This report contains findings and recommendations based on Round 1 of CX research that was conducted on the ‘Redirect with One Time Password’ (OTP) in September of 2022 as part of the Authentication Uplift project. The purpose of the research is to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective is to give consumers more choice and freedom when authenticating themselves with data holders, while maintaining financial grade security.

Twenty-two consumers participated in the research in total; ten consumers participated in 1:1 interview sessions which ran for 90 minutes each and twelve consumers participated in unmoderated prototype testing. Prototypes of the Redirect with One Time Password flow were used to facilitate discussion and generate insights in relation to authentication more generally.

This project relates to NP280 which is open for consultation from 14 December 2022 to 27 January 2023.

The authentication stage is the second step in The Consent Model and involves a consumer verifying who they are with their Data Holder (DH). This step is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.

Authentication in the CDR regime is limited to a single consistent, authentication model, referred to as the 'Redirect with One Time Password' flow. No other flows are currently supported. ‘Redirect with One Time Password’ was previously tested in June 2019 against two models; ‘Redirect to Known’ and ‘Decoupled’, and was found to be the preferred authentication model by research participants. The outcomes can be accessed in Phase 2 Stream 3 report.

This research has been informed by the following:

The research found OTP to be a generally well-performing authentication method. Consumers are typically familiar with the verification requirements having regularly used the OTP model in various contexts, with banking platforms specifically matching their mental models. Consistent exposure to this method means users across the board are confident with the flow and aware of what to do at each step, making it a fast and easy process to complete. OTP offers a level of convenience to users by removing the need to recall lengthy and complex passwords, and (in some instances) quickly auto-fills passwords from SMS text messages. From a security perspective, users appreciate the OTP expiration window and prefer entering a one time password in place of their actual password; subsequently reducing drop-off rates.

While OTP is satisfactory for most use cases, there are several areas where the current process could be improved. Customer ID is potentially problematic, with only half of all participants interviewed able to recall their banking Customer ID number off the top of their head; the other half find their banking Customer ID either by entering the relevant banking app with biometrics to find it, or store it on their device in the notes or contacts app. The practice of storing a Customer ID on a device brings rise to concerns around security and the ease in which OTP can be breeched if your device falls into the wrong hands, many participants having experienced theft or loss of their mobile phones. The research found giving consumers extra security features, such as options for multi-factor authentication and automatic log-out, can contribute to feelings of being in control. The inclusion of educational elements, for instance explaining how a DH triggers an SMS, can be beneficial for those with lower levels of digital literacy. An improvement to consumer experience could see App-to-App included as a supported authentication model; striking a balance between convenience and security, as it’s perceived by users to be more trustworthy than redirect or browser-based methods.

One Time Password is a sufficient authentication model and could offer better consumer experience with some minor improvements, however, there are several shortcomings which could be addressed with the introduction of other models. Across the board, OTP did not match user expectations contextually; as most participants were familiar with the model as a second factor of authentication and did not perceive it as strong enough when used as a primary, stand alone model. Implementing OTP as a step-up, secondary form of verification when used in conjunction with a gold standard primary authentication method could go far in exceeding user perceptions of security and trust. Step-up authentication requires additional levels of authentication to adapt as the risk profile and sensitivity of the action increases, and could be implemented across the Consumer Data Right, irrespective of sector. We explore early stage recommendations in the summary section of this report.

The following artefacts have been produced following the research and represent our findings. Each artefact is explored in further detail in the Research Outputs section of this report.

Global Performance

Consumer Behavioural Archetypes

System Usability Scale (SUS)

Fogg Behaviour Model

This research project aimed to:

Hypotheses 1-4 were largely validated by the research. Hypothesis #5 remains to be validated by further research and investigation.

The following 4 major components of authentication were explored:

Combination of elements tested in Round 1

The use case tested involved a consumer going through a fictional phone app flow to get an indicative interest rate for a car loan. The participant was told they bank with a real-world DH.

Data is being collected throughout various points in the research. We are running both moderated and unmoderated testing sessions, both feeding in to the final outputs. Moderated testing sessions involve a moderator to be present to guide the participants through tasks. Unmoderated tests do not involve moderators and as such participants run through the test independently as they would in a natural environment.

Moderated sessions: 1-on-1 interviews

Unmoderated sessions: Maze Online platform

Research findings and insights include key observations and themes identified during moderated research sessions, supported by participant quotes. Some findings may go beyond the scope of the research topic, but have been included for completeness. Recommendations to uplift the CX may also be included – though this has not been the focus for the research team – as the goal is to identify appropriate authentication models for the CDR.

