticate, as we discuss in Insight #6.

Research indicated that 8/10 moderated participants valued security over convenience. Examples of step-up authentication shared by consumer participants during research included requiring a higher level of authentication when transferring money. An example of a less risky action included accessing a social media account. Step-up authentication aligned with participant expectations of security and demonstrates the importance of security measures that are tailored to meet individual user actions. The extra layers and steps in the security process go far in giving participants comfort and peace of mind.

Within Decoupled Authentication there are several ‘fall-back’ options which must be considered. Fall-back authentication serves as a backup method in case one of the primary authentication methods fails or is unavailable. In the instance of the research, two decoupled user flows were tested, both originated on a desktop browser and presented a QR Code for participants to scan with a mobile device. In one flow, the QR Code triggered the DH app to open, and in the second flow there was no DH app available so – as a fall-back – One Time Password authentication occurred in the mobile browser.

The research revealed that when participants authenticated through a DH app which was already installed on the device, they felt more comfortable and in control due to an established, pre-existing trust. Participants knew they were the one who installed the app from a reputable source and could log in with existing and preferred authentication methods. In the instance where no app was available and participants were directed to the mobile browser, they felt confused and irritated. Confused, because it was not clear to participants why they needed to authenticate on their mobile browser and couldn't simply continue the process on their initial desktop browser; and irritated because of a poorer user experience on mobile compared to web browser. There was also some concern around the validity and security associated with using QR codes, particularly when being redirected to a webpage (for more detail, see Insight #3 of this report).

Furthermore, the research found that only two of the ten consumer participants interviewed actually had their energy app installed on their mobile device. This highlights the importance for fall-back options to be considered for various use cases – particularly if the DH does not offer a mobile app – to ensure the authentication process is optimised and avoids unnecessary confusion and frustration.

There was a strong preference from participants to continue the authentication journey on the initial desktop browser if no app was available. This was due to an improved user experience on desktop; larger font size, more screen real estate, a keyboard and, for some, a preference to conduct banking and utility related activities on a desktop. Lastly, because participants couldn’t rationalise the requirement for two devices instead of one, there was feedback that switching between devices involved extra effort and friction and didn’t necessarily improve security.

Consumer participants were not familiar with the use of QR codes to initiate an authentication, but cautiously accepted it with certain caveats. As explored in Insight #2, consumer participants preferred the use of QR codes to log in if they have their DH’s app already installed on their device. However, the fall-back flow where a participant was directed to a browser on a mobile device generated a totally different response.

Firstly, there were concerns from participants around the lack of security associated with QR codes, with some participants having experienced data breaches relating to the use of QR codes for COVID check-ins. One participant also experienced what they described as ‘fake QR codes’ which were stuck on top of legitimate QR codes in a bid to collect user data. Participants also expressed concern around the lack of visibility of where a QR code would take them, and not knowing whether the redirection would take them to a spoofed website or potentially inject malicious code. The security and privacy of QR codes are opaque, and there was a shared perception that the process was not commonly experienced by consumer participants in the past.

Consumer participants found it suspicious when they saw the desktop website update after they authenticated on the mobile device. This was based on the desktop website using "asynchronous calls” – a process which allows different parts of a website to update independently without the need for a full page reload. Though this usually contributes to an improved user experience, in this instance it was not immediately clear to participants how the devices had communicated with one another.

Using a QR code to authenticate may meet user expectations of security if it is used to open a DH app for authentication, or to open a webpage on the users mobile browser only for low-risk scenarios with compelling use cases if opening a web page.

The research highlighted participant opinions on the importance of corporate responsibly and ‘holding up their end of the bargain’ in order to build trust and assist participants in feeling more in control of their online security. Consumer participants believed that more needs to be done by corporations to keep user data safe from hacking attempts, while also implementing functional security measures to encourage best practice from customers. For instance, balancing password complexity and strength requirements so users aren’t creating low-quality passwords (i.e. Password123!) simply to satisfy the requirements.

While the participants take measures such as implementing strong passwords, updating them regularly, and monitoring credit reports for credit applications following data leaks, they felt that they can only do so much to protect their privacy and data online. Participants felt strongly that data protection can only rely so much on the consumer, and the majority of the onus should fall on the corporates. Participants expect corporations to act in their best interests, hire expert cyber security teams, and implement the latest and greatest security measures to protect customer data from breaches, while also finding a balance between security and convenience. Although larger brands are perceived as being more trustworthy, participants recognised that their data is not guaranteed safety. Participants cited Optus, Medibank and Latitude as examples of companies whose recent data breaches have shaken consumer trust.

Overall, participants want to feel more in control of online security and expect corporations to take responsibility for data protection. Keeping customers updated on data security, breaches, methods to keep accounts safe and any compromises in data should be swiftly and regularly communicated to account holders in order to assist participants to feel more in control. Consumer participants noted they generally only create accounts out of necessity and want their data to be protected, so it is crucial for corporations to prioritise security measures to build and maintain consumer trust and build systems which withstand any attempts by hackers.

Participants are highly aware of potential security breaches while using the internet – the recent highly publicised data breaches of well-known Australian companies has meant online security is top of mind for participants. Several participants raised these data breaches in the research sessions, with a number of them involved or impacted by the breaches and subsequently changing their behaviour online to safeguard their data.

