Decision Proposal 062 - Authorisation Flows #62
Comments
JamesMBligh
added
Status: Proposal Pending
|
The decision proposal has now been published for feedback. -JB- |
JamesMBligh
added
Status: Open For Feedback
|
The way this proposal is written it dictates that the authentication happens within the current online channel/s - "Data Holders MUST support the completion of authorisation via the various digital channels they offer that Customers would reasonably expect to use on a regular basis.." Up to this point we had assumed that the requirement was that the authentication and authorisation should happen in an application that looked and felt like the pre-existing digital channels, and in the same manner as the pre-exiting digital channels, but may or may not actually be a part of the pre-existing digital channel/s. Why has the way the solution is to be delivered been restricted in this manner rather than just being expressed in terms of requirements? There are potentially (CX) issues in sending the customer into their online banking to consent (consent being an ephemeral activity that is only required as part of a flow launched via the recipient and not to be used otherwise) and there are potentially benefits where many brands/channels exist in seeking a solution outside the various current channels that can be used/reused by all channels. |
|
We have developed a draft sequence diagram (below) based on our current interpretation of the information security standard. Based on this interpretation of the standard we have the following remarks and questions:
Sequence diagram
|
|
Hi @Mekaal, the proposal is being expressed in terms of requirement. The requirement is that authentication happens via a channel a customer is familiar with. This has been consistently expressed and has been in direct response to concerns regarding phishing raised by the Banking sector as well as customer advocacy groups. If the restriction was relaxed to allow for an app that looks like the Bank’s authentication flow but is actually a different app then we are explicitly opening the potential for phishing attacks. That is usually what a phishing attack is. An app that looks like a bank app but isn’t. -JB- |
|
In response to @WestpacOpenBanking:
Thanks. Nice diagram. Do you mind if I reuse it with amendments as appropriate? I'll address this in the thread for proposal 064.
Step 22 isn't currently required by the proposal (for all of the reasons stated). There is a specific requirement (below) that requires the recipient to honour a redirect sent from the known channel even if this occurs on a separate device.
The CX team will be testing this flow with customers to assess if there are additional CX issues that need to be addressed.
This is an interesting one. I'm not sure anyone has raised this concern before. I don't believe the current proposals would have an issue with this, however. These will still be setup by the recipient during registration. This registration will be with the ACCC Register and the holders will then obtain this information consistently from the register.
This is not precluded by the rules and is specifically encouraged by the extensibility model adopted very early in the process of standards development. I hope that addresses everything. -JB- |
|
We are happy for Data61 to use the diagram as appropriate with amendments. We will email the source used to generate both the diagram above and the diagram below. In the meantime, we have been considering scenarios errors might occur in the proposed flow and have some minimal changes that the community and Data61 may wish to consider. These haven’t been security assessed by us and don’t constitute a recommendation – we still believe that use of a consent resource is the most likely to result in a robust experience for customers, especially where errors occur. Modified sequence diagram incorporating these minimal changes:
|
|
Hybrid Flow As part of the initial CDR release, NAB is comfortable overall with the Hybrid Authorisation flow with redirect to known channel. From a security perspective, the hybrid redirect flow allows for active monitoring of fraud that other methods may not cater for today. We understand there are CX/UI implications that may not be sustainable in the foreseeable future such as real-time handling of decoupled authorisation requests from multiple signatories. To ensure the solution provides a desirable and usable customer experience that also balances security requirements, we reiterate that a collaborative workshop is required with the CX / UI and Technical streams along with the industry participants. We expect Data61 to provide a formal, up-to-date detailed sequence diagram flow. Consent As previously mentioned on DP#64, NAB strongly opposes the implementation of a solution that consolidates identity management and consent / permission management. In addition to the points previously articulated, there is a risk that the proposed solution exposes unknown security vulnerabilities. NAB supports best practices as seen in the UK implementation, which separates these security and business concerns, and expects that due-diligence Security Assurance activities on the proposed solution are performed. |
|
Priviti has created an Open Standard Consent API, that we are making available as a proposed standard as part of this process. A Consent API has been called out by us previously as being a necessary step to ensuring a separate Consent framework is adopted across the industry to support Consents for Data Sharing. With the delay in drafting the standards, there should be plenty opportunity to fully test and adopt a Consent API that support the points raised above and in DP#64 Consent is a crucial element of CDR and Open Banking and as a representative of the Fintech, RegTech , AIIA and startup community we are confident in the benefits Consent can provide to a Consumer. Acknowledging we also have a conflict in participating (as we have invented a Consent API that we would like tested as a standard), however, that’s not our only reason for participating here. As an advocate for the industry and consumer choice, explicit Consent and Consent identifiers are crucial to effect data sharing agreements between organisations and will also help us to participate in current and future global standards, as evidenced through the adoption of GDRP, PSD2, MifIID by overseas and local entities. Consent goes to the heart of CDR and the Open Banking initiative and the valid issues raised in this and other threads, should not be overlooked or left until later. The Consent API has been adopted (after the fact) in the UK and is working well for participating entities. We should be ahead of the world here and have an opportunity (and time) to collaborate and get it right now. Anything other than a detailed evaluation around the implementation of a Consent API falls short of what we feel those in the industry and our consumers are expecting. We would like to participate in a testing regime during the standard evaluation period that supports the adoption of a Consent API framework as proposed by NAB, Westpac and others and shared openly by us on Gitlab (PM me for details and access) |
