-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Noting Paper 280: The CX of Authentication Uplift #280
Comments
Noting Paper 280 on the CX of Authentication Uplift has now been posted and can be found in the original post. While this paper centres on CX research, the preliminary scope and focus will inform the general scope for CDR authentication uplift. Feedback is invited by Friday 27 January 2022. |
TPGT appreciates the opportunity to provide feedback in relation to Noting Paper 280, however, we would like to request an extension be provided until Friday 10 February to allow for key stakeholders to be able to participate in the response. |
Performing CX research on authentication in isolation from the information security and implementation impacts will result in a potential disconnection from the technical reality. This has already been demonstrated in the course grained scopes, collapsed scopes and fine grained access disclosure variability between the Standards, CX Guidelines and Rules. If nothing else my feedback would be that CX learn from the mistakes of the past so implementers aren't, once again, in a conflict between DSB guidance and Rules. Additionally, this is a noting paper so there is no actual scope to alter the DSBs approach. Nonetheless I would note that it's a bit rich to publish a paper containing some fairly complex and far reaching research techniques over a holiday break and call it "consultation". On this basis the request of TPGT seems reasonable. |
This consultation will be extended to Friday 10 February in response to community requests. |
Thanks for your comments @perlboy This noting paper was developed following requests from members of the Data Standards Advisory Committee. The aim was to relay how the DSB are approaching CX research on authentication, but also to provide a channel for the community to comment on the initial scope. The DSB's CX and technical teams worked together on this paper to facilitate alignment. It was published as early as possible once that had been achieved, but we acknowledge the difficulties of consulting in the December-January period. The feedback window has now been extended. The purpose of this noting paper is to allow the community to provide early input, and we welcome views on any disconnects or negative implications that may have been missed. |
TPG Telecom is supportive of the authentication review and agrees with the findings of the Independent Security review that the current OTP method does not meet minimum security requirements. We do not see value in augmenting the current OTP process and believe that the other authentication methods in scope should be considered. The Standards should be updated to provide minimum security requirements for authentication, rather than explicitly prescribing fixed method/s. This is particularly relevant for the Telco sector, as we are already governed by the Telecommunications Service Provider (Customer Identity Authentication) Determination 2022, which outlines how Telcos must undertake Multi-Factor Authentication for high-risk transactions. The Standards should seek to specify the baseline requirement of a framework for authentication that includes:
|
Thank you for the opportunity to provide feedback. We are broadly supportive of the proposal and note the following for consideration:
|
As a prospective ADR, Tic:Toc welcomes the opportunity to comment on the proposed approach for CX research in relation to the authentication uplift. The experiences that consumers have with authentication are a key driver of CDR conversion rates, which in turn influence commercial decisions about extent and timing of participation in the CDR. Tic:Toc supports the security uplift for authentication and the proposed CX research, noting the following points for the DSB’s consideration:
|
Please find CBA's feedback attached. |
@perlboy made a good point. There is a danger of this research producing something that is either not secure or not implementable. There is no question that authentication in CDR has to be uplifted and current mechanism is not user friendly or secure. Noting paper seems to be mixing different things together. I propose to breakdown this problem space into multiple areas, re-assemble it together and only then perform a CX research on the final outcome. 1. What authorisation flows should be supported?
UK Open banking, for example, supports all three because they provide appropriate user and use-case coverage (inclusion). All flows come with different security considerations and have appropriate controls available within FAPI framework that CDR has already adopted, so there is not need to re-invent the wheel. The flows that were considered insecure are already ruled out by the community (e.g. embedded). Picking only one of the flows only creates a bad customer experience, restricts possible use cases and/or prevents a part of the community from using CDR. Current Australian CDR flow as prescribed by the CDR specifications is a strange, non-standard weak mix of redirect and OTP. 2. What level of authentication and risk based decisioning is required of different types of transactions? This is where we discuss types authenticators, their strength, biometrics multiple factors and FIDO standards (not just Passkeys). This should be an opportunity to modernise and improve authentication across Australian banking, energy and telecommunications industries. Frameworks like NIST should drive what level of assurance is required for a particular use case. We should be encouraging data holders to avoid using knowledge-based secrets and phishable credentials / factors. 3. What security and fraud concerns should be considered? Movement towards FIDO standards together with transaction signing and risk-based fraud decisioning solves security concerns. Data holders should be allowed to use existing customer authentication and associated fraud controls. 4. What overall customer experience is acceptable? Overarching principle should always be: Customer shall be using existing and familiar authentication channel with no additional friction. Movement towards FIDO standards improves user privacy and authentication user experience. Existing CX guidelines and design principles in other jurisdictions can be helpful too, for example, OBIE CX guidelines (UK). If you break the problem down as suggested, the right solution might become much clearer, cleaner and we don’t have to re-invent it. This has been successfully done before. |
Thanks to everyone who provided feedback on the initial scope and approach for CX research into authentication uplift. The DSB will review and consider these comments for ongoing CX research and technical analysis. Importantly, the CX research is focused on existing and familiar authentication approaches and considering historical learnings from other jurisdictions, such as the UK's OBIE (e.g. the current guidelines). The purpose of the CX research is to understand how and where the existing CDR CX standards and guidelines might need to be adjusted to accommodate these approaches, validate issues with the current state of authentication, and test various community proposals (such as the ‘waterfall authentication’ proposition raised at a previous Data Standards Advisory Committee and change requests posted on GitHub). To support transparency, the DSB will provide links in this thread to published CX of authentication research reports. The DSB is conducting standards analysis in tandem to support any future decision proposals. This thread will remain open so ongoing discussion can take place ahead of any formal consultation on authentication uplift. |
The report for the first round of CX of authentication uplift research can be found here. This report contains findings and considerations based on Round 1 of CX research that was conducted on the ‘Redirect with One Time Password’ (OTP) approach. |
The report for the second round of CX of authentication uplift research can be found here. This report contains findings and considerations from Round 2 of CX research on ‘App/Browser-to-App with Biometric’. |
We welcome the opportunity to provide feedback and apologies in publishing our feedback later than accepted.
