
Noting Paper 296 - Offline Customer Authentication #296

Closed
CDR-CX-Stream opened this issue Mar 17, 2023 · 18 comments
Labels
Category: CX A proposal for a decision to be made for the User Experience Standards Category: InfoSec Information Security Technical Working Group Decision Proposal Category: Noting Paper A paper outlining a specific outcome or clarification that is being posted for noting Industry: All This proposal impacts the CDR as a whole (all sectors) Status: No Decision Taken No determination for this decision has been made

Comments

@CDR-CX-Stream
Member

CDR-CX-Stream commented Mar 17, 2023

Friday 17 March: Noting Paper 296 Published
The purpose of this paper is to seek community feedback on offline customer authentication. The paper focuses on the impacts and opportunities regarding the augmentation or deprecation of the redirect with OTP (One Time Password) model.

The key consultation questions for this noting paper are as follows:

  • How might we augment the redirect w/ OTP flow/mechanism to maintain support for offline customers?
  • If it is not appropriate to retain the redirect w/ OTP flow at all, what alternatives exist to maintain support for offline customers?

Noting paper 296 on Offline Customer Authentication can be found below:
Noting paper 296 - Offline Customer Authentication.pdf

Feedback is now open on this noting paper and will close on Monday 1 May 2023 (originally Monday 17 April, then extended to Friday 21 April).


Edit: Deadline extended from 17 April to 1 May 2023.

@CDR-CX-Stream CDR-CX-Stream changed the title Noting Paper 294 - Placeholder Noting Paper 296 - Placeholder Mar 17, 2023
@CDR-CX-Stream CDR-CX-Stream added Status: Open For Feedback Feedback has been requested for the decision Category: CX A proposal for a decision to be made for the User Experience Standards Category: Noting Paper A paper outlining a specific outcome or clarification that is being posted for noting Category: InfoSec Information Security Technical Working Group Decision Proposal Industry: All This proposal impacts the CDR as a whole (all sectors) labels Mar 17, 2023
@CDR-CX-Stream
Member Author

The noting paper for the consultation on offline customer authentication has been published and can be found in the original post.

@CDR-CX-Stream CDR-CX-Stream changed the title Noting Paper 296 - Placeholder Noting paper 296 - Offline Customer Authentication Mar 17, 2023
@CDR-CX-Stream CDR-CX-Stream changed the title Noting paper 296 - Offline Customer Authentication Noting paper 296: Offline Customer Authentication Mar 17, 2023
@CDR-CX-Stream CDR-CX-Stream changed the title Noting paper 296: Offline Customer Authentication Noting Paper 296 - Offline Customer Authentication Mar 17, 2023
@AGL-CDR

AGL-CDR commented Apr 13, 2023

Following on from a recent AEC-DSB forum that discussed this consultation, a number of participants voiced support for having the due date of the consultation extended to Friday 21st April. AGL is supportive of this delay as we consolidate feedback from around the business after the Easter break. Requesting that the DSB consider this request to delay, thank you.

@CDR-CX-Stream
Member Author

In response to community requests, this consultation will be extended to Friday 21 April 2023.

@anzbankau

We seek confirmation that the scope of this paper is restricted to offline energy customers only and that any redirect with OTP augmentation or deprecation considerations are in the context of offline energy customers only and are not relevant for other designated sectors.

Thank you for your assistance.

@CDR-CX-Stream
Member Author

Hi @anzbankau

The scope of this paper relates to the impacts and opportunities of augmentation/deprecation of the Redirect with OTP model, in particular in relation to offline customers.

At the moment, offline customers are only eligible CDR consumers in the Energy sector. The scope of eligible offline customers may change as new sectors are designated, or subject to rules changes.

Having said this, any augmentation or deprecation of the redirect with OTP model may be implemented across the CDR ecosystem, and as such will impact any other sectors where OTP is used. Therefore it may be beneficial for CDR participants in other sectors, including Banking, to review and contribute feedback to this paper.

@commbankoss

The CBA supports the ACCC’s current banking sector eligibility rules, namely that a customer must have online access to at least one account to be considered eligible. Given the highly sensitive nature of the data that can be shared under CDR we do not believe it is feasible to safely extend authentication to offline customers, particularly when the authentication factor is a phishable OTP.

@CDR-CX-Stream
Member Author

Thanks @commbankoss for your comment. To clarify, this paper is seeking input into the augmentation/deprecation of the redirect with OTP model only. This paper is not seeking to assess whether eligibility for offline customers should change or be extended.

We would welcome feedback on how any augmentation or deprecation of the redirect with OTP model might impact existing operations and to what degree. We also welcome thoughts on how OTP can be augmented to meet the required CL.

@AGL-CDR

AGL-CDR commented Apr 20, 2023

Thank you for the opportunity to provide feedback on Offline Customer Authentication. Please find AGL's submission in the attached pdf.
AGL - Offline Customer Authentication - 21 April 2023.pdf

@anzbankau

We are not supportive of offline customers being included in scope for the banking sector in the CDR and being able to authenticate, separate to any existing mechanisms that are in place today for customers. If this was to be changed, a full assessment of the mechanism for these customers to share would need to be performed at that time.

@CDR-CX-Stream
Member Author

Thank you to the responses provided by the community thus far. We would like to clarify that this noting paper does not seek to change the definition of eligible customers for the banking sector to include offline customers.

The DSB however welcomes any input banking sector participants may have on the impacts and opportunities regarding the augmentation or deprecation of the redirect with OTP (One Time Password) model, should they choose to provide it.

@NationalAustraliaBank

Hi @CDR-CX-Stream ,

As the banking sector has been invited to provide feedback (this week) as well on this topic, we will need some more time to discuss and analyse the impacts and opportunities regarding the augmentation or deprecation of the redirect with OTP (One Time Password) model. We are asking for an extension on this topic until the 28th of April 2023.

Yash

@CDR-CX-Stream
Member Author

In response to community requests, and with consideration to the upcoming Anzac Day public holiday, this consultation will be extended to Monday 1st May 2023.

@JohnMillsEnergyAustralia

Thank you for the opportunity for EA to provide feedback on Offline Customer Authentication.

The case for change here in April 2023 is not clearly evident.

All Energy retailers should be regulated to build to the same Customer Authentication standard and the same costs. (Key competitive neutrality principle)

With Action Initiation legislation now before Parliament, an uplift is expected in Customer Authentication to support payments and transactions arising from AI. To do so sooner is premature and may well risk omitting key use cases arising from AI standards development.

To undertake an earlier uplift in Customer authentication could incur costly duplicate build costs on the industry that are unnecessary if a sensible deferment is adopted.

Further, EA endorses many of the points made in the above AGL submission on this topic.

@NationalAustraliaBank

NAB supports the position of ANZ and CBA on offline customer access, considering the highly sensitive data sharing in the banking industry. Based on this position, any deprecation of the redirect with OTP model will impact the existing online customer authentication and consent flow. NAB believes the OTP model is still the most widely accepted authentication method for online customers (considering the security vulnerability of username/password). Therefore, NAB is not expecting a change to the OTP model for now, before a new/stronger authentication method is introduced (such as CIBA, but it will have less customer coverage compared with the OTP model).

@CDR-CX-Stream
Member Author

Thanks to those who have provided feedback so far. To clarify the purpose of this consultation, the DSB would like to emphasise that this noting paper:

  • is not proposing sector-specific authentication standards
  • is not proposing an authentication approach specific to offline customers
  • is not suggesting that changes to the eligibility rules are being considered for any sector

Rather, this paper is inviting views on:

  • the impacts of deprecating the redirect with OTP approach entirely, for all sectors, particularly with regard to offline customers who may only be able to authenticate using this approach today
  • or, how the redirect with OTP approach might be strengthened, or replaced, while still supporting authentication for offline customers

The DSB would also like to clarify that this consultation is happening as part of CDR authentication uplift work, including to support action - it is not proposing a separate, distinct, or earlier change.

@PratibhaOrigin

Thank you for the opportunity to provide feedback on this topic.

  • Origin concurs with the other participants and supports deferment of any changes to the redirect with OTP flow at this time.
  • Origin also understands the unique risk the energy industry is carrying with the redirect with OTP flow, especially with the major data breaches that have occurred in Australia, a risk we are actively monitoring.
  • Changing the flow at this time will result in duplicate costs, given the changes that will be needed to support Action Initiation and the changes that will be needed to comply with the regulation in the Telco sector.

@CDR-CX-Stream
Member Author

This consultation is now closed. Thank you to all who responded.

@CDR-API-Stream CDR-API-Stream added Status: Feedback Period Closed The feedback period is complete and a final decision is being formulated and removed Status: Open For Feedback Feedback has been requested for the decision labels May 2, 2023
@CDR-CX-Stream CDR-CX-Stream reopened this May 2, 2023
@CDR-API-Stream CDR-API-Stream added Status: No Decision Taken No determination for this decision has been made and removed Status: Feedback Period Closed The feedback period is complete and a final decision is being formulated labels Aug 28, 2023
@CDR-CX-Stream
Member Author

This issue has now been closed. The topic of offline customers will be consulted on as part of the ongoing authentication uplift work, which has now progressed into the decision proposal phase. Please see #326 and #327 for the ongoing consultations regarding authentication uplift.