Sorry, but point of order here. "Shared Openly" and then "PM me for .. access". We welcome all of the valuable feedback you and others have provided but these two statements are contradictory. Can you provide a link to where I can find a swagger spec? Open is not open if it's an invite only party. |
It's a fair point you raise and I'm glad you did. There are 31million users on Github so forgive me I wasn't intentionally misleading but by 'Open' I didn't mean that we would feel comfortable sharing the API and IP with the whole world. We would happily share it with you and those involved in this program. If you PM me for access I will give you a link to login to review the swagger files. If we get a project kicked off we can open the kimono to an offline closed working group to tear into with a view to developing the new Australian Consent standard. We think there is an opportunity to create new standards from this exercise (in fact we think that's the whole point) and we think we've got something that will help in relation to creating a Consent framework. We also think there is value in what we have created so don't want public access until all the standards bodies in different regions have done their own due diligence and established their own standards. We're not a bank and don't have those kind of resources. If you're interested have a look at how Barclays have done it Barclays Consent API or via the UK sandbox here |
|
On a point of information, there's no such thing as a Barclays consent standard. Barclays adopted the OB consent standard which was developed in a completely open and unrestricted manner, with many open meetings and cycles of feedback. The most up to date version is at https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1077805332/Account+Access+Consents+v3.1.2 The idea of an 'Australian' technical standard where there are elements which have no jurisdictional bearing is difficult to understand. Where possible, global standards should be able to converge - FAPI and SWIFT being two key examples. In any event an open process will have the greatest likelihood of collaborative efforts which result in a high quality output. Finally, APIs which are to be offered and consumed by a wide audience shouldn't be considered IP or hidden. The examples in market which are consumed at scale (Stripe, Paypal, eBay etc) are completely open and have supporting (and freely accessible test facilities. |
|
The 'UK Sandbox' is available at https://backstage.forgerock.com/knowledge/openbanking/home/g82455974 |
ok this is going wrong.. this isn't about Priviti (we're not a bank, ebay or Stripe) use our Consent API or not or another one I'm not bothered. The point we (and others) were trying to make was that there needs to be a Consent API and there currently isn't one and we feel that's a mistake. |
|
I really appreciate your input @DermotMcCann on this topic. Specialists in areas impacting the standards are usually strong and effective voices during consultation. All comments on this topic are very welcome. As the topic of the consent API is a recurring theme in feedback it is probably a good idea for reasoning behind the current position to be outlined.
Taking these points into account, if we adopt a consent API now we will be pinning ourselves to a specific position just before a relevant open standard is likely to emerge without any functional requirement to do so. The position in the current proposal does not exclude the addition of a consent API in the future when a standard has emerged with commensurate vendor support and/or a specific need presents itself. This position is compliant with the following design principles:
In summary, the current position is: a consent API is a good idea but should be considered in a future iteration of the standards, not version 1. I hope that helps clarify the position somewhat. As always, feedback is welcome. -JB- |
|
James, the text reads "Data Holders MUST apply a timeout of five minutes for the completion of the volitionary action by the customer of authenticating in an existing channel." Can you please clarify what is the start of the five minutes - is it the customer authenticating a session in an existing channel, or other (eg receipt of the original request, capture of the username)? |
|
Hi @Mekaal, I wasn't specific because this could depend on variations arising the CX guidelines but an initial expectation is that the five minutes is initiated once the customer enters their ID in the redirected page and would be fulfilled once the same customers completes authentication in a known channel. Is this the clarification you are looking for? -JB- |
|
That’s good - thanks
|
|
|
Thanks for all of the feedback. By request this issue will be kept open for further consultation until mid week. |
|
CBA continues to recommend the use of de-coupled (non-redirect) authorisation approach rather than “redirect with known channel” (redirect) approach. We believe the redirect approach significantly increases the phishing risk to consumers by creating new opportunities for highly adaptive cyber criminals to create new phishing scams. In addition, we believe the redirect approach will contribute to a less secure ecosystem as consumers will become conditioned to trusting URLs to which they are redirected by a third party. While it is impossible to fully guarantee consumer safety online, Commonwealth Bank believes that the decoupled approach is significantly more secure for consumers than the redirect approach. Furthermore the Decision Proposal states that “Data Holders MUST support the capture of the Customer’s username via the redirected page. We understand this username to be the same identifier the Customer would normally use for other digital channels provided by the Data Holder.” CBA strongly opposes the use of unique banking identifiers by consumers for any purpose other than accessing online banking services to protect against future phishing attacks. CBA believes that a decoupled approach will not lead to a significant compromise on CX. Rather the proposed redirect model may actually increase the risk of consumer ‘drop out’, since there are more steps involved. We welcome further discussion with all parties to identify the most secure solution for consumers. |
|
Thanks for the feedback. This is all very useful and will be reviewed internally with a view to determining a path forward. I'll be closing down feedback on this thread. Any additional feedback or points of clarification can be posted on the current open thread for feedback (#67) |
JamesMBligh
added
Status: Feedback Period Closed
JamesMBligh
added
Status: Decision Made
|
Please find attached the final decision covering this issue |
This issue has been opened to capture, document and obtain feedback on a subset of the Information Security profile for the CDR regime with a view to finalisation and endorsement by the Chair of the Consumer Data Standards body.
This issue is specifically related to the authorisation flow for the regime.
The decision is published below and will be open for feedback until the 17th May:
Decision Proposal 062 - Authorisation Flow.pdf
The text was updated successfully, but these errors were encountered: