Consumer Experience (CX) Guidelines

Authenticate

This section covers the authentication stage. This involves a consumer verifying who they are with their data holder.
New URL (December 2, 2024)

The CX guidelines have been re-launched on a new domain: cx.dsb.gov.au

For more information, refer to Change log: Consumer Experience (CX) Guidelines


Overview

Authenticate is the second stage of The Consent Model.

The authentication stage involves a consumer verifying who they are with their data holder. This is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer. The standards support multiple authentication methods to give consumers a safe, familiar, and consistent experience while ensuring flexibility for data holders and recipients.

Redirect to App (R2A) provides a faster, safer, and more convenient way for consumers to authenticate when their data holder’s app is installed on their device. This app-based flow supports strong methods like biometrics and PINs, and must be implemented by data holders and data recipients by 10 May 2027.

As per the Fallback Authentication Framework, where Redirect to App cannot be used for the purposes of CDR authentication and Decoupled Authentication is not supported, data holders are required to continue supporting the Redirect to Web with One Time Password (OTP) flow. This ensures consumers can always complete the process by verifying their user identifier and entering a one-time code.

CX Guidelines for Authenticate

Redirect to App

Example of the flow where the consumer authenticates with the data holder’s app. Read more about Redirect to App.

Fallback Authentication Framework

Example of the flow when Redirect to App is unable to be used for the purposes of CDR authentication, and Decoupled Authentication is not supported. Read more about the Fallback Authentication Framework.

Redirect to Web with One Time Password

Examples of the flow where the consumer inputs a user identifier and uses a One Time Password to authenticate with a data holder. Read more about Redirect to Web with One Time Password.

Last updated

This page was updated Sep 22, 2025

Have your say

Community consultations and maintenance are part of our ongoing process. Here’s how you can get involved:

  • Request new Guidelines or changes to existing Guidelines through the CX Guidelines Consultation process
  • Request new Standards or changes to existing Standards through the Standards Maintenance process
  • Log a ticket for any questions about the rules, standards, or guidelines through the CDR Support Portal
  • Email your feedback to cx@dsb.gov.au

The Consumer Data Standards Program is part of Treasury. Copyright © Commonwealth of Australia 2023. The information provided on this website is licensed for re-distribution and re-use in accordance with Creative Commons Attribution 4.0 International (CC-BY 4.0) Licence.
In the spirit of reconciliation, the Data Standards Body acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respect to their Elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples.