- Executive Summary
- Consultation
- Context
- Findings
- Research artefacts at a glance
- Project goals
- Research Objectives
- Hypotheses
- Research Approach
- Use cases
- Methodology
- Research Findings & Insights
- 1. Risk-based Authentication Aligns with Participant Mental Models
- 2. Fall-back Authentication: Decoupled is more Intuitive When an App is Available
- 3. Users are Cautious of QR Codes, though Accept their Usage with Caveats
- 4. Consumers Feel Empowered And In Control When Corporations Act Responsibly
- 5. Participants are Wary Of The Potential For Security Breaches
- 6. Extra Authentication Factors Are Appreciated Even When Unexpected
- 7. Participants Are Aware And Educated Regarding Risks And Scams Online
- 8. The Term “Decoupled” Was Not Widely Recognised, Though Participants Were Familiar With The Method
- Research Outputs
- Global Performance: Radial Graph
- Decoupled
- Recall & Input (3.75)
- Familiarity & Completion (3.25)
- Comfort & Control (3.52)
- Purpose & Outcome (3.36)
- Expectations (3.60)
- Consumer Behavioural Archetypes
- System Usability Scale
- Opportunities
Executive Summary
This report contains findings and recommendations from the third round of CX (Consumer Experience) research conducted as part of the Authentication Uplift project. Round 3 research focussed on Decoupled Authentication and ran in March of 2023. The purpose of the research was to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective is to give consumers more choice and freedom when authenticating themselves with data holders, while maintaining financial grade security. Round 1 was conducted in September of 2022 and benchmarked the existing ‘Redirect with One Time Password (OTP)’ model. Round 2 was conducted in November of 2022 and focussed on “App/Browser-to-App’ authentication models. In the third round of Authentication Uplift research, the research team tested “Decoupled” authentication, which included elements of “fall-back” models.
In total, 40 consumers participated in round 3 research; 10 consumers participated in 1:1 interview sessions which ran for 90 minutes each, and 30 consumers participated in unmoderated prototype tests which ran 30 minutes. Two prototypes were used to facilitate discussion and generate insights in relation to the authentication models shown, as well as about authentication more generally.
Consultation
This project relates to NP280 and NP296 which were open for consultation from 14 December 2022 to 27 January 2023 and 17 March to 1 May 2023 respectively.
Context
The authentication stage is the second step in The Consent Model and involves a consumer verifying who they are with their Data Holder (DH). This step is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.
Authentication in the CDR regime is limited to a single consistent, authentication model, referred to as the 'Redirect with One Time Password' flow. No other flows are currently supported. ‘Redirect with One Time Password’ was previously tested in June 2019 against two other models; ‘Redirect to Known’ and ‘Decoupled’, and was found to be the preferred authentication model by research participants. The outcomes can be accessed in Phase 2 Stream 3 report.
The research now being conducted into CDR authentication uplift has been informed by the following:
- In December 2021, the Government noted support for the Inquiry into Future Directions for the CDR’s recommendation to review the approach to authentication. The Inquiry stated that ‘the convenience and consumer experience of different authentication mechanisms should be considered’ when assessing how to expand CDR authentication support.
- The Independent Information Security Review published in July 2022 separately highlighted that the current approach to CDR authentication does not meet minimum security requirements, and adjustments are warranted.
- The CDR community have also requested changes to the current CDR authentication model, which the DSB is considering as part of this work (see CR405, CR554 and CR542).
- Decision 182 – Information Security Uplift For Write aka action initiation This consultation sought community input on how the info sec profile might evolve to explicitly support write operations.
This third round of research tested Decoupled Authentication with fall-back methods. Decoupled authentication requires the authentication of the user (or ‘challenge’, such as a PIN, password, biometric) to occur outside of the service/channel being accessed. This method verifies the user’s identity and authenticates the transaction via a separate channel — for example, a push notification to their banking app or via an email.
- The service provider sends an Authentication Request message and waits for a notification that the authentication has completed
- The Identity Provider (IDP) confirms if they support decoupled authentication. If supported, the users authenticates themselves and authorises the transaction outside of the service provider channel, usually through the IDP’s app or website
- After authentication and authorisation, the IDP sends the results back through the Results Request message
- The service provider sends confirmation through the Result Response message
Fall-back (or waterfall) authentication is a mechanism that allows for an alternative authentication method/s to be used if the primary authentication method fails. This can be useful in decoupled authentication scenarios where the primary authentication method is unavailable and a fall-back is required to complete the authentication and authorisation process.
For example, if the primary authentication method is through a DH’s app, but the user does not have the app installed, a fall-back option would be logging in with OTP in the browser instead. Fall-back authentication can improve the user experience by providing a backup authentication method in case of issues with the primary method. The research also tested step-up authentication. Step-up authentication requires additional levels of authentication to adapt as the risk profile and sensitivity of the action increases.
Findings
The research found that consumer participants were familiar with methods of decoupled authentication, though they were not familiar with the technical term when asked. They recognised the process for logging in used in the research, having experienced using it at university or work, as well as more commonly with Google.
The findings further support the recommendation for step-up authentication. Many participants were familiar with step-up authentication, and expected corporations to implement 2-Factor Authentication (2FA) and step-up models regardless of the sensitivity of the data being accessed. This awareness and desire for tighter security may be related to recent high profile data breaches. Of all participants tested, 35% mentioned data breaches, and some referred specifically to the Optus, Medibank, and Latitude breaches. Despite a desire for 2FA for sensitive data, participants did not mind platforms they did not deem as sensitive asking for extra factors. They appreciated the security, and the friction was not viewed as negative. Rather, they appreciated that the provider was putting stops in place to protect data, with 8 out of 10 moderated participants preferring security over convenience.
Consumer participants had reservations about using QR codes in the context of sharing their data, irrespective to the number or combination of authentication factors tested. Most participants would only use QR codes for a low-risk, compelling value proposition or if there were no alternative methods available to them. There was a strong preference to be taken to an existing, pre-installed app which had been downloaded from a reputable source as users would have a pre-established level of trust and confidence. Consumer participants were not as comfortable with being redirected to a website in their browser, as they perceived it as rife with security risks, such as the potential for fraudulent websites, malicious code, fake QR codes or landing on different URLs with no way of checking whether they were taken to the correct link. We also note that when being redirected to a website, it was not immediately clear to participants why they couldn’t simply continue the process on the originating device (desktop in the instances tested), adding to the lack of transparency and trustworthiness. This perception of flawed security was true both for brands participants had not previously established trust with, and large corporations they were familiar with.
Many consumer participants had their banking provider’s mobile app installed on their phones, and used the app regularly. This contrasts with less digitally mature sectors, such as the energy sector, where the use of mobile apps is less common. As such, decoupled experiences that require switching from an originating device to an app may be more successful for the financial sector in the interim, but this may improve over time as app adoption increases in other sectors.
Research artefacts at a glance
The following artefacts have been produced to help visualise the research findings. Each artefact is explored in further detail in the Research Outputs section of this report.
