
Decision Proposal 327 - Authentication Uplift Phase 1 #327

Open
CDR-API-Stream opened this issue Aug 29, 2023 · 22 comments
Labels
Category: CX A proposal for a decision to be made for the User Experience Standards Category: InfoSec Information Security Technical Working Group Decision Proposal Industry: All This proposal impacts the CDR as a whole (all sectors) Status: Feedback Period Closed The feedback period is complete and a final decision is being formulated

Comments

@CDR-API-Stream
Contributor

CDR-API-Stream commented Aug 29, 2023

Please find attached a decision proposal on authentication uplift. This decision proposal will cover the first tranche of authentication uplift (Phase 1) and is seeking preliminary feedback that will then be consulted on in detail in a series of subsequent decision proposals.

This consultation will be open for feedback until 15 November 2023.

Update: 16 October 2023
This consultation has been extended for feedback until 15 November 2023.
This consultation will be open for feedback until 24 October 2023

Update: 3rd October 2023
A corrected version has been published: Corrected - Decision Proposal 327 - Authentication Uplift Approach.pdf

@CDR-API-Stream CDR-API-Stream added Status: Proposal Pending A proposal for the decision is still pending Category: CX A proposal for a decision to be made for the User Experience Standards Category: InfoSec Information Security Technical Working Group Decision Proposal Industry: All This proposal impacts the CDR as a whole (all sectors) labels Aug 29, 2023
@CDR-API-Stream CDR-API-Stream added Status: Open For Feedback Feedback has been requested for the decision and removed Status: Proposal Pending A proposal for the decision is still pending labels Sep 25, 2023
@CDR-CX-Stream
Member

A decision proposal for authentication uplift has been published in the original comment.

This consultation will be open for feedback until 24 October 2023.

@CDR-API-Stream
Contributor Author

Update: 3rd October 2023

Please note that the version of this DP published on September 26 contained two incorrect recommendations in the summary section and one incorrect wording for the proposed levels of assurance changes. The document also contained minor typographical errors. These have been corrected in the version attached.

Primary changes to this version are as follows:

Section 2, Summary of key recommendations

DELETE

  • Replacing Level of Assurance (LoA) as defined in the Data Standards, with Identity Proofing Levels (IPL), as defined in TDIF
  • Introducing IPL 4 that maps to the TDIF Credential Level (CL) CL3

INSERT

  • Introducing a Level of Assurance LoA4 that maps to the TDIF Credential Level (CL) CL3
  • Recommend Data Holders support at least LoA3 for read access commensurate to existing digital channels

Section 2, Purpose of this consultation

Added a qualifying statement.

INSERT

As per Rule 8.11(1)(c)(i), the Data Standards Chair has an obligation for the “authentication of CDR consumers to a standard which meets, in the opinion of the Chair, best practice security requirements”.

Section 5.1.1

DELETE

  • Introduce an Identity Proofing Level of Assurance (IPL) 4 represented by the URI: urn:cds.au:cdr:4 where authenticators used to attain this level MUST conform with the TDIF Credential Level CL3

INSERT

  • Introduce a Level of Assurance LoA 4 represented by the URI: urn:cds.au:cdr:4 where authenticators used to attain this level MUST conform with the TDIF Credential Level CL3

26th September 2023
The superseded version is available here:
Decision Proposal 327 - Authentication Uplift Approach.pdf
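The corrected recommendation above expresses each Level of Assurance as an `acr` URI (`urn:cds.au:cdr:4` for the proposed LoA 4) and recommends at least LoA 3 for read access. The following is an added example, not code from the Data Standards Body or any submission on this thread, of how a data recipient might enforce such a minimum on the `acr` claim of an already signature-validated ID token. It assumes the existing `urn:cds.au:cdr:2` and `urn:cds.au:cdr:3` values alongside the proposed `urn:cds.au:cdr:4`; the `write` minimum of LoA 4, the operation names and the sample claims are constructed for illustration.

```python
import re
from typing import Mapping, Tuple

# acr values in the CDR Data Standards use this URN shape; LoA 4 is the value
# proposed in DP 327. Assumption: no other shape is accepted.
_ACR_RE = re.compile(r"\Aurn:cds\.au:cdr:(\d+)\Z")

# Levels this checker recognises. Anything else is rejected rather than
# guessed at, so an unexpected value fails closed.
KNOWN_LOAS = frozenset({2, 3, 4})

# Minimum LoA per operation class. "read" -> 3 follows the proposal's
# recommendation; "write" -> 4 is a hypothetical policy for illustration.
MIN_LOA_FOR_OPERATION = {"read": 3, "write": 4}


def parse_cdr_loa(acr: object) -> int:
    """Return the numeric LoA carried by a CDR acr URN, or raise ValueError."""
    if not isinstance(acr, str):
        raise ValueError("acr claim is not a string")
    match = _ACR_RE.match(acr)
    if match is None:
        raise ValueError(f"acr {acr!r} is not a urn:cds.au:cdr:<N> value")
    loa = int(match.group(1))
    if loa not in KNOWN_LOAS:
        raise ValueError(f"acr {acr!r} names an unrecognised LoA {loa}")
    return loa


def acr_satisfies(acr: object, required_loa: int) -> bool:
    """True when the asserted LoA is at least the required one.

    Malformed or unrecognised values satisfy nothing."""
    try:
        return parse_cdr_loa(acr) >= required_loa
    except ValueError:
        return False


def check_id_token(claims: Mapping[str, object], operation: str) -> Tuple[bool, str]:
    """Decide whether the authentication level asserted in ID token claims is
    sufficient for `operation`.

    `claims` must come from an ID token whose signature, issuer, audience and
    expiry have already been validated; only the acr claim is evaluated here."""
    if operation not in MIN_LOA_FOR_OPERATION:
        raise ValueError(f"no LoA policy defined for operation {operation!r}")
    required = MIN_LOA_FOR_OPERATION[operation]
    acr = claims.get("acr")
    if acr is None:
        # An absent acr says nothing about how the consumer authenticated,
        # so it cannot satisfy a minimum.
        return False, f"acr claim missing; LoA {required} required for {operation}"
    try:
        asserted = parse_cdr_loa(acr)
    except ValueError as exc:
        return False, str(exc)
    if asserted < required:
        return False, f"acr asserts LoA {asserted}; LoA {required} required for {operation}"
    return True, f"acr asserts LoA {asserted} (>= {required}) for {operation}"


# Constructed sample claims; not taken from any real Data Holder.
SAMPLE_CLAIMS_LOA3 = {"iss": "https://dh.example", "sub": "consumer-123", "acr": "urn:cds.au:cdr:3"}
SAMPLE_CLAIMS_LOA4 = {**SAMPLE_CLAIMS_LOA3, "acr": "urn:cds.au:cdr:4"}
SAMPLE_CLAIMS_NO_ACR = {"iss": "https://dh.example", "sub": "consumer-123"}

if __name__ == "__main__":
    for label, claims in (("LoA3", SAMPLE_CLAIMS_LOA3),
                          ("LoA4", SAMPLE_CLAIMS_LOA4),
                          ("no acr", SAMPLE_CLAIMS_NO_ACR)):
        for op in MIN_LOA_FOR_OPERATION:
            ok, reason = check_id_token(claims, op)
            print(f"{label:7} {op:5} -> {'allow' if ok else 'deny '}: {reason}")
```

The check treats a missing, malformed or unrecognised `acr` as a denial rather than defaulting to the lowest level, because the claim is the only evidence of how the consumer authenticated; a future `urn:cds.au:cdr:5` would be rejected until the policy table is updated deliberately.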

@biza-io

biza-io commented Oct 12, 2023

Due to November 1 delivery Biza requests this consultation be extended by 3 weeks to 15 November 2023.

@AusBanking3

The ABA kindly requests an extension to this consultation to be able to provide valuable feedback. We are requesting an extension of 3 weeks with a due date of 15 November. The ABA requires more time for this consultation to review the proposed changes due to their complex nature. Additionally, our members, alongside the ABA, have been very busy reviewing and collating feedback for 4 other concurrent CDR consultations:

  1. Expansion to non-bank lending,
  2. Consent Review,
  3. Operational Enhancements and
  4. Screen scraping.

@CDR-API-Stream
Contributor Author

Hi @biza-io and @AusBanking3, thank you for your feedback. The consultation will be extended until 15 November as per your request.

@CDR-Engagement-Stream

CDR-Engagement-Stream commented Oct 17, 2023

The team have put together an overview video to introduce Decision Proposal 327.

Edit: new link to an updated video with Noting Paper 326 reference.

@cuctran-greatsouthernbank

cuctran-greatsouthernbank commented Nov 7, 2023

Please find the feedback from Great Southern Bank attached.
Feedback regarding Decision Proposal 327 Authentication uplift phase 1 - Great Southern Bank.pdf

@CDR-API-Stream
Contributor Author

Please find the feedback from Great Southern Bank attached. Uploading Feedback regarding Decision Proposal 327 Authentication uplift phase 1 - Great Southern Bank.pdf…

Hi @cuctran-greatsouthernbank, it appears as though your upload didn't work. Could you please edit your comment and try uploading your feedback document again?

@cuctran-greatsouthernbank

Please find the feedback from Great Southern Bank attached. Uploading Feedback regarding Decision Proposal 327 Authentication uplift phase 1 - Great Southern Bank.pdf…

Hi @cuctran-greatsouthernbank, it appears as though your upload didn't work. Could you please edit your comment and try uploading your feedback document again?

thanks for letting me know. I reuploaded the file in the original comment now.

JamesMBligh added a commit that referenced this issue Nov 10, 2023
…-bank-lending-2

Updates to NBL Draft Standards
@TT-Frollo

Please find attached Frollo's comments.
Decision 327 Authentication uplift Frollo Comments TT.docx

@WestpacOpenBanking

Please find feedback from Westpac attached.
Decision Proposal 327.pdf

@AGL-CDR

AGL-CDR commented Nov 14, 2023

Please find AGL's response to the consultation attached.
AGL Response to Decision Proposal 327_ Authentication Uplift Approach.pdf

@paige-skript

Please find Skript's feedback attached.
Skript_Feedback_DP327_Auth_Uplift_Phase_1.pdf

@TT-Frollo

One additional comment. Changes that impact either DCR or a consent must be tested with over 100 DHs. In the banking sector it also means having a production account at each bank, which as an ADR is not practical to do. A solution to this needs to be discussed.

@anzbankau

ANZ's feedback on this DP:
ANZ feedback on DP327 - Authentication Uplift Phase 1.pdf

@biza-io

biza-io commented Nov 15, 2023

Due to ongoing operational workload associated with recent November 1 changes, Biza requests a further small extension through to Friday 17 November. We appreciate the Data Standards Body's understanding.

@commbankoss

@CDR-API-Stream
Contributor Author

Due to ongoing operational workload associated with recent November 1 changes, Biza requests a further small extension through to Friday 17 November. We appreciate the Data Standards Body's understanding.

Hi @biza-io, we appreciate the current workload for participants, particularly in the Energy sector. This consultation shall be left open until the end of this week.

@CDR-API-Stream
Contributor Author

With permission from the Australian Banking Association, their submission has been uploaded on their behalf.

20231115 - ABA Submission - Authentication Uplift.pdf

@dpostnikov

In my personal opinion, this proposal is mixing different issues together (weak CDR authentication and inflexible requirements to support it, inability to do x2app and decoupled flows, etc.) and patches these "symptoms" as opposed to fixing the root cause.

As a result, the recommendations produced will be difficult to implement for all existing and future data holders. And some recommendations just will not work and/or will contradict other regulations and practices.

If we fix the root cause we can solve most of the issues and limitations that we are experiencing now.

Root cause

There should not be a CDR Authentication method separate from a regular Data Holder authentication. We should not be focusing on CDR Authentication uplift but on moving back to Data Holder authentication.

Most open data ecosystems use existing authentication methods familiar to their customers.

Main recommendation: Move to existing data holder authentication mechanisms.

This will simplify the CDR ecosystem significantly and will increase adoption of the CDR because it will allow for:

  • Increased trust in the ecosystem by using customers’ familiar authentication methods via familiar channels.
  • Simplification of user experience by enabling industry standard based x2web, x2app and decoupled flows.
  • Reduction of friction by removing custom and clunky and out-of-date authentication experiences.
  • Utilisation of risk-based fraud detection tools, wide range of fraud signals and, in general, allow for further innovation in authentication space. Even SSO question raised somewhere else will be answered then.
  • Reduction of compliance costs and re-use of existing infrastructure.
  • Immediately, even without any additional requirements, authentication across the industry for CDR flows will be uplifted (in comparison with current weak OTP mechanism), stronger customer authentication will be allowed without DSB needing to specify it, e.g.: FIDO software and hardware authenticators, passkeys, SSO.

Note 1: On the CDR implementation call last week, Mark confirmed that this is aligned with DSB intent, but the proposal doesn't spell it out explicitly. This should be one of the key guiding principles.

Note 2: It doesn't prevent adding additional minimal requirements for certain types of functionality in the future. In fact, it makes it simpler to build upon.

Note 3: Of course there should be special consideration for non-digitally active customers.

To summarise, just by focusing on moving back to existing data holder authentication, DSB would be addressing most of their key outcomes targeted.

Additional recommendation: After implementing the main recommendation above, conduct further consultation on whether there are any additional requirements for certain use cases or certain industries, and on the best way to implement them.

In general, it is great to encourage data holders to improve their authentication but there are a lot of questions that need to be answered before designing and prescribing a solution, for example:

  • Are there any additional requirements if we move to regular Data Holder Authentication?
  • For which use case and for which industries?
  • Determine who is the right body to prescribe these authentication requirements. Perhaps these additional requirements should be driven by the relevant industry bodies (banking, telecommunications, payments, energy providers, etc.).
  • What frameworks are suitable to describe them? E.g. both NIST and TDIF are not suitable to represent the authentication space adequately, and both are evolving as we speak.
  • Provide conformance mechanisms to guarantee that data holder can achieve required level of assurance (e.g., TDIF accreditation).
  • Conduct security analysis of the proposed changes.  This will be very different from other security reports assuming the main recommendation above is implemented.

Note 4: I would recommend removing TDIF references from the CDR standards until all these questions are answered.

Otherwise, this creates more confusion for implementers.

@biza-io

biza-io commented Nov 17, 2023

Biza.io thanks the Data Standards Body for its understanding. Please find attached our response to the above proposal.
DP-327 Authentication Uplift Response.pdf

Edit: Apologies, very minor typo from final drafting fixed.

@CDR-API-Stream
Contributor Author

This consultation is now closed. Thanks to everyone for engaging and providing comprehensive feedback. Responses will be reviewed and considered.