Participants are conscious of the risks and the possibility of security breaches when accessing information online, particularly when using QR codes to initiate authentication. Participants seemed to be okay when the QR code opened a DH which was installed on the device (as touched on in Insight #2 of this report), but they were far more concerned about the lack of credibility of QR codes when redirected to a browser. Participants had concerns about the credibility of QR Codes and were worried they may be taken to a fake website, the potential for malicious code to be injected into the QR redirect URL, or keystrokes being recorded after opening a bad webpage. In addition to feeling uneasy, some participants also expressed discomfort with the possibility that their device's camera could be accessed without their consent beyond the period of scanning.

Consumer participants appreciated extra authentication factors even when they were not expected. Although two or more factors were expected for high-risk scenarios such as banking or health related data, participants also appreciated extra factors for actions they deemed as lower-risk, such as energy data. Even when 2FA was not required, participants were not bothered by the extra step, extra time or the increased level of friction. On the contrary, participants perceived the extra layers of security as the brand or corporation’s effort to prioritise consumer privacy and data safety, and demonstrate that they take customer data security seriously. Implementing extra factors provided participants with a sense of security and comfort. As explored in Insight #1, a use case such as social media log in does not warrant MFA, however riskier user cases like financial transactions were perceived by participants to carry some level of risk. Research indicated that the extra factors or increased friction should be in context and relevant to the use case.

This round of research produced similar findings to Round 1 research Insight #4 “Users Rely on Visual Trust Markers”. Consumer participants tested were conscious of the risks involved with using the internet and implement practices and habits to ensure the safety and security of their data. Similar to Round 1, this round of research found that participants were aware of and looked for visual cues to assess whether a site or experience was secure and trustworthy. Examples of these cues include checking URLs to ensure their legitimacy, not clicking on random links in text messages (even if the SMS has come through in the text-thread from their bank), and looking for SSL certificates on websites.

Participants noted that any activity or action which they personally initiated is preferred (such as opening an app on their own accord rather than receiving a SMS with a link to open) as it gives participants peace of mind. They also appreciate being informed and educated about online risks and scams by the business they engage with. Those who have been impacted by previous security breaches are proactive in their approach to online safety and actively seek out information and advice on how to protect themselves, with one participant even enrolling in an InfoSec TAFE course to learn more. While consumer participants were cautious, they also understood and accepted that there are inherent risks with using the internet. Overall, participants felt that they are well-informed and educated when it comes to online safety and take steps to ensure their security.

The term "Decoupled” authentication was not widely recognised among participants, although they were familiar with the method and had used it before when prompted. While most consumer participants had not heard of the term "decoupled," they recognised the process once it was explained to them. Participants who were not familiar with the term said they had used the method frequently in the past or currently used a form of it.

Global Performance is a measure developed by the research team to define success for various authentication models, made up of five separate measures:

Each of these five measures consists of 3 different metrics (as demonstrated in the ‘Measures & Metrics in detail’ table) collected throughout the research and then collated to determine a quantifiable outcome for each measure. These 5 measures are then reflected on a five-point radial graph, demonstrating the global performance for the respective authentication model.

Decoupled metrics and measures outcomes. A score above 4 is considered excellent, above 3.75 is considered very good, a score below 3.25 is considered poor and below 3 is bad.

Each Archetype has specific needs for how authenticating to share CDR data should work in order for them to trust and understand it.

➊ Sceptics (36% of participants) are less trusting of organisations and/or technology. They generally value control, and are averse to sharing data based on experience with current practices.

➋ Assurance Seekers (51% of participants) want to read additional information. They generally value familiarity and external reference/support, and are apprehensive to new experiences.

➌ Sensemakers (13% of participants) need to understand how the process works. They generally value details, and can trust the process if given enough valuable information.

➍ Enthusiasts (0% of participants) are excited to get the benefits of authenticating to share CDR data. They generally value simple experiences once trust is established.

The overall SUS (System Usability Scale) score for Decoupled authentication with QR code was 74.29, which is considered ‘good’ but not great – anything above 80.3 is well-performing. The coloured markers depicted in the graph above correspond to the Consumer Behaviour Archetypes (Sceptics, Assurance seekers, Sense makers, Enthusiasts) as described to the left of the graph. The raw SUS scores were widely distributed for this round of research. When reviewing the SUS scores against the Consumer Behaviour Archetypes, researchers observed a trend: most of the Sceptics consistently scored lower in SUS compared to other archetypes; thus characterising their consumer archetype. Generally speaking, Sense Makers recorded higher scores, while Assurance Seekers had mixed results. Out of all consumer participants, 38% rated their experience as ‘excellent’, 31% as ‘good’, 15% as ‘okay’ and other 15% as ‘poor’ or ‘very poor’.

The research found that consumer participants were not entirely comfortable with the use of QR codes for authentication, with concerns around their safety and the need for more instructions on the process. The method could be supported by the CDR with the following constraints in order to meet user expectations of comfort, control and trust:

The study concludes with this third round of research. The research team will now focus on preparing a report on the outcomes and compare the findings across the three models tested along with a recommendation for consultation. Overall, this Authentication Uplift research has provided many valuable insights into participant perceptions of various authentication methods and how they may be improved to provide informed, intuitive and trustworthy consent experiences.