Global Performance
Consumer Behavioural Archetypes
System Usability Scale (SUS)
Project goals
This research project aimed to:
- Identify appropriate authentication models to support in the CDR;
- Provide CX input to the authentication framework to assess incoming/supported models;
- Strike a balance between security, consumer experience and value delivery;
- Help organisations provide intuitive, informed, trustworthy consent experiences with positive outcomes.
Research Objectives
- Understand current consumer behaviours, pain points and needs regarding authentication
- Identify appropriate consumer experience criteria and metrics to assess authentication models
- Inform the development and proposal of new standards, and/or the revision of existing standards
- Identify appropriate models to be considered for adoption that are interoperable, flexible and adaptable
- Uplift authentication standards to offer improved experience, choice, convenience, inclusivity and security as well as alignment to consumers' existing digital experiences
- Understand how consumer behaviours and attitudes may shift for different use cases (e.g. banking vs energy) using the same authentication method
- Explore the impacts of different elements and mechanisms
Hypotheses
These hypotheses have been tested in all three rounds of Authentication Uplift research:
- Authenticating without needing to recall or manually enter information is preferred by users
- A familiar authentication method is perceived as more intuitive and will increase the likelihood of task completion
- If a user is informed of the next steps and contextual requirements of an authentication flow, then they will feel more comfortable and in control
- Informed user authentication can be supported by stating the purpose and outcome of the authentication. ("Why and what for?")
- The model meets or exceeds the user's expectations of friction, security and experience
In addition to the standard hypotheses, the research also looked to validate the following:
- Users are not averse to using a QR Code to authenticate
- Users find it more intuitive to use their device camera to scan the QR code over accessing a camera from their Data Holder’s app
- Users prefer to continue the journey back on their desktop browser than on their mobile browser for OTP (One Time Password)
- Effective messaging is needed to close the loop (for users to return to their desktop from their mobile device) and complete the journey
Consistent with the first two rounds of testing, hypotheses 1-4 were largely validated by the research. Hypotheses 5 and 8 were validated in use cases where the QR code took the participant to their Data Holder’s app, but not in the cases where it redirected them to a browser on their device. Hypotheses 6, 7 and 9 were validated by the research.
Research Approach
The following 4 major components of authentication were explored:
- Channel: This is the channel where authentication is performed. For example: mobile, desktop, kiosk etc.
- Modality: Modalities are the inputs used for authentication. For example: Biometric, Pin code etc.
- Authentication method: This is the method by which an authentication is performed. Out of many factors of authentication methods, these 3 are mostly recognised:
- Knowledge-based: Something the user knows, such as a password or the answer to a security question
- Inherence-based: Something that the user is, as represented by a fingerprint or iris scan
- Possession-based: Something the user possesses such as a one-time password generator, certificate, or smart card
- Notification method: This is the different ways a user is alerted about the authentication requirement. For example: Push notification, Email notification etc.
Combination of elements tested in Round 3
Channel | Modality | Authentication method | Notification method |
Decoupled: Web-2-Web | One Time Password | Possession based | Text/SMS |
Decoupled: Web-2-App
| Biometric + PIN Code | Inherence + Knowledge based | N/A |
Use cases
The research team developed 2 use cases that would be tested across 2 flows. The use cases included:
- Getting indicative interest rates for a car loan through a fictional non-bank lender called Lendify (ADR). The participant was told they bank with a real world banking data holder.
- Comparing energy plans from various providers using a fictional comparator service called Switch (ADR) to get a better deal on energy. The participant was told their provider was a real world energy data holder.
These use cases were tested across two prototypes. The first prototype tested a decoupled scenario where a participant began their journey on Lendify’s desktop website and scanned a QR code using a mobile phone which opened the DH’s app installed on the mobile device. They then authenticated and authorised in-app on the mobile device and were then prompted to return to their desktop browser to complete the journey.
In the second prototype, the participant began the journey on Switch’s desktop website, and scanned a QR code using a mobile phone. In this use case, no energy app was available on the device, so the fall-back was triggered. The browser was automatically opened with the DH’s log in page, where a participant authenticated with an OTP before returning to the desktop.
Use case 1
Use case 2
Methodology
Data was collected throughout various points in the research. The research team conducted both moderated and unmoderated testing sessions, both feeding in to the final outputs. Moderated testing sessions involved a facilitator guiding the participants through tasks. Unmoderated test participants completed the test independently as they would in a natural environment.
Moderated sessions: 1-on-1 interviews
- Number of participants: 10
- Activities: Screener, Interview, Prototype test, In-depth interview, Post-task Survey
- Duration: 1.5 hours
Unmoderated sessions: Maze Online platform
- Number of participants: 30
- Activities: Screener, Prototype test, Post-task Survey
- Duration: 30 minutes
Our approach to recruitment
A broad and diverse range of participants were recruited to help reduce bias and research out risk. A ‘no edge cases’ approach is taken to support the design of an inclusive CDR. Instead of focusing on those who are already likely and able to adopt CDR, our research focuses on removing the barriers to CDR being inclusive and accessible, which will make CDR easier and simpler to access for everyone.
The recruitment process strives to reflect the demographic percentages outlined in the Australian Bureau of Statistics 2016 Census Data, and explicitly recruits those who may be experiencing vulnerability or disadvantage.
Participants have varying levels of:
- Digital ability, financial and data literacies and experiences
- Privacy awareness
- Confidence in the English language
- Trust in Government and commercial organisations
Detailed demographics
Age | Number of participants | % | Notes |
18-24 | 6 | 16% | young person defined as 12-24 years of age (ref: 2010 National Strategy for Young Australians) |
25-34 | 8 | 22% | |
35-44 | 11 | 30% | |
45-54 | 5 | 14% | |
55-64 | 4 | 11% | |
65-74 | 1 | 3% | older person defined as 65+ years of age (ref: 2018 Australian Bureau of Statistics) |
75 and over | 2 | 5% |
State or territory | Number of participants | % |
ACT | 1 | 3% |
NSW | 12 | 32% |
NT | - | 0.9% |
QLD | 6 | 16% |
SA | 5 | 14% |
TAS | 1 | 3% |
VIC | 9 | 24% |
WA | 3 | 8% |
Rural vs metro | Number of participants | % |
Metropolitan/Inner City | 9 | 24% |
Suburban/Outer City | 21 | 57% |
Large town | 3 | 8% |
Small or remote town | 3 | 8% |
Rural location | 1 | 3% |
Gender | Number of participants | % |
Man | 13 | 35% |
Woman | 24 | 65% |
Non-binary/gender fluid | - | - |
Notification preference
Preferred notification method | Number of participants | % |
Push | 14 | 38% |
SMS | 21 | 57% |
Email | 2 | 5% |
Device preference
Preferred device | Number of participants | % |
Push | 27 | 73% |
SMS | 1 | 3% |
Email | 6 | 16% |
Banking
Method | % |
Through app | 57.41% |
Through website on mobile | 16.67% |
Through website on computer | 25.92% |
Other |
Superannuation
Method | % |
Through app | 26.5% |
Through website on mobile | 20.4% |
Through website on computer | 51% |
Other | 2.1% |
Telco
Method | % |
Through app | 42.86 |
Through website on mobile | 26.53 |
Through website on computer | 28.57 |
Other | 2.1 |
Energy
Method | % |
Through app | 14.28 |
Through website on mobile | 30.61 |
Through website on computer | 53.06 |
Other | 2.1 |
For the hypothesis expectations to be effectively met, we assume that the research participant:
- Owns a smart phone and a computer
- Has their DH’s app installed and has previously logged in
- Knows how to use a QR code
Research Findings & Insights
Research findings and insights include key observations and themes identified during moderated research sessions, supported by participant quotes. Some findings may go beyond the scope of the research topic, but have been included for completeness. Recommendations to uplift the CX may also be included – though this has not been the focus for the research team – as the goal is to identify appropriate authentication models for the CDR.