|
This comment originally contained a problem space description for offline customer authentication. To facilitate a targeted feedback, it has been converted into a separate consultation, Noting Paper 296, which is open for feedback until Monday 17 April. |
Hi DSB et al, with respect to timeframes, can I please ask that the above request for feedback be updated with a date that consultation closes? Also, there is chance for confusion here given the request is nested within the comments section of another request for consultation, which has since closed. Would it be appropriate for this new request to be separated into a new issue card, linking back to #280? |
@AGL-CDR the problem space has now been converted into a separate consultation, Noting Paper 296, which is now open for feedback until Monday 17 April. |
Authentication Uplift - Round 3 Research report has been published and can be found here. This report contains findings and recommendations from the third round of CX research conducted as part of the Authentication Uplift project. This research ran in March of 2023 and tested “Decoupled” authentication and included elements of “fall-back” models. The purpose of the research was to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. In total, 40 consumers participated in this round of research. Two prototypes were used to facilitate discussion and generate insights in relation to decoupled authentication, selected fallback methods, and general sentiments regarding authentication. Key insights from the research included that:
Decoupled authentication could be supported by the CDR with the following constraints in order to meet user expectations of comfort, control and trust:
The study concludes with this third round of research. The research team will now focus on preparing a report on the outcomes and compare the findings across the three models tested along with a recommendation for consultation. The full report can be accessed here. |
A fourth report on the CX of authentication uplift research has been published online and can be found here. This report contains summaries and comparisons of all the recent CX research conducted on this topic, including an improved Redirect with OTP flow; App/Web to App with Biometrics; Decoupled with QR Code. In total, over 150 consumers participated across the three rounds of research; which involved 90-minute 1:1 interview sessions and 30-minute unmoderated prototype tests. Key Themes System Usability Scale Opportunities The research on Redirect with One Time Password identified several key opportunities and improvement areas and could be uplifted to continue being a supported model, particularly for sectors with lower digital adoption. Decoupled could also be supported to allow the user to authenticate securely with their known device no matter how they interact with the CDR, while support for the use of QR codes as part of CDR authentication could be de-prioritised. Next Steps Authentication uplift will also need to consider Credential Level pairings and recommendations from both the PwC IC Accessibility and Independent Security Review reports. The DSB will present on the topic of authentication uplift at the CDR Implementation Call on Thursday 13th July from 3pm-4:30pm. This session will cover key findings and opportunities from the CX research along with a brief overview of the DSB's approach to CDR authentication uplift. You can register for the regular call by emailing [email protected] - see here for further details about the call. |
Attached to this comment is the slide deck the CX Team presented at the Implementation Call on Thursday 13th July. Implementation Call Presentation - Authentication Uplift Research Outcomes.pdf The deck contains high-level summaries and comparisons of all the recent CX research conducted on this topic, Redirect with OTP flow; App/Web to App with Biometrics; Decoupled with QR Code. It also shares the DSB's current thinking on the authentication uplift approach, which will be formally consulted on as a Decision Proposal soon. This thread will be updated when the DP is live. |
Following the Government’s response to the Inquiry into Future Directions for the CDR, as well as the Independent Information Security Review, the Data Standards Body (DSB) is now conducting Consumer Experience (CX) research to inform which authentication approaches should be supported by the technical and CX standards.
The purpose of this noting paper is to share the DSB’s general CX research approach to authentication uplift with the community. We invite community feedback on this work and recommend you read this noting paper if you would like to:
• Provide views on the preliminary scope and priorities for authentication uplift
• Suggest other authentication approaches for the DSB to consider
• Comment on the general approach to CX assessment of authentication approaches
This paper and consultation will not delve into technical considerations. It focuses on CX research goals and the preliminary scope for authentication uplift, as well as various methods, measures, and metrics being used to assess alternative authentication approaches.
While this paper centres on CX research, the preliminary scope and focus will inform the general scope for CDR authentication uplift. Given the DSB is prioritising authentication uplift as foundational to future CDR expansion including action initiation, community feedback is invited on the preliminary scope and priorities for authentication uplift, as well as any other issues or items that the DSB should consider.
Noting Paper 280 on the CX of Authentication Uplift can be found below:
Noting paper 280 - CX of Authentication Uplift.pdf
The community is invited to provide feedback on this paper by Friday
27 January10 February 2023.Edit: Consultation extended to 10 Feb following community requests
The text was updated successfully, but these errors were encountered: