- Executive Summary
- Consultation
- Context
- Findings
- Research artefacts at a glance
- Project goals
- Research Objectives
- Hypothesis
- Research Approach
- Use case
- Methodology
- Research Findings & Insights
- 1. Friction is multifaceted
- 2. Secure authentication goes beyond just logging in
- 3. Authentication through a generational lens
- 4. Users rely on visual trust markers
- 5. OTP is known (and trusted) as a second factor
- 6. Users trust established brands, but expect more from them
- 7. Users perceive multi-factor adaptive authentication as the norm
- Research Outputs
- Global Performance: Radial Graph
- Redirect with One Time Password
- Recall & Input (4.01)
- Familiarity & Completion (3.56)
- Comfort & Control (3.53)
- Purpose & Outcome (3.53)
- Expectations (3.68)
- Consumer Behavioural Archetypes
- System Usability Scale
- Fogg Behaviour Model
- Summary
Executive Summary
This report contains findings and recommendations based on Round 1 of CX research that was conducted on the ‘Redirect with One Time Password’ (OTP) in September of 2022 as part of the Authentication Uplift project. The purpose of the research is to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective is to give consumers more choice and freedom when authenticating themselves with data holders, while maintaining financial grade security.
Twenty-two consumers participated in the research in total; ten consumers participated in 1:1 interview sessions which ran for 90 minutes each and twelve consumers participated in unmoderated prototype testing. Prototypes of the Redirect with One Time Password flow were used to facilitate discussion and generate insights in relation to authentication more generally.
Consultation
This project relates to NP280 which is open for consultation from 14 December 2022 to 27 January 2023.
Context
The authentication stage is the second step in The Consent Model and involves a consumer verifying who they are with their Data Holder (DH). This step is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.
Authentication in the CDR regime is currently limited to a single, consistent authentication model, referred to as the ‘Redirect with One Time Password’ flow. No other flows are currently supported. ‘Redirect with One Time Password’ was previously tested in June 2019 against two other models, ‘Redirect to Known’ and ‘Decoupled’, and was found to be the authentication model preferred by research participants. The outcomes can be accessed in the Phase 2 Stream 3 report.
This research has been informed by the following:
- In December 2021, the Government noted support for the Inquiry into Future Directions for the CDR’s recommendation to review the approach to authentication. The Inquiry stated that ‘the convenience and consumer experience of different authentication mechanisms should be considered’ when assessing how to expand CDR authentication support.
- The Independent Information Security Review published in July 2022 separately highlighted that the current approach to CDR authentication does not meet minimum security requirements, and adjustments are warranted.
- The CDR community have also requested changes to the current CDR authentication model, which the DSB is considering as part of this work (see CR405, CR554 and CR542).
- Decision 182 – Information Security Uplift for Write (aka action initiation): this consultation sought community input on how the information security profile might evolve to explicitly support write operations.
Findings
The research found OTP to be a generally well-performing authentication method. Consumers are typically familiar with the verification requirements, having regularly used the OTP model in various contexts, with banking platforms in particular matching their mental models. Consistent exposure to this method means users across the board are confident with the flow and aware of what to do at each step, making it a fast and easy process to complete. OTP offers a level of convenience by removing the need to recall lengthy and complex passwords and, in some instances, by auto-filling the one-time code from the SMS text message. From a security perspective, users appreciate the OTP expiration window and prefer entering a one time password in place of their actual password, which in turn reduces drop-off rates.
While OTP is satisfactory for most use cases, there are several areas where the current process could be improved. Customer ID is potentially problematic: only half of the participants interviewed were able to recall their banking Customer ID off the top of their head; the other half either open the relevant banking app with biometrics to look it up, or store it on their device in the notes or contacts app. Storing a Customer ID on the device raises concerns about security and the ease with which the OTP flow can be breached if the device falls into the wrong hands, since the identifier and the OTP delivery channel then sit on the same device; many participants had experienced theft or loss of their mobile phone. The research found that giving consumers extra security features, such as options for multi-factor authentication and automatic log-out, can contribute to feelings of being in control. The inclusion of educational elements, for instance explaining how a DH triggers an SMS, can benefit those with lower levels of digital literacy. Consumer experience could also be improved by adding App-to-App as a supported authentication model; it strikes a balance between convenience and security, as users perceive it to be more trustworthy than redirect or browser-based methods.
One Time Password is a sufficient authentication model and could offer a better consumer experience with some minor improvements; however, there are several shortcomings which could be addressed with the introduction of other models. Across the board, OTP did not match user expectations contextually: most participants were familiar with the model as a second factor of authentication and did not perceive it as strong enough when used as a primary, stand-alone model. Implementing OTP as a step-up, secondary form of verification in conjunction with a gold-standard primary authentication method could go far in exceeding user perceptions of security and trust. Step-up authentication requires additional levels of authentication as the risk profile and the sensitivity of the action increase, and could be implemented across the Consumer Data Right, irrespective of sector. We explore early-stage recommendations in the summary section of this report.
Research artefacts at a glance
The following artefacts have been produced following the research and represent our findings. Each artefact is explored in further detail in the Research Outputs section of this report.
- Global Performance
- Consumer Behavioural Archetypes
- System Usability Scale (SUS)
- Fogg Behaviour Model
Project goals
This research project aimed to:
- Identify appropriate authentication models to support in the CDR;
- Provide CX input to the authentication framework to assess incoming/supported models;
- Strike a balance between security, consumer experience and value delivery;
- Help organisations provide intuitive, informed, trustworthy consent experiences with positive outcomes.
Research Objectives
- Understand current consumer behaviours, pain points and needs regarding authentication
- Identify appropriate consumer experience criteria and metrics to assess authentication models
- Inform the development and proposal of new standards, and/or the revision of existing standards
- Identify appropriate models to be considered for adoption that are interoperable, flexible and adaptable
- Uplift authentication standards to offer improved experience, choice, convenience, inclusivity and security as well as alignment to consumers' existing digital experiences
- Understand how consumer behaviour/attitude may shift for different use cases (e.g. banking vs energy) using the same authentication method
- Explore the impacts of different elements and mechanisms
Hypothesis
- Authenticating without needing to recall or manually enter information is preferred by users
- A familiar authentication method is perceived as more intuitive and will increase the likelihood of task completion
- If a user is informed of the next steps and contextual requirements of an authentication flow, then they will feel more comfortable and in control
- Informed user authentication can be supported by stating the purpose and outcome of the authentication. ("Why and what for?")
- The model meets or exceeds the user's expectations of friction, security and experience
Hypotheses 1-4 were largely validated by the research. Hypothesis #5 remains to be validated by further research and investigation.
Research Approach
The following four major components of authentication were explored:
- Channel: This is the channel where authentication is performed. For example: mobile, desktop, kiosk etc.
- Modality: Modalities are the inputs used for authentication. For example: Biometric, Pin code etc.
- Authentication method: This is the method by which an authentication is performed. Of the many authentication factors, these three are the most widely recognised:
  - Knowledge based: Something the user knows, such as a password or the answer to a security question
  - Inherence based: Something that the user is, as represented by a fingerprint or iris scan
  - Possession based: Something the user possesses, such as a one-time password generator, certificate, or smart card
- Notification method: This is the different ways a user is alerted about the authentication requirement. For example: Push notification, Email notification etc.
Combination of elements tested in Round 1

| Channel | Modality | Notification method | Authentication method | Elements of authentication |
| --- | --- | --- | --- | --- |
| App to browser | One time password | SMS | Possession based | Something the user knows (Customer ID); something the user has (phone/OTP) |
Use case
The use case tested involved a consumer going through a fictional phone app flow to get an indicative interest rate for a car loan. The participant was told they bank with a real-world DH.
Methodology
Data was collected at various points in the research. We ran both moderated and unmoderated testing sessions, both feeding into the final outputs. Moderated testing sessions require a moderator to be present to guide the participants through tasks. Unmoderated tests do not involve a moderator, so participants run through the test independently, as they would in a natural environment.
Moderated sessions: 1-on-1 interviews
- Number of participants: 10
- Activities: Screener, Interview, Prototype test, In-depth interview, Post-task Survey
- Duration: 1.5 hours
Unmoderated sessions: Maze Online platform
- Number of participants: 12
- Activities: Screener, Prototype test, Post-task Survey
- Duration: ~30 minutes
We aim to reduce our bias by engaging with a diverse and broad audience reflective of the Australian population.
Proposed requirements:
- Mix of age, gender, location
- Explicitly aim to include people with non-English speaking backgrounds
- Explicitly aim to include people with a range of accessibility needs
- Mix of digital, financial, and data literacies and experiences
- Mix of consumer adoption types
Other details:
- Prioritise participants with experiences related to use case, e.g. insurance and/or loan products
- 50% of participants from previous sessions, i.e. prior experience with CDR
For the hypothesis expectations to be effectively met, we assume that the user:
- Owns a smart phone
- Has their DH’s authenticator app installed and has previously logged in
Research Findings & Insights
Research findings and insights include key observations and themes identified during moderated research sessions, supported by participant quotes. Some findings may go beyond the scope of the research topic, but have been included for completeness. Recommendations to uplift the CX may also be included – though this has not been the focus for the research team – as the goal is to identify appropriate authentication models for the CDR.
1. Friction is multifaceted
The research found friction to be multifaceted, manifesting in various ways. The first, unsurprisingly, is that participants can view friction as either negatively or positively impacting an authentication experience, i.e. there are ‘healthy’ and ‘unhealthy’ levels of friction in a given flow. Furthermore, the research revealed that friction can occur both online and offline.
Many participants in particular raised frustrations around one-time passwords interrupting their workflow when having to search for devices (mobile phones, DigiPasses) in order to receive their one time codes. In more complex scenarios, several participants shared details around having lost access to previous mobile numbers (either through theft, loss, moving/travelling overseas, or simply updating numbers) and the challenges this presented when accessing platforms which require one time passwords delivered to mobile numbers.
One might hypothesise that higher levels of friction create more frustrating experiences, but the research does not support this. On the contrary, many participants expressed discomfort at the speed and the small number of steps required to authenticate when granting access to financial data; they believed that more steps in an authentication process raise the barrier to entry and therefore improve security. So while participants experienced some frustration when retrieving devices to receive one time passwords, they generally appreciated lengthier processes when accessing sensitive data. This highlights the importance of assessing context when determining appropriate authentication models.
“I do like that they’re convenient. What I don't like is if it's being sent to a device or something that I don't have handy with me for whatever reason. Cause I find I have to get up and go rummaging for it, and at that point it's no longer very convenient.”
“It works good. Sometimes it's annoying if you don't have your phone right in front of it, like if you were logging in on the computer or something and your phone's not right in front of you, you have to jump up and go and get it. But overall yes, it works fine.”
“I don't know if my telephone isn't as good as some of the more expensive ones, but I find fingerprint is great as long as I don't do physical work. If I do physical work and my fingerprints get scratched up they don't work, simple as that. And they can take one to two weeks before they start working properly again.”
2. Secure authentication goes beyond just logging in
The research found that participant perceptions and expectations of security in authentication models extend beyond the steps involved in ‘logging on’. While participants rely heavily on visual cues (covered in insight #4 “Users rely on visual trust markers”), customisation options and additional security features beyond the initial ‘log in’ affect their perceptions of security throughout the entirety of a given use case flow.
Participants expressed a preference for authentication customisation: having the ability to control how they access a given platform, with authentication methods that suit them and the option of additional factors. Participants will use multi-factor authentication when it is available, if they feel it is appropriate for the platform. Many users enjoyed the convenience of a single login that gives access to multiple services (such as a myGov account), but also expressed concern that if this single login is compromised, all services linked to it are compromised too. This insight brings forth the design challenge of creating an authentication experience that walks the line between convenience and security.
Surprisingly, participants also noted automatic log out as a feature which made them feel in control, as they didn’t need to remember to do this themselves.
“So you feel like you’re in control that you're not just staying signed into these sites indefinitely, or have to remember to log out either. You're only signed in and then it automatically signs you out.”
“I've started using a password manager so that when I am using password, I can use more complicated passwords. I'm making sure I'm using unique passwords everywhere. If there's options for multifactor authentication, I'll use it. If biometric authentication is an option I'll use it.”
3. Authentication through a generational lens
We found significant differences among the generations in feelings of comfort as well as in the level of perceived security, an unsurprising insight given that younger generations are generally considered more digitally literate than older generations. These differences were also observed when looking at use-case benefit versus reward.
Typically, older generations did not see the benefit in the use case (a fictional app to get an indicative interest rate for a car loan) and expressed preferences to; speak to someone on the phone; visit a brick and mortar store; or submit a paper-trail application via post. Participants in younger demographics were more likely to see the benefit in the use case, and noted their preference to complete tasks online or unassisted (such as using self-service checkout at the supermarket) instead of having to go into a branch or speak to someone.
Participants in older generations also notably felt the authentication process was too fast and did not have enough steps, making them uneasy about sharing their banking data. Older participants appeared to sit at two ends of a spectrum, with some hyper-aware of risks online and others blissfully unaware. Those in the former group were more likely to assess the trustworthiness of a flow on its visual cues and noted that their habits online involve checking URLs (correct addresses and ‘HTTPS’ connections), padlock icons, and ensuring websites match their visual expectations (colours, typography); however, these practices are not unique to older generations and were evident across all generations interviewed.
“Just simple stuff that is actually quite easily by-passable; the graphics or the text or how everything's formatted, because, I guess, I'm a millennial, so it's easy for me to work out. But for example, my mom, the older generation get those spam emails and they’ve spelled PayPal wrong or stuff like that. Just really simple stuff like.”
“It's a lot more convenient than having to go through and speak to someone like a broker or like a person at a bank or whatever. And it's more user-friendly. Also, especially in my generation, there's a running joke that we don't want to talk to people on the phone or talk to people, like we like using the self-serve checkouts.”
“I guess if you were doing a paper-trail application, you'd be submitting data from the last three months. I have this perception that collecting that data in a hard form and posting it off would probably give me more of a feeling of control than just immediately entering or downloading and sending off the data that they're asking for. That's an immediate thing. And again, you know, it's all about the data and I get that's what this session is about, but to me, that's off-putting.”
4. Users rely on visual trust markers
The research found users across all age demographics heavily relied upon visual cues and markers to determine whether they could trust and feel comfortable using a platform, with many citing the presence of certain visual features paramount to whether they would proceed using a digital product.
While we do not believe this list is exhaustive, the following visual trust markers appeared repetitively in the research and go far in denoting to users whether a site or platform is trustworthy, secure and legitimate. They are as follows:
- The presence of a padlock icon in the URL bar, an ‘HTTPS’ connection and the correct URL
- Pixel-perfect user interfaces which match user expectations of formatting, such as colour palette, typography and branding
- Correct spelling and use of grammar
- No slow loading times or suspicious redirections
- Corporate information such as ABNs or phone numbers, and
- Apps downloaded from trusted sources such as the App Store
As these trust markers are all visual, further research could be undertaken to better understand how those with accessibility needs assess trustworthiness.
“I think probably the first thing is visual. That what comes up when I’m logging in looks authentic, then probably the spelling, I’m a previous Editor, so I’m pretty good on that. Anything that looks a bit suss...” “So what I see is what comes up as I'm logging in is what I'm expecting to see or that it comes up immediately that there's not a time lapse or if I'm redirected somewhere else, that immediately sends up alarm bells to me.”
“Okay. So first thing I'm doing as I'm looking at the top, URL looks correct. It's got a secured logo next to it shows me that this is probably the right website. Everything looks okay. You've got the ABN down the bottom. It all looks pretty straightforward. It doesn't look like it's like it would be a different app. So that's, that's what usually gives me indication that this is the correct sort of application.”
“The first thing I look for is the little lock key to show me that it's HTTPS. And then as I said, I like the two factor authentication so that I know that the connection is secure. And then the fact that my login to my data is secure because it's only me that can go into it. So those two things together are the things that I absolutely trust. Or using the one-time password app. So that means that I'm the only one who can get it; the information that passes between us is also secure because the HTTPS, so therefore the conduit is, is secure.”
5. OTP is known (and trusted) as a second factor
Almost all participants were familiar with using One Time Password to authenticate, with many expressing thoughts in regard to the expiration window and delivery to a registered phone number as positive security measures. Users also preferred using a one time password in the context of the use case (consenting to sharing banking data) as they perceived it as less risky than having to enter their actual banking password and the single-use nature of the OTP adds assurance. Many participants shared they would not complete the flow if it required their real password, no matter how much they trusted their data holder.
Interestingly, the consensus from users is that one time password is seen as ‘an added layer’ or ‘extra step’ of security. Users certainly trust and feel comfortable using this form of verification, however they do not perceive it as the primary method of authenticating.
“Is that when they send the code? Oh, so it’s a second step sort of.”
”If I'd already logged into the institution, yes [I'd use OTP]. But for logging in probably not because for something like the scenario I’d expect a stronger security measure.”
“Not to log in. It's usually just to send stuff, to send money and transfer money. It's not usually to log in. I haven't done it to log in.”
“I still think it's important to have to do your email or whatever and your password. I think it's a two factor. I don't know if it'd be quite as good a main factor cause you know, if someone steals your phone or something like that, there they go. You know what I mean? But they might not potentially have your login details. So as a two factor, it's good. But as if it was just solely how to get into it, I think it's a bit of a flaw there.”
6. Users trust established brands, but expect more from them
By and large, participants inherently placed more trust in larger and more established brands. This view applied in particular to government bodies and the banking sector because of the rigid compliance requirements prevalent in these industries. The shared sentiment rests on an assumption that larger organisations have the financial means and professional resources to follow best practice, won’t on-sell customer data, and are consequently less likely to fall victim to hacking or breaches. Participants also believe reputational risk leads established businesses to act in the best interests of their customers’ data.
Although users placed more trust in established brands, they also have higher expectations of how those brands use and store their data. They expect financial institutions and government to treat customer data as securely as possible, remain up to date with cybersecurity best practice to prevent hacking, direct adequate funding to building strong back-end systems and hiring talented teams, and never share their data with third parties. When it came to other platforms (such as social media sites) participants were more accepting and had lower expectations of their security protocols and data treatment, were aware their information was being monetised, and were consequently less likely to share important data about themselves.
“Depends who you're dealing with. Once again, banks, government I'd want them to be right on the money, right up to date and have it under control. Well, you'd like to think that they're right on top of things.”
“I want the channel to be secure. The stuff we've discussed already, but I also want to know that whoever's holding my data is making that data secure. They should make every effort and to make sure that that no one can get in to that data.” “I want them to treat that data with the same respect as I treat my data.”
“If you’re logging into Facebook you don't really care, but if you're logging into a Government website or a Banking website, you want that as secure as possible.”
“The government departments, banks, it's in their interest to keep your information safe. Whereas, you know, Facebook, they're basically trying the best way to sell your information, to make money. They'll try and use any information that you’ve got as best as they can as will profit them.”
“My expectation is for the companies that I'm using the app for to work out the back end to make sure that their system is protected and not hacked. And because if your system is protected as a high chance that my accounts will be protected.”
7. Users perceive multi-factor adaptive authentication as the norm
Participants generally had a firm understanding of the requirements of multifactor authentication, and the friction, or “extra layers”, present was considered positive; many participants typically use a one time password as a secondary factor (as covered in insight #5 “OTP is known (and trusted) as a second factor”), particularly within banking apps.
When considering multifactor authentication in the context of sectors, it was evident in the research that most participants expected authentication to adapt and become more rigorous as the sensitivity of their data increased, as this is what occurs in their present digital experiences and matches their mental models. Users classified their personal, health and banking data as sensitive information. While not all participants shared the view that authentication should adapt, it was not because they thought less-sensitive data (such as energy data) required less stringent authentication methods. Rather, these participants believe all data to be sensitive; citing fears around the potential for hackers to piece together granular information from several data points into a much larger, detailed view of their information.
This finding further supports the recommendation for a gold standard of authentication to be implemented across the Consumer Data Right, irrespective of sector, to meet consumer expectations of security.
“I have no problems with it. Like I said, more layers you can put in there for security, I'm happy with. With one time password is a fairly standard thing for transferring money. So if you're transferring money, I don't see why I wouldn't be any less secure. The only thing is when you transfer money you've already gone through an authentication process with your bank, you've logged in using a password and the one-time password coming to your telephone is like a backup. The combination of those two makes me feel much more secured than a single one.”
“Yes. Yeah. So, and this is where CommBank does do this. When I opened the app and want to view my transaction history, for example, I log in with my fingerprint and that's it. There are certain things I do within the app that will ask me to verify with my PIN.”
“Yeah. I think that one should be able to adapt because I mean, that one is relatively safe, I don't know if that's the right word, but I think that that's where the adaptability should come in place. Because, for example, electricity data, the only thing you might have is just your address and your name; it doesn't have like too much personal information for someone to work with.”
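The step-up model that the Findings and insight 7 describe, as an added example and not code from this report or from any data holder: a one time password that is single-use and expires, accepted only as a second factor on top of a primary factor, with the set of factors an action requires growing with the sensitivity of that action. The action names, the factor sets per action, the 300-second expiry window and the Session, issue_otp, verify_otp and step_up_needed names are all assumptions made for the illustration.

```python
# Added illustration for this report (not DSB or any data holder's code):
# a minimal step-up policy in which a single-use, time-limited OTP is a
# second factor on top of a primary factor, never a stand-alone login.
# The action names, the factor sets per action and the 300-second expiry
# window are assumptions made for the example.
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

OTP_TTL_SECONDS = 300  # assumed expiry window for a delivered code
OTP_DIGITS = 6

# Assumed sensitivity tiers: the report only says authentication should
# become more rigorous as the sensitivity of the data or action increases.
REQUIRED_FACTORS: Dict[str, Set[str]] = {
    "view_energy_usage": {"primary"},
    "share_banking_data": {"primary", "otp"},
    "initiate_payment": {"primary", "otp"},
}


@dataclass
class Session:
    customer_id: str
    factors: Set[str] = field(default_factory=set)        # factors proven so far
    pending_otp: Optional[Tuple[str, float]] = None        # (code, issued_at)


def complete_primary_factor(session: Session) -> None:
    """Record that the DH's own primary check (password, biometric or
    app-based login) succeeded; that check itself is out of scope here."""
    session.factors.add("primary")


def issue_otp(session: Session, now: Optional[float] = None) -> str:
    """Generate a fresh code; any earlier unused code is invalidated.
    In a real flow the code is delivered by SMS or an authenticator app."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    session.pending_otp = (code, now)
    return code


def verify_otp(session: Session, submitted: str, now: Optional[float] = None) -> bool:
    """Single-use, time-limited check. The pending code is consumed on
    every attempt, so a wrong guess cannot be retried against the same
    code, and the comparison itself is constant-time."""
    now = time.time() if now is None else now
    if session.pending_otp is None:
        return False
    code, issued_at = session.pending_otp
    session.pending_otp = None
    if now - issued_at > OTP_TTL_SECONDS:
        return False
    if not hmac.compare_digest(code.encode(), submitted.encode()):
        return False
    session.factors.add("otp")
    return True


def step_up_needed(session: Session, action: str) -> Set[str]:
    """Factors the action still requires beyond what the session has proven."""
    return REQUIRED_FACTORS[action] - session.factors


def authorise(session: Session, action: str) -> bool:
    return not step_up_needed(session, action)


if __name__ == "__main__":
    s = Session("customer-1")
    complete_primary_factor(s)
    print(step_up_needed(s, "share_banking_data"))                # {'otp'}
    code = issue_otp(s)
    print(verify_otp(s, code), authorise(s, "share_banking_data"))  # True True
```

Consuming the pending code on every attempt means one mis-typed code forces a fresh SMS; a production implementation would usually allow a small number of attempts before invalidating and would rate-limit issuance. The point the example makes is the one participants made in insight #5: a session that has only passed verify_otp never satisfies share_banking_data, because the OTP only ever adds the otp factor and the primary factor is still missing.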
Research Outputs
Global Performance: Radial Graph
Global Performance is a measure developed by the research team to define success for various authentication models, made up of five separate measures:
- Recall & input
- Familiarity & completion
- Comfort & control
- Purpose & outcome
- Expectations
Each of these five measures consists of three metrics (as set out in the ‘Measures & Metrics in detail’ table below), collected throughout the research and then collated to determine a quantifiable outcome for each measure. The five measures are then plotted on a five-point radial graph, showing the global performance of the respective authentication model.
The initial radial graph will showcase the global performance for One Time Password authentication method, and act as a benchmark for subsequent models.
| Recall & input | Familiarity & completion | Comfort & control | Purpose & outcome | Expectations |
| --- | --- | --- | --- | --- |
| Information a user needs to recall | Familiarity | User feeling in control | Benefit awareness | User security expectations |
| Users’ perception of length of time | Brand influence | Awareness of next step | Sensitivity of value proposition | Perceived security |
| Number of user inputs | Current authentication models | Trustworthiness | Level of positive friction | Sector |
- Information a user needs to recall: how much information is a user required to recall to successfully authenticate themselves (e.g. Customer ID, lengthy and complicated passwords)
- Users perception of length of time: how long did the user perceive the length of time it took them to authenticate, and, did they find it appropriate
- Number of user inputs: how many fields were users required to successfully input throughout the authentication process
- Familiarity: how familiar a user is with a specific authentication model, and, do/have they used it frequently
- Brand influence: is user trust influenced by the brand they are authenticating with (e.g. do they place more trust in a Big 4 bank than they do a smaller player)
- Current authentication models: what model/s does the user currently use
- User feeling in control: what element/s of the authentication method gives the user the feeling of being in control
- Awareness of next step: could the user accurately anticipate what would happen at each step based on the information provided to them in the flow
- Trustworthiness: how trustworthy did the user find the authentication method
- Benefit awareness: was the user aware of the benefit of the authentication method in conjunction with the use case in which it was applied
- Sensitivity of value proposition: was the user influenced by the value proposition (e.g. did they feel more likely or less likely to authenticate with the method due to the value they derived)
- Level of positive-friction: did the user feel the authentication method was easy enough for them to complete and hard enough for someone else who was wrongfully trying to access their data
- User security expectations: how did the authentication method meet or exceed the user’s expectation of security, if not, why did it fail
- Perceived security: how secure did the use perceive the security of the authentication model and what elements contributed to this perception
- Sector: was the user influenced by the sector in which the use case occurred (e.g was the user more or less trusting of a specific authentication model when accessing banking data vs energy data)
Redirect with One Time Password
Measure and metric outcomes for Redirect with One Time Password are set out below. A score above 4 is considered excellent and a score above 3.75 very good; a score below 3.25 is considered poor and a score below 3 bad. Each measure score is the mean of its three metric scores.
Measure | Metric | Score |
Recall & input | (measure) | 4.01 |
Recall & input | Information a user needs to recall | 3.79 |
Recall & input | Users' perception of length of time | 4.15 |
Recall & input | Number of user inputs | 4.09 |
Familiarity & completion | (measure) | 3.56 |
Familiarity & completion | Familiarity | 4.14 |
Familiarity & completion | Brand influence | 3.15 |
Familiarity & completion | Current authentication models | 3.40 |
Comfort & control | (measure) | 3.53 |
Comfort & control | User feeling in control | 3.36 |
Comfort & control | Awareness of next step | 4.07 |
Comfort & control | Trustworthiness | 3.15 |
Purpose & outcome | (measure) | 3.53 |
Purpose & outcome | Benefit awareness | 3.70 |
Purpose & outcome | Sensitivity of value proposition | 3.35 |
Purpose & outcome | Level of positive friction | 3.53 |
Expectations | (measure) | 3.68 |
Expectations | User security expectations | 3.57 |
Expectations | Perceived security | 3.54 |
Expectations | Sector | 3.93 |
One Time Password | Moderated | Unmoderated | Combined |
Recall & input | 3.93 | 4.08 | 4.01 |
Familiarity & completion | 3.73 | 3.39 | 3.56 |
Comfort & control | 3.97 | 3.08 | 3.53 |
Purpose & outcome | 3.97 | 3.08 | 3.53 |
Expectations | 4.10 | 3.25 | 3.68 |
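The two tables above imply a simple scoring scheme: each measure score is the unweighted mean of its three metric scores, and each combined score is the unweighted mean of the moderated and unmoderated cohort scores, both rounded half up to two decimals. The Python below, added here as a worked example and not part of the report, recomputes every measure both ways and checks that they agree. Two things are assumptions rather than statements from the report: how exact boundary values (4, 3.75, 3.25, 3) are banded, and the label used for scores between 3.25 and 3.75, for which the report gives none. It also shows why the cohort weighting matters: weighting by participant count (10 moderated, 12 unmoderated) would put Familiarity & completion at 3.54, not the published 3.56.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric scores copied from the report's measure/metric table.
METRICS = {
    "Recall & input": {"Information a user needs to recall": "3.79",
                       "Users' perception of length of time": "4.15",
                       "Number of user inputs": "4.09"},
    "Familiarity & completion": {"Familiarity": "4.14",
                                 "Brand influence": "3.15",
                                 "Current authentication models": "3.40"},
    "Comfort & control": {"User feeling in control": "3.36",
                          "Awareness of next step": "4.07",
                          "Trustworthiness": "3.15"},
    "Purpose & outcome": {"Benefit awareness": "3.70",
                          "Sensitivity of value proposition": "3.35",
                          "Level of positive friction": "3.53"},
    "Expectations": {"User security expectations": "3.57",
                     "Perceived security": "3.54",
                     "Sector": "3.93"},
}

# Cohort scores copied from the moderated/unmoderated table: (moderated, unmoderated).
COHORTS = {
    "Recall & input": ("3.93", "4.08"),
    "Familiarity & completion": ("3.73", "3.39"),
    "Comfort & control": ("3.97", "3.08"),
    "Purpose & outcome": ("3.97", "3.08"),
    "Expectations": ("4.10", "3.25"),
}

# Participants per cohort: 10 moderated interviews, 12 unmoderated tests.
COHORT_SIZES = (10, 12)


def round_half_up(value: Decimal) -> Decimal:
    # The published figures only reproduce with half-up rounding (4.005 -> 4.01);
    # round() on a float would give 4.0 for the Recall & input cohort mean.
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def mean(values) -> Decimal:
    decimals = [Decimal(v) for v in values]
    return sum(decimals) / len(decimals)


def measure_score(measure: str) -> Decimal:
    """Unweighted mean of the measure's three metric scores."""
    return round_half_up(mean(METRICS[measure].values()))


def combined_score(measure: str, weight_by_participants: bool = False) -> Decimal:
    """Combined cohort score. The report's figures match the unweighted mean of the two
    cohort means; weight_by_participants=True shows the alternative the report did not use."""
    mod, unmod = (Decimal(v) for v in COHORTS[measure])
    if weight_by_participants:
        n_mod, n_unmod = COHORT_SIZES
        return round_half_up((mod * n_mod + unmod * n_unmod) / (n_mod + n_unmod))
    return round_half_up((mod + unmod) / 2)


def band(score) -> str:
    """Band label per the thresholds stated in the report. Treatment of exact boundary
    values and the label for the 3.25..3.75 gap are assumptions (the report gives none)."""
    s = Decimal(str(score))
    if s > Decimal("4"):
        return "excellent"
    if s > Decimal("3.75"):
        return "very good"
    if s < Decimal("3"):
        return "bad"
    if s < Decimal("3.25"):
        return "poor"
    return "unlabelled (3.25 to 3.75)"


def scorecard() -> dict:
    """Recompute each measure from its metrics and from its cohorts and flag disagreement."""
    card = {}
    for measure in METRICS:
        from_metrics = measure_score(measure)
        from_cohorts = combined_score(measure)
        card[measure] = {
            "from_metrics": from_metrics,
            "from_cohorts": from_cohorts,
            "consistent": from_metrics == from_cohorts,
            "band": band(from_metrics),
        }
    return card


if __name__ == "__main__":
    for measure, row in scorecard().items():
        print(f"{measure:26} metrics={row['from_metrics']} cohorts={row['from_cohorts']} "
              f"consistent={row['consistent']} band={row['band']}")
```

Running the script prints one line per measure; all five come out consistent, which is a useful sanity check when later rounds of research add new authentication models to the same radial graph and the same scheme is expected to apply.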
The research found One Time Password to be a generally well-performing authentication method. Consumers are typically familiar with its verification requirements, having regularly used the OTP model in various contexts, and banking platforms in particular match their mental models. Consistent exposure to the method means users across the board are confident with the flow and know what to do at each step, making it a fast and easy process to complete. OTP is convenient because it removes the need to recall lengthy and complex passwords, and some newer devices auto-fill the code from the SMS message. From a security perspective, users value the OTP expiry window and prefer entering a one time password in place of their actual password, which in turn reduces drop-off. Several participants also recognised the method's limit: an SMS code only shows that the person holds the registered phone, so they regard OTP as a strong second factor but a weaker sole login, a point that recurs in the Familiarity & Completion and Expectations findings below.
Recall & Input (4.01)
Overall, only half of participants can recall their Customer ID off the top of their head.
Moderated outcomes
- By and large, users cited that the only information they needed to recall was their Customer ID
- 6/10 participants knew their Customer ID off the top of their head
- The 4 participants who didn't know their Customer ID said they normally find it:
- Written down and stored in a secure place
- Searching through emails, or logging into their banking app with a fingerprint and then finding it in there
- Having it as a saved contact in their phone
- Going through the notes app on their phone
Unmoderated outcomes
- 5 of 12 participants knew their Customer ID; 3 knew where they could find it easily
Overall, 18/22 participants described the One Time Password authentication process as ‘Very fast’ or ‘Extremely fast’
Moderated outcomes
- 7/10 participants described the length of time it took them to authenticate as ‘quick’
- 2 participants noted that iPhones can autofill one time passwords, which meant they didn't need to memorise or type anything
- 9/10 participants selected ‘Very fast’ and ‘Extremely fast’ to describe the length of time it took them to log in using one time password
Unmoderated outcomes
- 9/12 participants selected ‘Very fast’ and ‘Extremely fast’ to describe the length of time it took them to log in using one time password
- Several participants noted the fact some phones autofill the password sped up the process
Overall, most participants agreed or strongly agreed that there were an appropriate number of fields required to fill during the one time password process
Moderated outcomes
- 8/10 participants agreed or strongly agreed that there were an appropriate number of fields they were required to fill out during the one time password process
- However, 4/10 participants felt there needed to be more steps when accessing bank details, citing the following:
“I feel maybe that for something SO important, that there weren’t enough [steps] and yet I’ve just said our generation is used to getting through things quickly… I mean, going on the amount of money I spent for my car, which wasn’t outrageous, if I was applying for a loan, I would probably be wanting a couple more steps than this.”
“I think it's standard. I mean, I would expect some sort of security, not just one click and then into my account. So if I'm going to trust these people to access my accounts, I should think that there’s a few steps. And for someone that is trying to lend money, I'm sure that they wouldn’t mind, they’d just be hoping that they get given the money.”
“I dunno. I feel like they should be more steps. It was very quick to go into, to get all my information. Like convenience-wise, easy, but I dunno to have all my stuff it was very, very simple for them to have everything.”
“It only had two fields, the one-time password and my Netbank [ID]. I guess it depends on the bank as well, you could put like a date of birth or email to have an extra step, but I guess if someone has your phone, they probably to be able to like get to this stage, they probably also have the info already.”
“I feel like it was okay. I feel like it could be better if there was another factor, but I feel like it was it's pretty good. It's adequate to get me to make me feel safe enough to provide it. Obviously it could be a little bit better if there was another factor, it was like I said, someone could steal your phone, you know, someone else might not realise that. So another factor would make it more secure, but I'm not worried about just providing that. That's not an issue for me.”
Unmoderated outcomes
- Only one participant ‘Disagreed’ to the question “I felt there were an appropriate number of fields I was required to fill during the one time password process". All other participants agreed (8) or strongly agreed (3)
Familiarity & Completion (3.56)
Overall, almost all participants have used One Time Password and are familiar with the method
Moderated outcomes
- Only 1 participant hadn’t used one time password frequently in the past
- 3 participants referenced One Time Password as ‘a second verification method’ rather than the primary
“Is that when they send the code? Oh, so it’s a second step sort of. When they send you a code, like my bank does it, if I transfer money to an account, especially a new account that I haven't sent money to before. It's just to verify it's you doing it? Which I think is great.”
“Yeah. I think it's essentially a second verification process. So you're putting your password and then, because I guess people can, your password can be leaked, it could be hacked or whatever. So it needs a second verification or device that only you would have access to that makes sure it's you, so you can login.”
“I still think it's important to have to do your email or whatever and your password. I think it's a two factor. I don't know if it'd be quite as good a main factor cause you know, if someone steals your phone or something like that, there they go. You know what I mean? But they might not potentially have your login details. So as a two factor, it's good. But as if it was just solely how to get into it, I think it's a bit of a flaw there.”
Unmoderated outcomes
- Only one participant ‘Strongly disagreed’ to the question “I’ve used one time password login method frequently in the past". All other participants agreed (6) or strongly agreed (5)
Overall, 50% of participants would feel the same way about using One Time Password to authenticate irrespective of whether they were using a reputable brand or not
Moderated outcomes
- While 5/10 participants rated 4 or more out of 5, their responses varied greatly for the question ‘I would feel the same way about logging in with one time password irrespective of the brand I was using’.
“I'm much more used to using lesser providers nowadays. I tend to steer away from the real newbies, but I certainly have no problems using banks which perhaps Australians aren't used to, but they're quite often, well and truly established banks or owned by Australian banks. So, you know, Rabo Banks been around a long time. Citibank, HSBC, those sort of people are huge. Some of the smaller ones that come up, they take a little while to be around before I'd be confident in using them.”
“I think, yeah. I think a lot of the trust here is because I do trust ..a Bank to do the right thing in terms of my security. I think it's a terrible risk for them to not look after my security. I don't think that extends to all websites and services I use by any means.”
“Maybe slightly less confident I guess. If it was a provider that wasn't known at all, maybe I would feel not very confident, I guess. Yeah. The big name things you have more confidence in. I guess there's a perception of them being more trusted, but when you really think about it, are they? I suppose, you know, there's no reason that smaller places shouldn't be trusted. I guess it's just the general perception, that they're a big name and that they can be trusted.”
Unmoderated outcomes
- Half of participants said they would feel the same way, and the other half disagreed or were indifferent
“I'd hope they all had the same degree of protections.”
“I wouldn't feel any different, all apps and financial providers should offer the same degree of privacy. Hence I won't feel less comfortable using a One Time Password with them.”
Overall, majority of participants use, or have used, One Time Password in the past
Moderated outcomes
- 8/10 participants had used one time password to log in before. The 2 who said they hadn't had used OTP as a second factor rather than to log in
Unmoderated outcomes
- 6/12 participants currently use One Time Password as a method of logging in
Comfort & Control (3.53)
Overall, we saw a marked difference in responses between moderated and unmoderated participants in response to feeling in control of their data, privacy and security. 7/10 moderated participants agreed that they felt in control, whereas only a quarter of unmoderated users felt the same.
Moderated outcomes
- 7/10 participants agreed or strongly agreed that they felt in control of their data, privacy and account security throughout the one time password process. 1 was indifferent.
- 2/10 disagreed, citing discomfort
- Interestingly, participants said the following gives them the feeling of being in control:
- The ability to change their password or the way they log in
- Some said they never feel in control
“I felt anxious and I was second guessing myself as to whether I was choosing the right place to share that data.”
“It made me feel uneasy. And then it felt contradictory when I read the first page that saying that they only had it for a day and then that I had to go in to settings to, to stop them using the data. It didn't seem like that they don't have access to it after a day. Then why would I need to stop and having access to it that made me feel a bit uncomfortable and just getting someone to access to my account on it. I didn't, it just doesn't feel right. And I don't know if that's an age thing that I'm not going because I'm 45. So growing up, like, you know, your bank account, you have to like, it's all about being secure and not letting people have access to it and things like that. It just seems very open.”
“That I can change the password when I want to, I guess. Yeah. I guess being able to change a password, but I mean, I don't think there's a way for any system to be infallible at all, just because it is a password and once it's been broken once all the other ones.”
“Well, by virtue of me being the only one who can get in, that means that I'm the only one who can change it, which is the control part.”
“Being able to easily change it, being able to reset it easily. If I forget, because you know, you go to a new website and they all want you to do something different in a different combination of upper case, lower case numbers, letters, symbols, everything. So obviously a lot of times you forget your password. So easy resets is the use is the input. I mean, yeah. Convenience as well. Sometimes you can save your passwords and then, you know, set a pin code it's quite easy.”
“Customisation, being able to choose what data I want to share and also how things are set up for you… like user friendly”.
“I don't think there is ever a feeling of being in control when you're dealing with the internet. You'd like to think that you're getting as much security as you can, but I must admit I don't one hundred percent trust anything in regards to the net.”
“I don't think I ever feel like I'm in control with these apps, to be honest. Like, I feel like it's me and and them with my accounts or whatever, because they can access – someone from the back end can be able to see stuff I’ve put out there. As long as it’s online I don't think I feel like I'm a hundred percent in control of it all.”
“I'll use Facebook as an example here. Facebook has these lovely settings that lots of websites do for my privacy controls, where I can switch things on and off theoretically, that would give me a sense of control, except that at the end of the day, I know Facebook has all my data and they can do whatever they want with it. And that's been proven time and time and time again. So I tend to have more security and feelings of trust around platforms that are encrypted, that don't actually store or collect my data. So looking at things like, I think the big one that other people like to use is Telegram. I use Keybase for personal messaging. It's all encrypted, Keybase doesn't access that data, even if they wanted to, they couldn't use it. And so knowing that I'm the only custodian of that data, it gives me total control. Whereas Facebook has buttons that make me feel like I have control when I don't actually.”
Unmoderated outcomes
- Only 4 of 12 participants 'agreed' or 'strongly agreed' that they felt in control of their data, privacy and account security throughout the One Time Password process
Overall, all users agreed they felt aware of what to do at each step.
Moderated outcomes
- All users agreed they were aware of what to do at each step of the one time password. Of these 10 responses, 8 of them strongly agreed.
Unmoderated outcomes
- 100% of unmoderated participants agreed that they were aware of what to do at each step of the one time password process. Interestingly, only 4 of them accurately described the one time password process when asked what they anticipate would happen next
Overall, moderated users had higher levels of trust in a reputable DH. Trust in the One Time Password process largely depends on the ADR requesting the data rather than on the DH itself, since users have already established trust with their DH through an existing relationship.
Moderated outcomes
- When asked ‘How much trust do you place in the process you’ve just been through?’, only 1 participant said they found the process ‘Not at all trustworthy’ because they ‘didn't like that they [data recipient] have access to all my transactions over the past 3 months’
- 5 out of 10 participants responded with ‘Moderately trustworthy’ and another 4 responded with either ‘Very trustworthy’ or ‘Extremely trustworthy’
- For those responding with ‘Moderately trustworthy’, the rationale provided was as follows:
“The main issue is with the security of the entire process. I would need to be confident it was secure to proceed. It is basically giving a third party access to your account details so need to be reputable.”
“I would like to have limitations on: obtained data use, Verification that the link to [data recipient] is dropped when logging in to the bank, another verification step before data is transferred”
“I feel like they want to access information that isn’t necessarily relevant”
“It was extremely quick, and almost too easy. After all, we are talking about accessing financial records.”
“I can’t trust completely because [data recipient] might be new to me but the process appears secure and I did not have to share my password which was trustworthy.”
- When asked what gives them the feeling of trust, participants cited:
- Strong verification processes
- Visual trust markers
- Brand reputation
“I suppose, as long as they've got some sort of reasonable password requirement on there, that it's not just, you know, something very simple.”
“Oh, I don’t know. That you do have to put in your login and your password and I guess if there's the extra step, the one time PIN. I’m not sure. I wouldn’t like the feeling of not having a password, I guess. Yeah.”
“I've never thought about that before. That's a good question. I think, I think especially with important things like banking and stuff or transferring money that that backup is getting the text message with the code is really, really good.”
“I guess having a verification sent to your mobile or email or something like that. Then you know that they're checking your data and not letting just anyone login – there's like barriers to prevent hacking.”
“Two factor authentication is a big one. Secure login details.”
“The first thing I look for is the little lock key to show me that it's HTTPS. And then as I said, I like the two factor authentication so that I know that the connection is secure. And then the fact that my login to my data is secure because it's only me that can go into it. So those two things together are the things that I absolutely trust. Or using the one-time password app. So that means that I'm the only one who can get it; the information that passes between us is also secure because the HTTPS, so therefore the conduit is, is secure.”
“I think probably the first thing is visual. That what comes up when I’m logging in looks authentic, then probably the spelling, I’m a previous Editor, so I’m pretty good on that. Anything that looks a bit suss… So what I see if what comes up as I'm logging in is what I'm expecting to see or that it comes up immediately that there's not a time lapse or if I'm redirected somewhere else, that immediately sends up alarm bells to me.”
“If the website doesn't look dodgy. I noticed sometimes as well, I'm not super familiar with how it's works but on my browser there'll be a little lock button where the URL is. I don't know what it means but I assume it's good. Just simple stuff that is actually quite easily by-passable; the graphics or the text or how everything's formatted, because, I guess, I'm a millennial, so it's easy for me to work out. But for example, my mom, the older generation get those spam emails and they’ve spelled PayPal wrong or stuff like that. Just really simple stuff like.”
“Websites, again, making sure the URL is correct and making sure it's secure”
“Oh, that's a hard question. Logging into sort of an app or platform or brand that I'm familiar with and that I know enough about to feel like they're probably trying to do legitimate things with my authentication, even if not the rest of my data. I think having options for more secure login, so having the option for multi-factor authentication available, for example, that usually makes me feel a bit better about logging into things.”
“If the app is like, if it's a well known company and that I feel like people have been in operation for years and I trust that the company is it's a legit one. So I would assume that I should feel a bit more secure and safe than just any app that I don't know. For example, if I'm trying to log into Facebook, Instagram, I know that it's a well-known (I mean, I'm not saying they are angels) it’s different than just some random developer trying to get me to login with my details. So I feel more secure when it's something that I know than something I'm just starting off. I'm usually not the first to try out stuff to be on the safe side.”
“If you’re logging into Facebook you don't really care, but if you're logging into a Government website or a Banking website, you want that as secure as possible. The government departments, banks, it's in their interest to keep your information safe. Whereas, you know, Facebook, they're basically trying the best way to sell your information, to make money. They'll try and use any information that you’ve got as best as they can as will profit them.”
“It has to be on the app store or it has to be downloaded from a reputable place. Has to be, if it's carrying sensitive information, a well-known brand, I can't download, you know, sketchy apps and put your details in there. Sometimes the certifications, but as long as it's from the app store or, you know, you're downloading it from a reputable platform and it's from the provider you're actually intending to go to it's, it's pretty safe to me.”
Unmoderated outcomes
- Only 4 out of 12 users described the process as ‘very trustworthy’. All other participants rated it 3 or below out of 5, citing the following reasons:
“I trust [a real-world DH], but wasn't 100% confident on [data recipient]”
“Nothing is perfect.”
“Everything that can be devised can be hacked so none of our data is 100% safe”
“I have given a third party access to my banking details. A hard NO for me.”
“I would need to know more about [data recipient] before sharing any data.”
“Only slightly trustworthy, because I don't know this app. It's not coming from a reputable financial institution. And I'm giving them access to my bank account.”
Purpose & Outcome (3.53)
Overall, almost all participants responded with ‘moderately beneficial’ or better when asked ‘How much benefit do you see in logging in with one time password to allow your data to be accessed to obtain an indicative interest rate from [data recipient]?’
Moderated outcomes
- All moderated participants responded with ‘Moderately beneficial’ or better. Reasons included the following:
- Speed & convenience
- Security
- Offers lenders correct data
“It saves using your own password to get access”
“It's convenient and secure and allows [data recipient] to offer me an informed rate quickly”
“It is very easy and quick but I would prefer to share the information I choose to share rather than every single detail of each financial transaction I make”
“Very convenient and streamlined process especially as the data is only available for one day”
“Makes it more secure to give them permission to access information”
“It makes me feel secure”
“Again, increasing the trust of using this app and make life easier”
“It reduces the effort hugely, and it ensures that the data available is correct”
“This is beneficial as it is an easy way for the lender to access the credit documentation they need to provide an accurate quote”
Unmoderated outcomes
- 10 of 12 unmoderated participants responded with ‘Moderately beneficial’ or better.
Overall, 15/22 users saw value in the use case, but that value depended on what they were trying to do. This reiterates the importance of context for users: the value must be worth the risk.
Moderated outcomes
- When asked whether they would expect the log in process to adapt depending on what they are trying to do, 7 out of 10 participants said they would expect the process to change. From the rationale they provided, they expect this because it aligns with their current experiences:
“Yes. It does even in the current circumstances. Banking will generally have a limit, which you can raise or lower the transfers – which we always keep on the minimum. You have to go in and actually enter your account details and authorise and increase your actual transfer amount. Most places will have a limit of, you know, $20,000, $25,000 or it might be more, $50,000 bucks. If you go over that, you've actually got to contact the branch or the bank itself and they'll give you a one time or 24 hour period of time in which to do those transfers and then you to drop back to your normal arrangement.”
“Yes. Yeah. So, and this is where CommBank does do this. When I opened the app and want to view my transaction history, for example, I log in with my fingerprint and that's it. There are certain things I do within the app that will ask me to verify with my PIN. So recently I did have fraudulent transactions on my card. Awful, had to cancel my debit card and I needed to use cardless cash. And so in order to access that I did have to actually put in my PIN to sort of verify well we’re triple checking it to you before we let you proceed. So I do tend to expect that if I'm doing something super spooky, that there will be additional layers. I don't always see that though.”
“Yeah definitely there should be a different degree of it. What you described is actually exactly what my bank does. So to transfer money, you actually have to log in, but to view my balance, I don't even have to put in a password. I can just check it. I mean, at the end of the day, if someone steals my phone and sees how much money I've got in the account, it doesn't really bother me. But if I steal it and transfer money, obviously that's going to bother me. So yeah, definitely. I one hundred percent agree with that. It should scale based on the amount of information and the situation.”
“Yeah. I think it should be different. There should be a difference. I think, especially if you're transferring money, there should be more of a backup check to make sure it's the right person. Yeah. I mean, like I know even with my bank, when I'm called, I can give them my details and they say, what's your verbal password? Which no one would know because it's not written down, which I think is really good. Like sending a code through or having the verbal password, maybe a security question. Something that they ask you before it's done to ensure that it's you doing the transfer.”
“I guess what I'd expect would be that you would log in and that would be a level of logging in. So if you logged in and then went to check my balance or check my accounts, that would be adequate. But if you're going to be transferring large sums of money, that there could be another authentication process, another login process. It does happen with my bank, you know, I can log in and do the everyday stuff, but if I'm wanting to change amounts that I can transfer or reinvest as an example or change details of re-investing, there is another level of authentication there.” “I think that makes me feel safer that you know, that initial log-in, if someone did somehow hack my details… sure, they could find out what I have and there'd be a limit to the destruction that could probably wreak.”
“Yes. So if they can provide me, if transferring money, definitely send me in a message to confirm. And then enter the password, like the ways that HSBC used to do. When you send even to a person you know, they will still ask you to enter the code from a little device and then so that you can transfer the money.”
- Those who answered no believe all information is important and wouldn’t want their data getting into the wrong hands regardless of how sensitive it is:
“No, I don't. To me, if I'm logging into a bank, then it doesn't matter what I'm trying to do – the information I use to log in is the same and once someone's into my account, it makes no difference, they can get at it. So if I'm just going into look at my balance, I want the same security as if I want to transfer a thousand dollars or a million dollars.”
“I wouldn't really. I'm not quite sure if all banks are the same, I imagine they would be, but my bank, for example, has a daily limit and if you wanted to transfer money, you can set it reasonably low, and if you want to change it you ring the bank and make it higher. I think that's a better system than having different log in processes. I think it's best to have one. I mean, there's already so many things that you're logging to and remembering different passwords or different ways to log in. I personally like it better if it's just one way, if there's other measures that can be taken, like I said with the transferring of money.”
“No, I think it should still be the same. I mean, I don’t want someone to know how much I own, you know what I mean? It doesn't matter if I'm about to transfer money to someone or not. If someone's seen how much you have (someone that's not supposed to) there's a high chance they're start thinking of how to rob you, or not rob you, or think you’re pretty much useless to them. So then you see it and then think ‘oh, she's got money and maybe I need to do this’, or ‘she's broke, why waste my time?’.”
- All respondents answered ‘Yes’ when asked whether they would use One Time Password again to perform a financial transaction, such as making a payment or applying for a home loan
- When asked ‘If the one time password login method was available for streamlining the process of getting an indicative interest rate today, what would you do?’, 50% of participants said they would definitely use it again and 20% said they wouldn’t. Those who wouldn’t said they preferred their current method
- 8/10 respondents said they wouldn’t use [data recipient] again, most of them saying they have no need to borrow or take out a loan
Unmoderated outcomes
- Of the 12 participants asked ‘If the one time password login method was available for streamlining the process of getting an indicative interest rate today, what would you do?’, 3 said they wouldn’t use it, 4 said they may use it and 5 said they probably or definitely would use it, giving the following reasons:
“The whole concept of giving a third party access to my banking data is a hard NO. The convenience or speed is not worth the risk in my opinion.”
“No, Due to security concerns and it being a very new concept to me.”
“Maybe, if it was a faster process id be more inclined.”
Interestingly, fewer than half of unmoderated respondents selected ‘agree’ when asked whether they felt the one time password process was easy enough for them and hard enough for someone else trying to steal their data, compared to 6/10 respondents in the moderated sessions.
Moderated outcomes
- When asked whether they thought they would need to authenticate again upon clicking the ‘authorise’ button in the test, 7/10 participants said they did not expect it. Most believed One Time Password was sufficient, but wouldn’t mind being asked for a second verification for the extra security.
- More generally speaking, when asked whether “additional factors on top of One Time Password are required”, 8/10 participants thought it was beneficial but not required. Most cited they would like to see it for banking related use cases.
- 6/10 participants ‘Agreed’ or ‘Strongly agreed’ that they felt the one time password process was easy enough for them, and hard enough for someone else to steal their data.
“I wouldn't mind if they send another code to you, but I wouldn't think it was probably necessary.”
“It would put a bit more trust in the service that there are barriers, that the information isn’t that easy to leak.”
“I don't think so. I think the one-time password would have been enough. If I was asked to again, it would be fine but I would've preferred to do that upfront. You know what I mean? I would've preferred to do two upfront as opposed to doing one and then reading the disclaimer and then doing another one.”
“Yes I would like that. Yes. To be sure, to be sure. That’s a double check before we finally do this; one more step to check.”
“I would think so. That's how I normally experience online banking is usually there's again, not just one authentication. There's actually a couple, depending on what you're doing.”
“I think I’d probably feel more secure, but at this stage I don’t think that’s going to happen.”
“I would like to see it, yes. You're dealing with banking. So the more authentication levels you have in there, the security makes up for any hassle there is in actually logging in properly. Because I was just sort of thinking about the bank producing a code like that, I didn't remember there being a process for me actually authenticating myself with the bank in any way, because they sent me the code. The only authentication was them sending the code to my telephone. So I wouldn't mind another process in there.”
“Yes, I would like to have. I would feel better if I then had to put in face recognition or had to put in an extra PIN code or something to verify that that phone number was actually me.”
“I think it would be nice for banking data and they example we'd just done because it was different from my usual login method. So I don't know if required is the word I would use, but it would make me feel better.”
“For the concept that we use today? Yes. In general? No. I think in general terms you're probably comfortable using the one-time password. Taking out a loan is a fairly big step to take, one time passwords might just be for your electricity account or your phone an account. I think there are times when the simplified one time password is appropriate and other times there's more security measures needed.”
“I think it would be a good idea. It would just make me feel more secure. It just was so quick to go in and just have access to everything. For me, it's a little unnerving. If this is the way it's going to be like to get a loan and stuff. Yeah. It just, I feel like it should.”
“Yeah it’s something I raised in my survey and before as well, I don’t know if it’s necessary because if someone already has my phone they probably have this info, but it’s just another step. I think a lot of banks use a log in PIN as you might not have that saved on your phone but it’s something you remember, but it’s dependent on the bank. If you put your DOB if someone has your phone they can log into your Facebook and find it. But it’s stuff that’s very simple, even if it stops a couple of people scamming it only takes a second.”
“Not required but are beneficial. That's just an extra layer of security. One time password is quite good in my opinion, but, you know, especially for something like banks for more security, the better.”
Unmoderated outcomes
- Out of 12 participants, when asked whether they felt the one time password process was easy enough for them, and hard enough for someone else to steal their data, 5 participants agreed or strongly agreed, 5 were indifferent, responding with ‘neither agree nor disagree’, and 2 strongly disagreed.
Expectations (3.68)
Overall, 15 of the 22 respondents agreed that logging in with one time password met their expectations of security.
Moderated outcomes
- 7/10 agreed that logging in with one time password met their expectations of security
- Here are their thoughts on what gives them a feeling of security, and the expectations they have for security in authenticating:
- More than one factor
- “Not just a simple log in, that there's backups [layers]. Depends who you're dealing with. Once again, banks, government I'd want them to be right on the money, right up to date and have it under control. Well, you'd like to think that they're right on top of things.”
- “So again, knowing that there are additional layers wrapped around things, second layers of passwords, backup emails. I like to expect that particularly when dealing with sensitive data, so personal health, data, financial data, things like that, that the places I'm dealing with have sort of actually thought about this problem and employed best cybersecurity practices, whether that's making sure my login methods are as secure as possible. So not relying just on passwords. Whether that's, you know, making sure when my data is not being used, it's being stored somewhere encrypted and only these people have access to relevant training. Those are the sorts of things I'd like to be able to expect.”
- “I guess, if there's anything extra that you want to do, say almost like a bank or something, if once logged in, if you actually want to transfer money they might ask you for like another passcode when you want to do something. Or changing your password as well, if you left it logged in, you actually have to enter it again before you want to change your password.”
- “Good security on the login. Like obviously two-factor authentication. Just making sure my passwords strong. That's usually, that's usually it, you know, as long as the security of your website's good, it shouldn't be an issue.”
- “I think those alerts are good because it makes you know that your password is out there and that second step of like either a text message or call or whatever. Yeah. That if it's something super important, like banking or financial stuff that there is that backup.”
- Blind trust in brands taking security seriously
- “The one thing that gives me the feeling of security is if I know that it's a well-known company and I feel like I'm safe using the app. My expectation is for the companies that I'm using the app for to work out the back end to make sure that their system is protected and not hacked. And because if your system is protected as a high chance that my accounts will be protected. So, yeah.”
- “It just gets back to, I guess, feeling like I just take this stuff for granted. I don't know that I do really have any expectations other than it's probably okay, I guess, I'm quite trusting of, sites.”
- “I guess I just feel like if the sites are trusted, and definitely passwords. I probably do take security for granted. I suppose when I think of an example, I think it happened to me a few weeks ago where I think it was my bank I was trying log on to and usually I would use the app, but for some reason I didn't, and I think like a different site initially came up first in the search and I almost didn't realise… just trying to think of if it definitely was my bank… – but anyhow, I was trying to log on and I double clicked and then it took me a minute to sort of realise that it wasn't the right one. That’s sort of the best example I can give that I take it for granted that I just, sort of went about trying to log on without really thinking ‘hang on this isn’t right’, I almost got caught out.”
- “Again, this question that come with, who is the provider? Where is this coming from? And then at the end, I feel secure. If, is MyGovernment ID, if it is iCloud or Microsoft Teams or Google mail. Yeah. It is, is like my daily activities, my everyday activities. And I agree they take my biometrics because it's very hard for those companies to have a compromise on their customer data ID. Although Google has been leaked many times, but I think it’s improved it’s service.”
- And in regard to their expectations of security, here’s how One Time Password stacks up:
- It felt secure
- “It feels very secure. I guess it feels secure because it's just for that session as well, for that time that you're logging in.“
- “I think it makes me feel secure that other people are not having access to my password. So I think, yeah, definitely, I would use that over putting in my password anytime. If I'm putting in my password directly to my Commonwealth Bank, for example, then it's different because it's for them. But if I'm using a third party, for example, like, you know, try to connect these two dots, I think I'd rather use a one-time password to minimise the amount of time of putting my password in other people's server that I don't know about.”
- “One of the things in the survey said ‘it's secure enough to stop other people, but easy enough that you could use it’. So I think it leans more toward the secure side, but I think the process is a good one. But maybe there's hackers who can circumvent it. I guess you might be worried because it's not something you've used before and you're not sure of the security. I guess especially the older generation, there is no password. But if you explain it to them or they think through the process, then it seems secure.”
- “I think, I think it's very integrated program. So it is, I think because I have thought the app for the process, I don't need to enter my mobile number, I just enter my customer ID and then it already had my mobile phone number and then send me the one-time password. So I think it is quite a logical platform itself. And very reliable, because it's got everything already.”
- “I like it. I think it's good. And it should be used more by all of the financial institutions. And in fact, I'd like it to be used by any of the big providers, whether it's energy, banks, whatever, anyone. I just think it's necessary.”
- But users wanted another layer [factor]
- “I have no problems with it. Like I said, more layers you can put in there for security, I'm happy with. With one time password is a fairly standard thing for transferring money. So if you're transferring money, I don't see why I wouldn't be any less secure. The only thing is when you transfer money already gone through an authentication process with your bank, you've logged in using a password and the one-time password coming to your telephone is like a backup. The combination of those two makes me feel much more secured than a single one.”
- “I think I'm a very cautious person and I think that it didn't meet my expectations. I think my expectations were higher that it would be, if not a more complicated process or complex at least have a little, a few more steps to it.”
- “Did a lot of things, right. Didn't do much wrong on from what I saw, you know, verify who you were, got your client details and it didn't ask you for your number. It sent it to you number, cause you know, your bank's gonna know your number. So yeah, it met everything that I, that ticks my boxes. Like I said, the really anything that can be better is just another layer. But even then, it's not mandatory for me.”
- “It was, it was just very easy. It was so easy. It was; that it's just the code and that's it and you have access to everything. It's very easy, but then it's just the way that we're moving now as a society, just to have everything so easily. I don't know if it'd be better to be able to access, I’m just thinking like something different, like a recognition like facial recognition or something to be able to do it. It seems like it has more security than a one time password.”
Unmoderated outcomes
- When asked ‘I felt that logging in with one time password met my expectations of security’, of the 12 unmoderated participants, 8 agreed or strongly agreed, 2 neither agreed nor disagreed and 2 strongly disagreed.
Overall, only 3 participants felt One Time Password carried no risk at all.
Moderated outcomes
- Only 2/10 participants responded with ‘Not at all risky’ to the question “How much risk do you see in logging in with one time password to allow your data to be accessed to obtain an indicative interest rate from [data holder]?” For the 8 others, here’s what they had to say:
- Their thoughts in regard to security when logging in like this included:
- Fears of fraudulent sites
- Alignment to current experiences
“I would wonder how the bank knows it is me. I haven't gone through an ID process so the only security is that there is a code coming to my phone.”
“I don't know or trust [data recipient], and in this exercise I couldn't verify I was on the "real" [DH] page. It would be easy to make an insecure mock up of this process to gather people's data (like customer IDs)”
“I think there should be more security measures before [data recipient] can access the account information.”
“I don't like that it was so easy to give them access”
“There is always a risk when sharing data between companies however the process/length of time that data is available for lowers the chance being hacked/data being leaked”
“As stated before, the only risk is if your phone is stolen or not accessible”
“Well, I never thought of it before, to be honest. I never thought of it in that much detail that I've indicated it's [a real-world DH]. So if this was a fraudulent website and I've indicated that to my bank, they would have an idea of what the format would look like. And would they could maybe send it into a fake, fake pass code? Yes. I don't know. I never thought of it in regards to protecting it. I would assume this was real. If I was doing it and not put too much thought into it.”
“If I did it this way and just logged in and this came and it was from like my bank from Qudos and it looked the same of how it normally looks. I don't think I would double think it to be honest if I was quickly going through. But now, because we're talking about it, it just, it, if they're that maybe they could be that clever to send a fake one-time password to put in so that the person feels more secure. And then they have all your information.”
“Again, I want to make sure I always check the padlock is there, so it's a secure link. I always check the fact that I'm actually logged into [a real-world DH]. The other thing is that it's going to expire, so if I don't act quickly enough, it's going to expire. But it also means that if this is captured by someone, for whatever reason, they they've only got less than 10 minutes to actually use it. So this actually, I think is, is quite good. I was very reluctant to use banking on my phone a while ago, but now with these sorts of securities, I'm much more comfortable doing it.”
“I mean, I'm sure there's ways to circumvent this possibly. I don't know, I haven't thought of any that come to mind. But I feel like this is more secure than using a password.”
“I guess when I have used one time password it’s kind of entered my mind, where does the one time password come from, and how do they know they’re sending it to the right person? That would be my thoughts.”
“I guess, so if I think about how I normally access [my banking app]… The my banking app will open and I have to log in with my fingerprint, and it feels a bit strange to me that there's a separate method to login for this service. I would almost expect it to trigger, if you've got the app on your phone, open the app and log in that way. It's more familiar to me. I know that that's how my bank expects me to access their stuff. And so this is a bit strange. I do feel a little bit weird about it.”
“It is a pretty secure, I think. So if you asked me, once you five on this one, I will say five on this security on this one.”
“Yes. Only the third party… so if the third party say is backed by [a real-world DH], like UBank is backed by NAB it would give me more confidence. And then I would say, if I know that I will say, I will give them a score, like four to five.”
Unmoderated outcomes
- All unmoderated participants saw at least some level of risk in logging in with one time password. When answering the question “How much risk do you see in logging in with one time password to allow your data to be accessed to obtain an indicative interest rate from [data recipient]?” they responded with slightly risky (5), moderately risky (5) and extremely risky (2). Here’s what they had to say:
“Not aware of [data recipient] and how strong the cyber security systems that are in place”
“Protected by 2-factor ID”
“One time passwords are generally more secure”
“As I have mentioned earlier, the OTP is secure, but sharing bank data is risky irrespective of what type of PW you are using.”
“I have studied Cyber Security, I have worked in a bank, I work in IT. The whole concept of giving a third party access to my banking data is a hard NO.”
“It’s a third party, lesser known company; I don’t know who they are.”
“Because it could be a scam and there are so many of them around, it makes you more wary.”
Overall, 17 of the 22 users felt that One Time Password was appropriate for the kind of data they were accessing.
Moderated outcomes
- All users felt one time password was appropriate for the kind of data they were accessing.
- 8/10 participants said that they would expect the log in process to adapt depending on what they were trying to do, for example accessing banking data versus accessing electricity usage data.
“You know, what you're using in electricity once again, it's one of those ones which really doesn't matter. Who really cares what I'm using with my electricity? It’s only for my own personal information and you know, what are people going to gain if they can figure out what amount of electricity I'm getting? In that case I don't think the layers of security on electricity data are going to be very substantial and I wouldn't expect them to them.”
“Yeah. So I certainly would expect that my electricity usage would be more straightforward to access. I can see a scenario where I would only need to input my account number and not even put in a password to say that. Whereas my bank data, I love that there is multiple sort of layers of authentication and again, biometric authentication, higher level of authentication associated with that.”
“I wouldn't expect it from my electricity account or maybe a phone bill might be a little bit different, but again, I'm an honest person. I'm sort of like, well, what could someone do with my electricity account? Yeah. I would think that the details that are on my electricity account would probably be available to anybody. My name, my address, I think there's the, a parish lot number or whatever, maybe a mobile phone that's that's it. And, and I would think that those things, you know, if there's someone who can hack a website, they wouldn't need to hack a website to find that information out about me.”
“Yeah. I think that one should be able to adapt because I mean, that one is relatively safe, I don't know if that's the right word, but I think that that's where the adaptability should come in place. Because, for example, electricity data, the only thing you might have is just your address and your name; it doesn't have like too much personal information for someone to work with.”
“Well, anything banking, I think should be a bit more secure than electricity. I mean, I dunno for me, somebody knowing how much electricity I use, it's not going to, unless it targeting me to change providers or something that they're doing it that way, I guess it, it wouldn't bother me.”
“Yeah, obviously my banking is more important. So yeah.”
“Yeah different level I feel like banking is more sensitive and private than you can see how much electricity has been used. Obviously it’s still confidential information but there should be heavier security measures on the banking details. Because you know, you lose money. It's going to cripple you. Someone sees what you're spending on electricity. It doesn't really bother you it's bad, but it's not going to do anything to you.”
“It doesn't bother me. It doesn't bother me. It's more so the fact that if it did have less, I wouldn't be so concerned if I only had one or two, it's like, okay, but if it has three, great. I mean, if you, if you want to put the extra measures in there, sure. As long as it's not obnoxious to log in to, it should fine.”
“Well, I think, I think it's okay for me. Electricity usage. I think that banking needs to have a higher level of security, but the electricity usage access, I think anyone, any scientists, any data scientist can access it. Whereas the banking thinking things, I think it’s only up to the taxation officer station officer to audit the banking that can access it.”
Unmoderated outcomes
- Only 7 of the 12 participants tested felt that one time password was appropriate for the kind of data they were accessing. The other 4 strongly disagreed.
Consumer Behavioural Archetypes
Each Archetype has specific needs for how authenticating to share CDR data should work in order for them to trust and understand it.
➊ Sceptics are less trusting of organisations and/or technology. They generally value control, and are averse to sharing data based on their experience with current practices.
➋ Assurance Seekers want to read additional information. They generally value familiarity and external reference/support, and are apprehensive to new experiences.
➌ Sensemakers need to understand how the process works. They generally value details, and can trust the process if given enough valuable information.
➍ Enthusiasts are excited to get the benefits of authenticating to share CDR data. They generally value simple experiences once trust is established.
System Usability Scale
The raw SUS score was evenly distributed for Redirect with One Time Password. The overall SUS score of 82.5 is considered very high. The coloured markers correspond to the Consumer Behaviour Archetypes as described above.
The System Usability Scale (SUS) is a Likert scale of 10 questions that users answer. Participants rate each question from 1 to 5 based on how much they agree with the statement they are reading: 5 means they agree completely, 1 means they disagree vehemently. SUS questions alternate between positive and negative statements, which is deliberate so respondents can’t arbitrarily agree to them all. Once data is collected and synthesised, a score can range from 0 to 100; however, it isn’t a percentage. The average SUS score is 68, so while that may look like 68% of the total maximum score, it is more appropriate to read it as the 50th percentile.
- 80.3 or higher is well-performing and bodes well
- 68 or thereabouts is average and needs some work to improve
- 51 or under is a problem and needs addressing
SUS is not used as a diagnostic and will not highlight any specific problems with a flow; however, it will give an indication of how usable a product is. In our case, SUS has been used to assess how usable an authentication method is.
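The scoring the paragraphs above describe, worked through as an added example (not the report's or the research team's own tooling). It applies the standard SUS formula, which the report does not spell out: odd-numbered (positively worded) items contribute response minus 1, even-numbered (negatively worded) items contribute 5 minus response, and the sum is scaled by 2.5; the participant data and archetype labels are constructed.

```python
"""Scoring the System Usability Scale (SUS) as the report describes it.

Added example, not part of the report. Uses the standard SUS formula
(Brooke, 1996). Sample participant data below is constructed.
"""
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Sequence, Tuple

# Grade bands quoted by the report; SUS is a 0..100 score, not a percentage.
WELL_PERFORMING = 80.3   # 80.3 or higher bodes well
AVERAGE = 68.0           # the SUS mean, i.e. the 50th percentile
PROBLEM = 51.0           # 51 or under needs addressing


def sus_score(responses: Sequence[int]) -> float:
    """Return the SUS score (0..100) for one participant's ten Likert answers.

    Answers are 1 (disagree vehemently) .. 5 (agree completely), in
    questionnaire order. Because the statements alternate in polarity, a
    participant who blindly answers "5" to everything scores only 50.
    """
    if len(responses) != 10:
        raise ValueError("SUS has exactly ten items")
    total = 0
    for index, answer in enumerate(responses, start=1):
        if not 1 <= answer <= 5:
            raise ValueError(f"item {index}: answer {answer!r} outside 1..5")
        # Odd items are positive statements, even items are negative ones.
        total += (answer - 1) if index % 2 else (5 - answer)
    return total * 2.5


def grade(score: float) -> str:
    """Map a score onto the bands the report uses."""
    if score >= WELL_PERFORMING:
        return "well-performing"
    if score > PROBLEM:
        return "average, needs some work"
    return "problem, needs addressing"


def summarise(
    participants: List[Tuple[str, Sequence[int]]]
) -> Tuple[float, Dict[str, float]]:
    """Overall mean SUS score plus the mean per behavioural archetype."""
    by_archetype: Dict[str, List[float]] = defaultdict(list)
    for archetype, responses in participants:
        by_archetype[archetype].append(sus_score(responses))
    overall = mean(s for scores in by_archetype.values() for s in scores)
    return overall, {a: mean(s) for a, s in by_archetype.items()}


# Constructed sample: (archetype, ten answers). Not real participant data.
SAMPLE: List[Tuple[str, Sequence[int]]] = [
    ("Enthusiast",       [5, 1, 5, 1, 5, 2, 5, 1, 5, 1]),   # 97.5
    ("Enthusiast",       [5, 1, 4, 2, 5, 1, 4, 1, 5, 2]),   # 90.0
    ("Sensemaker",       [4, 2, 4, 2, 4, 2, 4, 2, 4, 2]),   # 75.0
    ("Assurance Seeker", [4, 2, 3, 3, 4, 3, 3, 2, 4, 3]),   # 62.5
    ("Sceptic",          [3, 4, 2, 4, 3, 4, 2, 3, 3, 4]),   # 35.0
    ("Sceptic",          [5, 5, 5, 5, 5, 5, 5, 5, 5, 5]),   # 50.0: agreed to all
]

if __name__ == "__main__":
    overall, per_archetype = summarise(SAMPLE)
    print(f"overall SUS {overall:.1f} ({grade(overall)})")
    for archetype, score in per_archetype.items():
        print(f"  {archetype:<16} {score:.1f} ({grade(score)})")
```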
Fogg Behaviour Model
All research participants have been categorised into archetypes based on their behaviours, and then mapped using the Fogg Model Diagram above. The coloured markers correspond as described in the Consumer Behaviour Archetypes section.
The Fogg Behaviour Model (FBM) compares consumer ability to complete authenticating to share CDR data against their motivation to do so in this context. Based on the chart, for most participants, the desired behaviour (progressing with the login using OTP) will happen when prompted (presented with OTP to continue). Surprisingly, some participants lacked both the ability and motivation to continue with OTP when prompted by the option to do so. This can be inferred in the diagram above from those who fall under the red ‘Action line’. Those who fall below the Action line are not likely to exhibit the desired behaviour when prompted, while those who fall above it are more likely to act when prompted. Almost all Sensemakers (yellow) fall above the action line; only 1 sits just below it. For the Assurance Seekers (orange) who fell below the action line, there is potential for them to move above the threshold by increasing their ability, which can be achieved by simplifying the flow, for example.
Action line Considerations
Note that the Action line is indicative of the likelihood of a behaviour happening when prompted in this context, but Fogg does not offer a hard and fast formula to plot its exact location.
Summary
Redirect with One Time Password is satisfactory for most use cases, however there are several areas where the current process and consumer experience could be uplifted, such as:
- More easily recalled customer key: Customer ID is potentially problematic, with only half of all participants interviewed able to recall their banking Customer ID number off the top of their head; the other half find their banking Customer ID either by entering the relevant banking app with biometrics to find it, or store it on their device in the notes or contacts app. The practice of storing a Customer ID on a device gives rise to concerns around security and the ease with which OTP can be breached if your device falls into the wrong hands, many participants having experienced theft or loss of their mobile phones.
- Extra security features: The research found giving consumers extra security features, such as options for multifactor authentication and alerting them that they will be automatically logged out, can contribute to feelings of being in control. The inclusion of educational elements, for instance explaining how a DH triggers an SMS, can be beneficial for those with lower levels of digital literacy.
- Visual trust markers: Standardising Data Holder UI to include the components identified in Insight #4 Users rely on visual trust markers, such as fast loading times, the inclusion of corporate information such as ABNs and phone numbers as well as cybersecurity badges, could assist in increasing user perception of security and trust. The research team want to reiterate the importance of further research to explore how those with accessibility needs assess trustworthiness, and what indicators can be employed to uplift security in this context.
- OTP Autofill: At present DHs elect whether to autofill numpads when a device has received an SMS containing an OTP. Uplifting standards to encourage DHs to automatically autofill OTP from SMS can increase security and reduce cognitive load for users who otherwise have to toggle between their messaging app and the DH website.
One Time Password is a sufficient authentication model and could offer better consumer experience with some minor improvements, however, there are several shortcomings which could be addressed with the introduction of other models.
- Across the board, OTP did not match user expectations contextually; most participants were familiar with the model as a second factor of authentication and did not perceive it as strong enough when used as a primary, stand-alone model. An improved CX could see App-to-App included as a supported authentication model, striking a balance between convenience and security, as it’s perceived by users to be more trustworthy than redirect or browser-based methods. App-to-App can easily include multiple factors of authentication occurring in a stepped format (at various points in a flow). This method will be explored in the following round of research.
- To exceed expectations, authentication can extend beyond simple multifactor authentication. Implementing OTP as a step-up, secondary form of verification when used in conjunction with a gold standard primary authentication method could go far in exceeding user perceptions of security and trust. Step-up authentication requires additional levels of authentication to adapt as the risk profile and sensitivity of the action increases, and could be implemented across the Consumer Data Right, irrespective of sector.
These changes could go far in exceeding user perceptions of security and trust across the Consumer Data Right. Further research is being undertaken to determine other models to support.