1. Risk-based Authentication Aligns with Participant Mental Models
The research generally found that consumer participants expected authentication to adapt based on the associated level of risk when accessing certain data. Participants were familiar with risk-based authentication because it is common in industries such as banking, where providers have employed two-factor authentication (2FA) to occur when adding a new payee, as an example. Step-up authentication was highly valued by participants who prefer an extra layer of security, even if it means more steps (and time) to authenticate, as we discuss in Insight #6.
Research indicated that 8/10 moderated participants valued security over convenience. Examples of step-up authentication shared by consumer participants during research included requiring a higher level of authentication when transferring money. An example of a less risky action included accessing a social media account. Step-up authentication aligned with participant expectations of security and demonstrates the importance of security measures that are tailored to meet individual user actions. The extra layers and steps in the security process go far in giving participants comfort and peace of mind.
"I think that's fine because it's all they're gonna get is energy data. They're not gonna get my bank account and my all of that. They're just gonna see my energy data and how I prefer to pay. And I think that's sort of, I don't think it's that risky providing that because there's not anything else they can do with it.”–R3P9
"I just think of telco as like a lot less important [than banking]. Like for me, my telco, I pay via PayPal so I feel protected with PayPal. Like there's not that much they can get from me, they can get my phone number, my email, my address, but they could get a lot of that anywhere. So banking data to me just seems a lot more like important than telco data.”–R3P8
"Yeah, so I think it sort of depends on the caliber of information collected. If you are accessing things like health related data, banking related data to the extent that the other one was like it wanted all of my transactions and descriptions of my transactions. So it knows that like I've gone to Coles and brought croissants six times this week or something ridiculous. That's quite a detailed amount of data. You can actually track my movement looking at data like that. My energy bills, you're able to see how much electricity I use. You can see that I like to run the heater in winter. I'm okay with that. It's got my address, which is uncomfortable but is data I'd expect to have to hand over for this particular process to Switch directly. So they would like, I would expect to fill a form out with my name, phone number, email address and address. I guess there's just different levels of data security I expect from different types of information. Financial and health information I think needs to be more secure than my energy billing information.”–R3P2
"I would like to think that banking [data] is, no matter what I'm doing, that it's secure. Even checking a balance is as secure as transferring, I suppose probably transferring a large sum of money there are probably other levels, like it might be that you've gotta change, you know, what your maximum transfer amount is and stuff like that. So yeah, which I suppose actually means that there is additional levels of security.”–R3P5
"Mmm, I guess I am okay with that because once again, it comes to the level of risk. I'm only comparing [energy providers], I still have a choice to make a decision and on the scale of risk, this is a low risk transaction.”–R3P4
2. Fall-back Authentication: Decoupled is more Intuitive When an App is Available
Within Decoupled Authentication there are several ‘fall-back’ options which must be considered. Fall-back authentication serves as a backup method in case one of the primary authentication methods fails or is unavailable. In the instance of the research, two decoupled user flows were tested, both originated on a desktop browser and presented a QR Code for participants to scan with a mobile device. In one flow, the QR Code triggered the DH app to open, and in the second flow there was no DH app available so – as a fall-back – One Time Password authentication occurred in the mobile browser.
The research revealed that when participants authenticated through a DH app which was already installed on the device, they felt more comfortable and in control due to an established, pre-existing trust. Participants knew they were the one who installed the app from a reputable source and could log in with existing and preferred authentication methods. In the instance where no app was available and participants were directed to the mobile browser, they felt confused and irritated. Confused, because it was not clear to participants why they needed to authenticate on their mobile browser and couldn't simply continue the process on their initial desktop browser; and irritated because of a poorer user experience on mobile compared to web browser. There was also some concern around the validity and security associated with using QR codes, particularly when being redirected to a webpage (for more detail, see Insight #3 of this report).
Furthermore, the research found that only two of the ten consumer participants interviewed actually had their energy app installed on their mobile device. This highlights the importance for fall-back options to be considered for various use cases – particularly if the DH does not offer a mobile app – to ensure the authentication process is optimised and avoids unnecessary confusion and frustration.
There was a strong preference from participants to continue the authentication journey on the initial desktop browser if no app was available. This was due to an improved user experience on desktop; larger font size, more screen real estate, a keyboard and, for some, a preference to conduct banking and utility related activities on a desktop. Lastly, because participants couldn’t rationalise the requirement for two devices instead of one, there was feedback that switching between devices involved extra effort and friction and didn’t necessarily improve security.
"Okay. Now I'm irritated because I'd rather have the website through my laptop rather than phone because it's much easier to use. I've started using the laptop, I mean I can do it on the phone, but it's tedious and painful and if I started this whole process on my laptop because it's easier on a laptop, then I would rather do the [authentication] thing on a laptop if I don't have the app already.”–R3P3
“I don't like too much chopping and changing between devices. I'd probably rather stay on one device.”–R3P5
"Well, based on the scenario really, like if there is a need to do it on the app or not. If not, then I prefer to just stick with the same platform.”–R3P7
"I don't know… to me I find it hard to use a mobile phone. The letters are too small. I can't see. I can't type properly on a phone. It's just too clumsy. I prefer desktop. It's a bigger screen you can read comfortably. You got nice keyboard to type on. I mean, these are not the security issue, but more to do with comfort and maybe my eyesight and all those things.”–R3P1
"For convenience mainly and I can see better on the laptop, so I don't want to. I don't know, maybe it makes no difference but I don't want to do Banking on the laptop and Banking on the phone. I just think it's another thing that somebody could pick up on, right. If you're using various devices, maybe I'm completely wrong, but I prefer to just do it through the laptop.”–R3P9
"Because it didn't use an app in this example I feel it could have easily have just been done on the one desktop and also I didn't need something specifically on my phone to authenticate me logging in. So I didn't really see the point of having to use my phone for that example. Yeah, I mean I'd do it if I was doing it and that was how I was to do it, but I don't necessarily see any advantage in it.”–R3P8
3. Users are Cautious of QR Codes, though Accept their Usage with Caveats
Consumer participants were not familiar with the use of QR codes to initiate an authentication, but cautiously accepted it with certain caveats. As explored in Insight #2, consumer participants preferred the use of QR codes to log in if they have their DH’s app already installed on their device. However, the fall-back flow where a participant was directed to a browser on a mobile device generated a totally different response.