The research found the principle of friction to be multifaceted, with factors manifesting in various ways. The first, unsurprisingly, is that friction can be viewed by participants as negatively or positively impacting on an authentication experience, i.e. there are ‘healthy’ or ‘unhealthy’ levels of friction in a given flow. Furthermore, the research revealed friction can occur both online and offline for users.

Many participants in particular raised frustrations around one-time passwords interrupting their workflow when having to search for devices (mobile phones, DigiPasses) in order to receive their one time codes. In more complex scenarios, several participants shared details around having lost access to previous mobile numbers (either through theft, loss, moving/travelling overseas, or simply updating numbers) and the challenges this presented when accessing platforms which require one time passwords delivered to mobile numbers.

One may hypothesise that higher levels of friction create more frustrating experiences for users, however the research does not support this. On the contrary, many research participants expressed discomfort in regard to the speed and few required steps in which they were able to authenticate when granting access to financial data; they believed more steps involved in authentication processes offered higher barriers to entry and subsequently improved security. So while participants experienced some frustrations when accessing devices to receive one time passwords, they generally appreciated lengthier processes when accessing sensitive data. This highlights the importance of assessing context when determining appropriate authentication models.

The research found participant perceptions and expectations of security in authentication models extends beyond the steps involved in ‘logging on’. While participants rely heavily on visual cues (covered in insight #4 “Users rely on visual trust markers”), customisation options and additional security features beyond the initial ‘log in’ impact their perceptions of security throughout the entirety of a given use case flow.

Participants expressed preferences for authentication customisation; having the ability to control how they access a given platform with authentication methods that suit them and the option for additional factors. Participants will use multi-factor authentication when it’s available, if they feel it’s appropriate for the platform. Many users enjoyed the convenience single login to access multiple services (such as MyGov account) offered, however also expressed concerns if this single login is compromised, it’ll also compromise all services linked to that one login. This insight brings forth the design challenge to create an authentication experience which walks the line between convenience and security.

Surprisingly, participants also noted automatic log out as a feature which made them feel in control, as they didn’t need to remember to do this themselves.

We found significant differences among the generations in feelings of comfort as well as in the level of perceived security. An unsurprising insight when considering younger generations are generally considered to be more digitally literate than older generations. In particular these differences were also observed when looking at use-case benefit vs reward.

Typically, older generations did not see the benefit in the use case (a fictional app to get an indicative interest rate for a car loan) and expressed preferences to; speak to someone on the phone; visit a brick and mortar store; or submit a paper-trail application via post. Participants in younger demographics were more likely to see the benefit in the use case, and noted their preference to complete tasks online or unassisted (such as using self-service checkout at the supermarket) instead of having to go into a branch or speak to someone.

Participants in older generations notably also felt the authentication process was too fast and did not have enough steps, making them feel uneasy in regard to sharing their banking data. It may seem those in older generations may sit at two ends of the spectrum, with some hyper-aware of risks online and others blissfully unaware. Those in the former group were more likely to assess the trustworthiness in a flow on the visual cues and noted their habits online involve checking URLs (correct addresses and ‘HTTPS’ connections), padlock icons, an ensuring websites match their visual expectations (colours, typography), however these practises are not unique to older generations and were evident across all generations interviewed.

The research found users across all age demographics heavily relied upon visual cues and markers to determine whether they could trust and feel comfortable using a platform, with many citing the presence of certain visual features paramount to whether they would proceed using a digital product.

While we do not believe this list is exhaustive, the following visual trust markers appeared repetitively in the research and go far in denoting to users whether a site or platform is trustworthy, secure and legitimate. They are as follows:

As these trust markers are all visual, further research could be undertaken to better understand how those with accessibility needs assess trustworthiness.

Almost all participants were familiar with using One Time Password to authenticate, with many expressing thoughts in regard to the expiration window and delivery to a registered phone number as positive security measures. Users also preferred using a one time password in the context of the use case (consenting to sharing banking data) as they perceived it as less risky than having to enter their actual banking password and the single-use nature of the OTP adds assurance. Many participants shared they would not complete the flow if it required their real password, no matter how much they trusted their data holder.

Interestingly, the consensus from users is that one time password is seen as ‘an added layer’ or ‘extra step’ of security. Users certainly trust and feel comfortable using this form of verification, however they do not perceive it as the primary method of authenticating.

By and large, participants inherently placed more trust in larger and more established brands. This view is held in particular to government bodies and banking sectors because of the rigid compliance requirements prevalent in these industries. This shared sentiment is based on an assumption that larger corporations have the financial means and professional resource to follow best practices, won’t on-sell their data, and are subsequently less likely to fall victim to hacking or breaches. There is also an element of reputational risk which participants believe leads established businesses to act within the best interests of customers data.