Firstly, there were concerns from participants around the lack of security associated with QR codes, with some participants having experienced data breaches relating to the use of QR codes for COVID check-ins. One participant also experienced what they described as ‘fake QR codes’ which were stuck on top of legitimate QR codes in a bid to collect user data. Participants also expressed concern around the lack of visibility of where a QR code would take them, and not knowing whether the redirection would take them to a spoofed website or potentially inject malicious code. The security and privacy of QR codes are opaque, and there was a shared perception that the process was not commonly experienced by consumer participants in the past.
Consumer participants found it suspicious when they saw the desktop website update after they authenticated on the mobile device. This was based on the desktop website using "asynchronous calls” – a process which allows different parts of a website to update independently without the need for a full page reload. Though this usually contributes to an improved user experience, in this instance it was not immediately clear to participants how the devices had communicated with one another.
Using a QR code to authenticate may meet user expectations of security if it is used to open a DH app for authentication, or to open a webpage on the users mobile browser only for low-risk scenarios with compelling use cases if opening a web page.
"I think sometimes when you are redirected it can be questionable. I feel like what you've agreed to on the original website then you’re redirected and that might not be what you want to happen. But in this sense where I scanned a QR code and it opened an app, it's something that I already have on my phone so I've already set those permissions for that app as to what it can access and what it can't access.”–R3P8
"As I said, QR codes I'm always a bit iffy about because of the different redirection that happens with it.”–R3P6
"I feel weird about it cause it's not super common and it's something that I would expect [DH] to have a help article about or something to say. What do you do if something, something wants your QR code scan to log into our app. I think there's a lot of potential for malicious code to be injected into QR codes, which is why I'm feeling so sketched out by this [ADR] I don't think of as a particularly reputable company. They've got no reason to do the right thing by me. I guess I'm missing that pretext from [DH] or even from a more reputable company to be doing that QR code process.”–R3P2
"When we had covid really badly we had to sign in everywhere using the QR code and that's how people remember that. And maybe there has to be a bit more of an explanation or introduction using the QR code with methods like this, using it as a method”–R3P10
"I don't really know that much about QR codes that I would know how safe they are. Maybe they extremely safe. If they are, I'll be very happy to use it in the future. But I just don't know cause I haven't had much experience with it.”–R3P9
"For me, it's a bit uncommon to use the QR code for something sensitive like this. I'm quite open-minded to try something new, but it's a bit unexpected to use a QR code for this.”–R3P4
"I don't find QR code is that secure because I, I can never able to identify whether that is the value QR code until I actually click on that link.”–R3P7
4. Consumers Feel Empowered And In Control When Corporations Act Responsibly
The research highlighted participant opinions on the importance of corporate responsibly and ‘holding up their end of the bargain’ in order to build trust and assist participants in feeling more in control of their online security. Consumer participants believed that more needs to be done by corporations to keep user data safe from hacking attempts, while also implementing functional security measures to encourage best practice from customers. For instance, balancing password complexity and strength requirements so users aren’t creating low-quality passwords (i.e. Password123!) simply to satisfy the requirements.
While the participants take measures such as implementing strong passwords, updating them regularly, and monitoring credit reports for credit applications following data leaks, they felt that they can only do so much to protect their privacy and data online. Participants felt strongly that data protection can only rely so much on the consumer, and the majority of the onus should fall on the corporates. Participants expect corporations to act in their best interests, hire expert cyber security teams, and implement the latest and greatest security measures to protect customer data from breaches, while also finding a balance between security and convenience. Although larger brands are perceived as being more trustworthy, participants recognised that their data is not guaranteed safety. Participants cited Optus, Medibank and Latitude as examples of companies whose recent data breaches have shaken consumer trust.
Overall, participants want to feel more in control of online security and expect corporations to take responsibility for data protection. Keeping customers updated on data security, breaches, methods to keep accounts safe and any compromises in data should be swiftly and regularly communicated to account holders in order to assist participants to feel more in control. Consumer participants noted they generally only create accounts out of necessity and want their data to be protected, so it is crucial for corporations to prioritise security measures to build and maintain consumer trust and build systems which withstand any attempts by hackers.
"[I expect] that the provider or the website that I'm going to is a trustworthy website. If I'm going to their website, I believe they are trustworthy people. They've done all their homework, they’ve got proper data security programs and people to look after my data. It won't be stolen easily. They're doing the right thing. They can afford it and, and hopefully they're doing it.”–R3P1
"What is the responsibility of corporate Australia to ensure that they have, you know, extra added mechanisms put in place to protect consumer's privacy in light of what is happening and how do they build that trust with the community that uses their service.”–R3P4
"I expect the organisation to implement the right level of security for the risk. So not go over the top when it's not important and not under-do it when it is. And I expect them to keep abreast of changes in technology and risk so that they're looking after everything properly and that they are properly updating their systems as they need to. And I expect them never to keep any passwords and not to keep any other information that relates to authentication that they don't need to keep.”–R3P3
"I will expect the company actually taking their best to protect and maintain their system in terms of security vulnerabilities and also the informations that they store in in their system.”–R3P7
"I’m with Optus with my telephone and I was one of the people that had my information released. It wasn't as serious as some had it, but it was bad enough that it gave me a lot of mistrust with Optus because giving out information - even it doesn't really affect my day to day or my accounts or anything like that - it's still a breach of privacy.”–R3P6
"I do think that there is a point where if things aren't convenient, users, including myself will do stupid things like set shorter passwords than they should because they have to type in six passwords. So I'll just make them all really low quality for example. So I definitely think there's, there needs to be some level of convenience attached to make security functional.”–R3P2
"That it's secure. That my information isn't gonna be accessed. That's if it’s accessed that it’s reported to me and if possible, whatever website or whatever account or whatever has been accessed, they have taken measures to make sure that doesn't get any worse. Being responsible for their part of it, basically.”–R3P6
"Well I suppose I'm trusting all the data protection things that I'm trusting those sites to fulfil their part of the contract, which is the, the data part protection part. And I suppose I'm trusting that my computer is not being, my keystrokes are not being followed by someone out in the cloud somewhere.”–R3P5
"No, I never have that feeling [of control]. I'm sorry. And I don't think anybody should feel that way. We are never in control. Look what happened with Optus, they're a large corporation. They are dealing with the telecom – they know they have people's very serious data there was a leakage. It doesn't matter how big the organisation is, doesn't matter how big their security programs are. One can never feel secure.”–R3P1
"I hope that the providers are doing what they're supposed to do to keep it safe. But I mean, I don't think anybody's safe anymore really. I mean obviously they have to keep ahead of the hackers and whatever and that's what they should be doing. But I suppose the world we live in that it's happening, isn't it?.”–R3P5
5. Participants are Wary Of The Potential For Security Breaches
Participants are highly aware of potential security breaches while using the internet – the recent highly publicised data breaches of well-known Australian companies has meant online security is top of mind for participants. Several participants raised these data breaches in the research sessions, with a number of them involved or impacted by the breaches and subsequently changing their behaviour online to safeguard their data.
Participants are conscious of the risks and the possibility of security breaches when accessing information online, particularly when using QR codes to initiate authentication. Participants seemed to be okay when the QR code opened a DH which was installed on the device (as touched on in Insight #2 of this report), but they were far more concerned about the lack of credibility of QR codes when redirected to a browser. Participants had concerns about the credibility of QR Codes and were worried they may be taken to a fake website, the potential for malicious code to be injected into the QR redirect URL, or keystrokes being recorded after opening a bad webpage. In addition to feeling uneasy, some participants also expressed discomfort with the possibility that their device's camera could be accessed without their consent beyond the period of scanning.