Despite the fact users placed more trust in established brands, they also have higher expectations of how brands use and store their data. They expect financial institutions and government to treat customer data as securely as possible, remain up to date with cybersecurity best practice to prevent hacking, direct adequate funding to build strong back-end systems and hire talented teams, and never share their data with third parties. When it came to other platforms (such as social media sites) participants were more accepting and had lower expectations in their security protocol and data treatment, were aware their information was being monetised, and subsequently less likely to share important data about themselves.

Participants generally had a firm understanding of the requirements of multifactor authentication, and the friction, or “extra layers”, present were considered positive, many participants typically using one time password as a secondary factor (as covered in insight #5 OTP is known (and trusted) as a second factor) in particular within banking apps.

When considering multifactor authentication in the context of sectors, it was evident in the research that most participants expected authentication to adapt and become more rigorous as the sensitivity of their data increased, as this is what occurs in their present digital experiences and matches their mental models. Users classified their personal, health and banking data as sensitive information. While not all participants shared the view that authentication should adapt, it was not because they thought less-sensitive data (such as energy data) required less stringent authentication methods. Rather, these participants believe all data to be sensitive; citing fears around the potential for hackers to piece together granular information from several data points into a much larger, detailed view of their information.

This finding further supports the recommendation for a gold standard of authentication to be implemented across the Consumer Data Right, irrespective of sector, to meet consumer expectations of security.

Global Performance is a measure developed by the research team to define success for various authentication models, made up of five separate measures:

Each of these five measures consist of 3 different metrics (as demonstrated in the ‘Measures & Metrics in detail’ table) collected throughout the research and then collated to determine a quantifiable outcome for each measure. These 5 measures are then reflected on a five-point radial graph, demonstrating the global performance for the respective authentication model.

The initial radial graph will showcase the global performance for One Time Password authentication method, and act as a benchmark for subsequent models.

Redirect with One Time Password metrics and measures outcomes. A score above 4 is considered excellent, above 3.75 is considered very good, a score below 3.25 is considered poor and below 3 is bad.

The research found One Time Password to be a generally well-performing authentication method. Consumers are typically familiar with the verification requirements having regularly used the OTP model in various contexts; banking platforms specifically matching their mental models. Consistent exposure to this method means users across the board are confident with the flow and aware of what to do at each step, making it a fast and easy process to complete. OTP offers a level of convenience to users by removing the need to recall lengthy and complex passwords, and quickly auto-fills passwords from SMS text messages on some newer devices. From a security perspective, users appreciate the OTP expiration window and prefer entering a one time password in place of their actual password; subsequently reducing drop-off rates.

Each Archetype has specific needs for how authenticating to share CDR data should work in order for them to trust and understand it.

➊ Sceptics are less trusting of organisations and/or technology. They generally value control, and are adverse to sharing data based on experience with current practices.

➋ Assurance Seekers want to read additional information. They generally value familiarity and external reference/support, and are apprehensive to new experiences.

➌ Sensemakers need to understand how the process works. They generally value details, and can trust the process if given enough valuable information.

➍ Enthusiasts are excited to get the benefits of authenticating to share CDR data. They generally value simple experiences once trust is established.

The raw SUS score was evenly distributed for Redirect with One Time Password. The overall SUS score of 82.5 is considered very high. The coloured markers correspond to the Consumer Behaviour Archetypes as described above.

All research participants have been categorised into archetypes based on their behaviours, and then mapped using the Fogg Model Diagram above. The coloured markers correspond as described in the Consumer Behaviour Archetypes section.

The Fogg Behaviour Model (FBM) compares consumer ability to complete authenticating to share CDR data against their motivation to do so in this context. Based on the chart, for most participants, the desired behaviour (progressing with the login using OTP) will happen when prompted (presented with OTP to continue). Surprisingly, some participants lacked both the ability and motivation to continue with OTP when prompted by the option to do so. This can be inferred in the diagram above by those who fall under the red ‘Action line’. Those who fall below the Action line are not likely to have the desired behaviour when prompted, while those who fall above it are more likely to act when prompted. Almost all Sense Makers (yellow) fall above the action line, there is only 1 that is just below the action line. For the Assurance Seekers (orange) who fell below the action line, there is potential for them to move above the threshold by increasing their ability, this can be achieved by simplifying the flow, for example.

Action line Considerations

Note that the Action line is indicative of the likelihood of a behaviour to happen when prompted in this context, but Fogg does not offer a hard and fast formula to plot it's exact location.

Redirect with One Time Password is satisfactory for most use cases, however there are several areas where the current process and consumer experience could be uplifted, such as:

One Time Password is a sufficient authentication model and could offer better consumer experience with some minor improvements, however, there are several shortcomings which could be addressed with the introduction of other models.

These changes could go far in exceeding user perceptions of security and trust across the Consumer Data Right. Further research is being undertaken to determine other models to support.