"I think I felt a bit out of control with, with that I sort of, I think there's a lot of security risks associated with QR codes and I felt suspicious of where they had taken me and why it was on my phone and have I been directed to the provider's website or somewhere else. That would be true even if I trusted the websites we were using cuz I, there was an element of trust missing there, but I think I would still be mindful that that would be a really easy attack vector was to spoof up the wrong QR code for one of these web pages. Yeah, that that it just made me more suspicious. So I felt a little bit less like I had control over where I was going.”–R3P2
"Always. Always. It doesn't matter who the company is, what the website is, there's always that risk [of a breach].”–R3P6
"I know what QR code is and I mean I come from India where the QR code is very common. Everybody uses QR code to pay, even for if they're buying a pack of cigarettes or whatever it is. Everybody, every vendor, even if roadside vendor selling cucumber, which is worth probably 20 cents in our language, you buy a cucumber and there'll be QR code, you scan with your phone and your payment is done. How we have ApplePay, they have some local apps; one is called Phone Pay a that is I think the most common they use. So that Phone Pay deduct money from their account and, and creates into the vendors account. And it's instant. In fact, some of them don't even have any authentication, nothing. You just scan it and it's done. Nothing else required you log on to open your phone, get rid of the password to the phone, and then you scan it and it's done. I'm worried about that because in less than two seconds they're be scanners that'll be in the market with hands of the scammers who can scan it from two meters and then they'll be going to a shopping mall and and scanning everybody's phones without them even knowing about it. I'm talking to somebody on my phone and my phone has been scanned.”–R3P1
"First of all, like with the QR code, I have no clue where it will be directed me to until I click on it and then saw the landing page. Yeah. So as with privacy wise, I was hoping that it landed me to a page which I'm familiar with like as as the provider that I'm using. So I understand about like their privacy.”–R3P7
6. Extra Authentication Factors Are Appreciated Even When Unexpected
Consumer participants appreciated extra authentication factors even when they were not expected. Although two or more factors were expected for high-risk scenarios such as banking or health related data, participants also appreciated extra factors for actions they deemed as lower-risk, such as energy data. Even when 2FA was not required, participants were not bothered by the extra step, extra time or the increased level of friction. On the contrary, participants perceived the extra layers of security as the brand or corporation’s effort to prioritise consumer privacy and data safety, and demonstrate that they take customer data security seriously. Implementing extra factors provided participants with a sense of security and comfort. As explored in Insight #1, a use case such as social media log in does not warrant MFA, however riskier user cases like financial transactions were perceived by participants to carry some level of risk. Research indicated that the extra factors or increased friction should be in context and relevant to the use case.
"Yeah, so the thing that I like is more secure, like using the apps, the, the one that at this line is that you have to first set up the apps on your phone and then get yourself signed into the account using the apps. So it is a bit more effort to do that, but then I see it's much secure.”–R3P7
"Oh, I definitely feel secure, but it takes a just takes a a bit more time. It can be a bit of a pain, but at the end of the day if your information is secure, it's worth it. Really.”–R3P6
"It can be inconvenient sometimes, but it's, it's not a negative inconvenience, if you know what I mean. Cause it's there for a reason. At the end of the day, it's there to protect you.”–R3P6
"It seems like really two factor authentications is just the way you've gotta go really. I suppose I've started to expect that that's the way everything's gonna be.”–R3P5
7. Participants Are Aware And Educated Regarding Risks And Scams Online
This round of research produced similar findings to Round 1 research Insight #4 “Users Rely on Visual Trust Markers”. Consumer participants tested were conscious of the risks involved with using the internet and implement practices and habits to ensure the safety and security of their data. Similar to Round 1, this round of research found that participants were aware of and looked for visual cues to assess whether a site or experience was secure and trustworthy. Examples of these cues include checking URLs to ensure their legitimacy, not clicking on random links in text messages (even if the SMS has come through in the text-thread from their bank), and looking for SSL certificates on websites.
Participants noted that any activity or action which they personally initiated is preferred (such as opening an app on their own accord rather than receiving a SMS with a link to open) as it gives participants peace of mind. They also appreciate being informed and educated about online risks and scams by the business they engage with. Those who have been impacted by previous security breaches are proactive in their approach to online safety and actively seek out information and advice on how to protect themselves, with one participant even enrolling in an InfoSec TAFE course to learn more. While consumer participants were cautious, they also understood and accepted that there are inherent risks with using the internet. Overall, participants felt that they are well-informed and educated when it comes to online safety and take steps to ensure their security.
"Yeah, multifactor authentication definitely gives me a feeling of security, but also if I initiate the connection, that gives me the most.”–R3P3
"Yeah. I change regularly, my passwords. Every month I set myself a reminder on my calendar and that's what I'm doing. And there are apps which actually save passwords, but that's another problem. If that is hacked and then all your passwords are revealed. So I don't use those apps usually.”–R3P10
"If the website actually shows SSL certificates on the website and then the URL I see actually it's a correct URL that I'm get directed to. Or if I enter it I'll see whether that is a correct URL. Also I will check whether the website's actually giving me the ability to log in to my account using a secure authentication method. Most likely is a username password.”–R3P7
"Okay the first thing I've done is just check the URL and it's dot com dot au. So I don't actually bank with the [DH], but I will assume, as I really do, so that I know that that is the genuine URL. So that gives me confidence around the QR code.”–R3P3
"A notification, at the moment, I wouldn't be touching a text on my phone from any bank just because of the data breach.”–R3P6
"I mean, you look at all the scams that are happening. You keep on getting constant text messages, random phone calls… How did they get my number? I didn't give them permission to have my number. So they've clearly gotten it from somewhere or the other. And I've questioned that because I have concerns only Optus, you know, my service provider, Optus has my number and other places I've shared it. Then it gets me to question where did I share it? How did these scammers get access to my number?”–R3P4
8. The Term “Decoupled” Was Not Widely Recognised, Though Participants Were Familiar With The Method
The term "Decoupled” authentication was not widely recognised among participants, although they were familiar with the method and had used it before when prompted. While most consumer participants had not heard of the term "decoupled," they recognised the process once it was explained to them. Participants who were not familiar with the term said they had used the method frequently in the past or currently used a form of it.
"Okay. There's a term I'm not actually that aware of. I'm assuming decoupled means it's across two channels that aren't connected. So yes, I do it all the time.”–R3P3
"Yeah. Look, my, I'm with [Bank], I'm using three different banks and [Bank] does that, they basically sent an a message through the app. They'll send a text that you have a message. So I have to sign, log onto my app to get the message, the code.”–R3P1
"Decoupled, is… I don’t know that word?” “Oh cool. I've definitely used that before.”–R3P2
" have not heard of that term, no.” “Yes, I have that set up. My university uses that.”–R3P8
“Mmm, I think I've done this once, but it wasn't really common. Usually I'm on my mobile phone when I sign in somewhere and then it's sending me an email, authentication link I have to take, message or call to my phone number and it's mostly done on one device. I think I have done this once and I couldn't do it for my phone where I was initially signing in.”–R3P10
"I'm not sure what a decoupled authentication method means… I suppose I've logged in on a computer and so to Google or whatever and my phone will ring or something will come up on my phone and oh, I dunno, it says like, you can authenticate by using clicking yes. On your phone. So I assume that's the sort of scenario you are talking about.”–R3P5
Research Outputs
Global Performance: Radial Graph
Global Performance is a measure developed by the research team to define success for various authentication models, made up of five separate measures:
- Recall & input
- Familiarity & completion
- Comfort & control
- Purpose & outcome
- Expectations
Each of these five measures consists of 3 different metrics (as demonstrated in the ‘Measures & Metrics in detail’ table) collected throughout the research and then collated to determine a quantifiable outcome for each measure. These 5 measures are then reflected on a five-point radial graph, demonstrating the global performance for the respective authentication model.
Recall &/input | Familiarity & completion | Comfort & control | Purpose & outcome | Expectations |
Information a user needs to recall | Familiarity | User feeling in control | Benefit awareness | User security expectations |
Users’ perception of length of time | Brand influence | Awareness of next step | Sensitivity of value proposition | Perceived security |
Number of user inputs | Current authentication models | Trustworthiness | Level of positive-friction | Sector |
- Information a user needs to recall: how much information is a user required to recall to successfully authenticate themselves (eg. Customer ID, lengthy and complicated passwords)
- Users perception of length of time: how long did the user perceive the length of time it took them to authenticate, and, did they find it appropriate
- Number of user inputs: how many fields were users required to successfully input throughout the authentication process
- Familiarity: how familiar a user is with a specific authentication model, and, do/have they used it frequently
- Brand influence: is user trust influenced by the brand they are authenticating with (eg. do they place more trust in a Big 4 bank than they do a smaller player)
- Current authentication models: what model/s does the user currently use
- User feeling in control: what element/s of the authentication method gives the user the feeling of being in control
- Awareness of next step: could the user accurately anticipate what would happen at each step based on the information provided to them in the flow
- Trustworthiness: how trustworthy did the user find the authentication method
- Benefit awareness: was the user aware of the benefit of the authentication method in conjunction with the use case in which it was applied
- Sensitivity of value proposition: was the user influenced by the value proposition (e.g. did they feel more likely or less likely to authenticate with the method due to the value they derived)
- Level of positive-friction: did the user feel the authentication method was easy enough for them to complete and hard enough for someone else who was wrongfully trying to access their data
- User security expectations: how did the authentication method meet or exceed the user’s expectation of security, if not, why did it fail
- Perceived security: how secure did the user perceive the security of the authentication model and what elements contributed to this perception
- Sector: was the user influenced by the sector in which the use case occurred (e.g was the user more or less trusting of a specific authentication model when accessing banking data vs energy data)
Decoupled
Decoupled metrics and measures outcomes. A score above 4 is considered excellent, above 3.75 is considered very good, a score below 3.25 is considered poor and below 3 is bad.
Measures and metrics | Score |
Recall & input | 3.76 (score for measure) |
Information a user needs to recall | 4.14 (score for metric) |
Users perception of length | 3.02 (score for metric) |
Number of user inputs | 4.12 (score for metric) |
Familiarity & completion | 3.25 (score for measure) |
Familiarity | 3.06 (score for metric) |
Brand influence | 3.22 (score for metric) |
Current authentication models | 3.47 (score for metric) |
Comfort & control | 3.52 (score for measure) |
User feeling in control | 3.33 (score for metric) |
Awareness of next step | 4.29 (score for metric) |
Trustworthiness | 2.94 (score for metric) |
Purpose & outcome | 3.36 (score for measure) |
Benefit awareness | 3.33 (score for metric) |
Sensitivity of value prop | 3.54 (score for metric) |
Level of positive-friction | 3.22 (score for metric) |
Expectations | 3.60 (score for measure) |
User security expectations | 3.55 (score for metric) |
Perceived security | 3.56 (score for metric) |
Sector | 3.69 (score for metric) |
Decoupled Global Performance for Moderated vs. Unmoderated outcomes, and combined
Decoupled | Moderated | Unmoderated | Combined |
Recall & input | 3.88 | 3.63 | 3.75 |
Familiarity & completion | 3.52 | 2.98 | 3.25 |
Comfort & control | 3.48 | 3.56 | 3.52 |
Purpose & outcome | 3.39 | 3.33 | 3.36 |
Expectations | 3.62 | 3.58 | 3.60 |
Recall & Input (3.75)
Overall, most participants agreed that there was an appropriate or minimal amount of information required to be recalled.
Moderated outcomes
- 7 out of 10 users agreed or strongly agreed that there was an appropriate amount of information they needed to recall to complete the login process for either prototype.
- Most respondents indicated that they did not need to recall much or anything at all to complete the login process for either prototype.
“I didn't feel that I had to recall anything actually.”–R3P5
“Nearly nothing.”–R3P2
Unmoderated outcomes
- More than half of participants tested agreed they felt there was an appropriate amount of information needed to be recalled to complete the log in process. One third said they neither agreed nor disagreed.
Overall, it was a fairly even split between perceptions that the process was fast or it was time consuming, possibly due to the subjective nature of time.
Moderated outcomes
- 6/10 participants described the length of time it took them to authenticate as either 'Slightly time consuming' or 'Extremely time consuming' noting the requirement for two devices as time consuming and extra effort. Only 1 participant said it was 'very fast'.
“The needs of using different platforms to complete the process takes extra time and efforts.”–R3P7
“The provision of data access was quite speedy for both prototypes, though the addition of an extra device in the energy scenario added time that was unnecessary given I didn't have the app.”–R3P2
Unmoderated outcomes
- 18 of 30 participants said they found the time it took to authenticate as very or extremely fast.
“It was quite quick. However in real life I would NEVER use a QR code to access my provider. NEVER EVER.”–R3P22
“It was easy to follow and it was brief and to the point, no endless clicking this and that.”–R3P21
Overall, majority of participants felt that there were an appropriate number of fields required for them to fill in during the authentication flow.
Moderated outcomes
- All users agreed there was minimal amount of information required to enter
- 7 out of 10 users agreed or strongly agreed that there was an appropriate number of fields required to input during the process.
“Well really I hardly had to enter anything. I was, I mean like obviously it's a very seamless transfer of data from one system to another with not much work done on by me really.”–R3P5
“Barely anything. It was really easy.”–R3P3
Unmoderated outcomes
- 22 of 30 participants agreed that they felt there were an appropriate number of fields required to fill in during the authentication process.
Familiarity & Completion (3.25)
Overall, only 25% of participants agreed that they had frequently used the authentication method in the past.
Moderated outcomes
- Half of all participants disagreed or strongly disagreed that they'd frequently used this authentication method in the past. Only 2 agreed that they had used it.
- 9/10 participants were familiar with using decoupled methods of logging in before. Though many of them weren't familiar with the term 'decoupled', once prompted they were aware of the process.
“Yeah, I think so, because I suppose I've logged in on a computer and so to Google or whatever and my phone will ring or something will come up on my phone and oh, I dunno, it says like, you can authenticate by using clicking yes. On your phone. So I assume that's the sort of scenario you are talking about.”–R3P5
“Yeah, I've used it before.”–R3P7
Unmoderated outcomes
- Only 8 participants agreed that they had used this authentication method frequently in the past.
Overall, half of all participants tested agreed that they would feel the same way about the authentication process irrespective of how well known the brand was.
Moderated outcomes
- Half of all participants agreed that they would feel the same way about the authentication process irrespective of the brand they were engaging with.
Unmoderated outcomes
- Half of participants agreed they would feel the same way about the authentication process irrespective of the brand.
Overall, just under half of all users tested currently use a form of Decoupled authentication.
Moderated outcomes
- Half of all participants currently used some form of Decoupled authentication method when logging into the apps and platforms they access regularly.
Unmoderated outcomes
- 13 of 30 participants indicated they normally log into the apps and platforms they currently use with Decoupled authentication methods.
Comfort & Control (3.52)
Overall, just under half of all participants tested agreed that they felt in control of their data, privacy and account security throughout the authentication process.
Moderated outcomes
- Half of respondents agreed or strongly agreed that they felt in control of their data, privacy and account security throughout the authentication process. The other half disagreed or strongly disagreed.
“So if I'm, if you're saying in control, if the company actually providing more than one method of logins, so in such case I you can log in using your normal username and password or if you choose to Login using your social media account Yeah. The single sign on thing or if you choose to Login using a code from your apps.”–R3P7
Unmoderated outcomes
- 12 of 30 said they agreed that they felt in control of their data, privacy and account security throughout the authentication process. Another 12 said they neither agreed nor disagreed.
Overall, 90% of participants said it was very or extremely easy to understand the information presented throughout the log in process.
Moderated outcomes
- All respondents said it was very or extremely easy to understand the information presented throughout the log in process.
“Plain simple English. Clear instructions and explanations.”–R3P8
“It was all explained and I was able to access additional information on most steps.”–R3P10
Unmoderated outcomes
- Almost all respondents agreed or strongly agreed that they were aware of what to do at each step of the authentication process.
- Almost all participants said that it was very or extremely easy to understand the information presented throughout the log in process.
“Straightforward and easy to understand.”–R3P14
“Information was easy to comprehend.”–R3P40
Overall, just under a quarter of participants said that the authentication process was trustworthy.
Moderated outcomes
- Only 3 or 10 participants said they found the authentication process to be 'very trustworthy', the others said it was slightly or moderately trustworthy.
“I was happy to proceed, but had my sense of danger switched on. I was looking out for security issues more keenly than I usually do.”–R3P2
“Unclear if the QR code is safe to use.”–R3P7
“I don’t feel QR codes are secure enough”–R3P6
Unmoderated outcomes
- 21 out of 30 participants said the authentication process was moderately trustworthy. 6 said it was very or extremely trustworthy.
- The areas which did inspire trust included redirecting to a DH app the user already had installed on their device.
- The areas which didn’t inspire trust included using a QR code.
- The suggestions users made to improve the trustworthiness of the method.’
“I am comfortable using the QR code 90%. It was prompted and expected. I only give 90% because no online interaction is failsafe right? Look at Optus, Medibank and recently Latitude.”–R3P21
“I can't see what the QR code is doing or where it is going. Even before the recent rash of data breaches I did not trust giving third parties even limited access to my data and/or services especially banking data.”–R3P22
“The original QR codes used could have been generated by anyone on a bogus site. It requires personal attention and understanding to check for dinkum URLs.”–R3P26
“As stated previously, I am not familiar enough with the technology behind QR codes or how difficult it would be to dupe a QR code to have a high or very high level of trust in the technology.”–R3P38
“Bank app use.”–R3P14
“Linking back to my own applications.”–R3P17
“That I logged in directly in with the provider.”–R3P24
“Having to go through a random QR code.”–R3P17
”QR codes a bit sus. Why use a QR in lieu of a URL that is visible in the first instance, and thus allows one to worry or not?”–R3P26
“Accuracy of QR codes.”–R3P36
“Ditch the QR code. Let me login manually.”–R3P22
“Show URL the QR should go to.”–R3P26
“Possibly being able to complete the application form without use of the QR code, if there is such a possibility?”–R3P33
“Providing assurance where the link will go to?”–R3P36
“No QR codes.”–R3P39
Purpose & Outcome (3.36)
Overall, just over half of all participants tested saw benefit in authenticating with decoupled methods to allow access to their data, however, only a small percentage of participants found this log in method to be ‘pleasing’ when compared to their expectations or what they’d experienced in the past.
Moderated outcomes
- Only 2 out of 10 participants found this way of logging in to their providers app/website as ‘pleasing’, compared to what they’d expect or have experienced in the past.
- 6 of 10 respondents saw either slight or moderate benefit in authenticating with the methods tested. They cite convenience however are unsure of the security of the method and pain of switching devices.
“Inconvenient switching of devices.”–R3P6
“QR code is easier, but also takes two devices.”–R3P1
“I don't like QR codes. I can see use cases where this method is faster than other methods. I also don't think moving to my phone is beneficial if I don't have the apps for example.”–R3P2
“Not secure enough to inconvenience of switching devices.”–R3P6
Unmoderated outcomes
- Just over half of respondents found this way of logging into their providers app/website compared to their normal experience as pleasing or slightly pleasing.
- Just over half of respondents said they saw authenticating with the tested method to allow their data to be accessed as either very or extremely beneficial.
“Too much 'clever' is off putting. The most common denominator remains the web sites and they have traditional logins. Needing two devices is off putting especially when the phone service creates delays or fails. What about folks in the black spots?”–R3P26
“It is beneficial, but there are risks when it comes to data sharing... I am concerned about that aspect”–R3P12
“The time saved using this process.”–R3P21
Overall, just over half of all participants said they may use the log in process. To bolster user attitudes toward usage, participants would need a reputable company, more security features and information on the technology involved.
Moderated outcomes
- All users agreed they would expect the log in process to adapt depending on what they're trying to do (e.g. logging in to transfer a large sum of money vs logging in to check an account balance).
- Only 2 of 10 participants said they would definitely use the method of logging it if it was available, while 5 said they may use it.
“I would like to think that Banking is, no matter what I'm doing, that it's secure. Even checking a balance is, is as secure as transferring, I suppose probably transferring a large sum of money there, there are probably other levels, like it might be that you've gotta change, you know, what your maximum transfer amount is and stuff like that. So yeah, which I suppose actually means that there, there is additional levels of security.”–R3P5
“Yes. If it's going to be like carry out a transactions across to a different account, I'll expect to have a much secure Authentication.”–R3P7
“It depends on the organisations involved and how much I want to use the service.”–R3P3
“I will use it if I am left with no other options.”–R3P7
Unmoderated outcomes
- If this authentication method was available; 7 participants wouldn't use it and 18 may or would probably use it.
“It would depend on the scenario and the company.”–R3P29
“The process is highly efficient and would present a lot of time saving opportunities. I think there are enough security features included to alleviate any security/privacy concerns that I may have. However, saying that I would still like to personally know more about the technology and security features of QR codes themselves.”–R3P38
Overall, less than half of the participants tested agreed that the process was easy enough for them and hard enough for someone else to steal their data.
Moderated outcomes
- 4 of 10 participants said they agreed they felt the authentication process was easy enough for them, and hard enough for someone else to steal their data. 2 participants disagreed.
Unmoderated outcomes
- 12 of 30 participants agreed that the authentication process was easy enough for them, and hard enough for someone else to steal their data. 14 said they neither agreed or disagreed.
Expectations (3.60)
Overall, just over half of all participants agreed that the authentication method met their expectations of security.
Moderated outcomes
- Half of participants felt that authenticating with the tested method met their expectations of security.
Unmoderated outcomes
- 17 of 30 participants agreed or strongly agreed that the authentication method met their expectations of security.
Overall, only very few participants saw authenticating with this method to carry no risk at all. Majority agreed that the method was moderately risky.
Moderated outcomes
- 2 of 10 participants said they saw ‘no risk at all’; when authenticating with this method to allow their data to be accessed, while the rest said it was moderately risky.
“I can see QR codes being tampered with to allow malware/ransomware, I can see redirection to insecure websites to enter details, I can see bad actors piping up to misuse these methods to trick people who are less security minded into sharing authentication data …”–R3P2
“If you're not careful about checking the URL, you could be fooled into using your credentials on a spoof site.”–R3P3
“Recent data breaches and fake QR code scams would make me somewhat weary.”–R3P8
Unmoderated outcomes
- Half of all respondents tested believed there to be only a slight risk in authenticating with the tested method, whereas a quarter saw it as moderately risky.
“DO not trust the QR codes. Do not trust third parties (hello data breaches).”–R3P22
“Still can be given a fake QR code or as such so a bit risky if the third party is untrustworthy or is hacked.”–R3P27
“QR codes are not trustworthy to me.”–R3P17
Overall, just under two thirds of participants agreed that they felt the authentication method was appropriate for the type of data they were accessing.
Moderated outcomes
- All users agreed they would expect the log in process to adapt depending on what they're trying to do (e.g. accessing banking data vs accessing electricity usage data).
- Half of participants felt the authentication method was appropriate for the type of data they were accessing.
“Look, I think I would, I wouldn't mind if every time I log in it, it is a two step process for a bank compared to a utility company where we just checking our, you say bill or paying a bill.”–R3P1
“Oh, just again, it's assessing what the risk is, assessing the value of the data.”–R3P3
“Of course Banking data's information are much more sensitive than the electricity account.”–R3P7
Unmoderated outcomes
- 19 participants agreed that they felt the authentication method was appropriate for the type of data they were accessing.
Consumer Behavioural Archetypes
Each Archetype has specific needs for how authenticating to share CDR data should work in order for them to trust and understand it.
➊ Sceptics (36% of participants) are less trusting of organisations and/or technology. They generally value control, and are averse to sharing data based on experience with current practices.
➋ Assurance Seekers (51% of participants) want to read additional information. They generally value familiarity and external reference/support, and are apprehensive to new experiences.
➌ Sensemakers (13% of participants) need to understand how the process works. They generally value details, and can trust the process if given enough valuable information.
➍ Enthusiasts (0% of participants) are excited to get the benefits of authenticating to share CDR data. They generally value simple experiences once trust is established.
System Usability Scale
The overall SUS (System Usability Scale) score for Decoupled authentication with QR code was 74.29, which is considered ‘good’ but not great – anything above 80.3 is well-performing. The coloured markers depicted in the graph above correspond to the Consumer Behaviour Archetypes (Sceptics, Assurance seekers, Sense makers, Enthusiasts) as described to the left of the graph. The raw SUS scores were widely distributed for this round of research. When reviewing the SUS scores against the Consumer Behaviour Archetypes, researchers observed a trend: most of the Sceptics consistently scored lower in SUS compared to other archetypes; thus characterising their consumer archetype. Generally speaking, Sense Makers recorded higher scores, while Assurance Seekers had mixed results. Out of all consumer participants, 38% rated their experience as ‘excellent’, 31% as ‘good’, 15% as ‘okay’ and other 15% as ‘poor’ or ‘very poor’.
The System Usability Scale (SUS) is a Likert scale of 10 questions that users answer. Participants rank each question from 1 to 5 based on how much they agree with the statement they are reading. 5 means they agree completely, 1 means they disagree vehemently. SUS questions alternate between positive and negative statements, which is on purpose so respondents can’t arbitrarily agree to them all. Once data is collected and synthesised, a score can range from 0 to 100, however it isn’t a percentage. The average SUS score is 68, so while that may indicate 68% of the total maximum score, it’s actually more appropriate to call it 50%.
- 80.3 or higher is well-performing and bodes well
- 68 or thereabouts is average and needs some work to improve
- 51 or under is a problem and needs addressing
SUS is not used as a diagnostic and will not highlight any specific problems with a flow however it will give an indication of how usable a product is. In our case, SUS has been used to assess how usable a method is. Read more about SUS
Opportunities
The research found that consumer participants were not entirely comfortable with the use of QR codes for authentication, with concerns around their safety and the need for more instructions on the process. The method could be supported by the CDR with the following constraints in order to meet user expectations of comfort, control and trust:
- Only switch devices if an app is available: Implementing a step within the Consent Flow for users to input whether they have access to their DH app may mitigate the unnecessary routing to a mobile and allow users to continue the journey solely on their desktop. As participants were found to prefer not switching devices unless it was to authenticate in an existing, downloaded DH app they had established trust with. Participants would prefer an option to continue the authentication process on their desktop if they did not have access to the DH’s app on their device.
- Provide contextual information on the QR code and process: It is important that more contextual information is shared by DHs on how QR codes work and where they will be taken before scanning the QR code. This could help increase user confidence and comprehension and provide a greater sense of comfort and control. Participant suggestions included displaying URL link for users to match to that in their browser, an alternative to QR codes such as a code to enter into their DH app, or a URL link to manually copy and paste into their mobile browser. Participants wanted to know where they were going and the signs to look out for to ensure the redirect was legitimate and secure.
- Remedy concerns regarding the safety of QR codes: More information should be provided from the Data Holder to inform the user of the security and safety measures associated with QR code usage, and to explain the mechanisms which facilitate communication between the ADR and DH. While authenticating after using a QR code is quick, easy, and intuitive, it does not counter the participant perception of poor security. Therefore, it is important to address these concerns and provide users with the necessary information to improve their trust and satisfaction in the process.
- The model may be successfully adopted as part of Step-up Authentication: The research further supports implementing Step-up Authentication to improve user perceptions of security and trust and match mental models. This could be implemented across the Consumer Data Right irrespective of sector, and go far in meeting and exceeding user perceptions of security and trust.
The study concludes with this third round of research. The research team will now focus on preparing a report on the outcomes and compare the findings across the three models tested along with a recommendation for consultation. Overall, this Authentication Uplift research has provided many valuable insights into participant perceptions of various authentication methods and how they may be improved to provide informed, intuitive and trustworthy consent experiences.
Quick links to CX Guidelines: