Executive Summary
This report contains findings and recommendations from the second round of CX research conducted as part of the Authentication Uplift project. Round 2 focussed on ‘App/Browser-to-App with Biometric’ and ran in November 2022. The purpose of the research was to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective is to give consumers more choice and freedom when authenticating with data holders, while maintaining financial-grade security. Round 1 was conducted in September 2022 and benchmarked the existing ‘Redirect with One Time Password (OTP)’ model.
In total, 90 consumers participated in round 2 research; 10 consumers participated in 1:1 interview sessions which ran for an hour and a half each and 80 consumers participated in unmoderated prototype tests which ran for half an hour. App-to-app and Browser-to-App prototypes were used to facilitate discussion and generate insights in relation to the authentication models shown, as well as to authentication more generally.
Consultation
This project relates to NP280 which is open for consultation from 14 December 2022 to 27 January 2023.
Context
The authentication stage is the second step in The Consent Model and involves a consumer verifying who they are with their Data Holder (DH). This step is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.
Authentication in the CDR regime is limited to a single, consistent authentication model, referred to as the 'Redirect with One Time Password' flow. No other flows are currently supported. ‘Redirect with One Time Password’ was tested in June 2019 against two other models, ‘Redirect to Known’ and ‘Decoupled’, and was found to be the authentication model preferred by research participants. The outcomes can be accessed in the Phase 2 Stream 3 report.
This research has been informed by the following:
- In December 2021, the Government noted support for the Inquiry into Future Directions for the CDR’s recommendation to review the approach to authentication. The Inquiry stated that ‘the convenience and consumer experience of different authentication mechanisms should be considered’ when assessing how to expand CDR authentication support.
- The Independent Information Security Review published in July 2022 separately highlighted that the current approach to CDR authentication does not meet minimum security requirements, and adjustments are warranted.
- The CDR community have also requested changes to the current CDR authentication model, which the DSB is considering as part of this work (see CR405, CR554 and CR542).
- Decision 182 – Information Security Uplift for Write (also known as action initiation). This consultation sought community input on how the information security profile might evolve to explicitly support write operations.
Findings
The research found that biometric authentication methods (such as FaceID) were not as widely accepted as the research team had initially anticipated, although all 90 participants were familiar with them and most used them regularly. In some use cases participants preferred biometrics over traditional passwords because of their uniqueness and inherence, but only in scenarios where little or no risk attached to a successful authentication. As in Round 1, there was general agreement that authentication should adapt to the scenario (for example, accessing sensitive versus non-sensitive data), but not all participants shared this view. Those who did not were not suggesting that less-sensitive data (such as telco or energy data) warranted weaker authentication; rather, they expected all of their data to be kept secure and private. Many participants expected a standardised approach to authentication, with consistent, strong authentication required to log in irrespective of the use case or the sensitivity of the data. Participants unanimously preferred multi-factor authentication (MFA) over any model that authenticates with a single factor.
Of the two-factor authentication (2FA) use cases tested (FaceID + OTP, FaceID + PIN), the research team observed a preference for step-up authentication, in which the second factor is requested only when the risk profile or sensitivity of the action increases. Some participants found back-to-back authentication, which asks for two factors in a row at login, overwhelming; step-up was perceived as the gentler approach and read as a confirmation of an action, leaving participants feeling confident and in control. This is covered further in Insight 7 of this report.
Participants raised several issues with being redirected from a consumer app or website to a Data Holder app for authentication and authorisation. Several said that in the real world they might flag an automatic redirection as a suspicious “phishing attempt” if they had not yet established trust with the brand. Participants also said they would feel more in control if there were an alert, such as a push notification or a call-to-action button, before moving over to their Data Holder app rather than being redirected automatically, especially where FaceID was the single authentication factor. Several participants had previously authenticated with FaceID unintentionally simply because they were looking at their phone when the prompt appeared. Lastly, where a biometric was used as the single factor, participants wanted more friction as the risk of the action increased.
The research found that, while the scores were not significantly different, redirecting to a DH app from an ADR app was considered more trustworthy and attracted slightly higher participant confidence than redirecting from a browser-based website. This holds only for apps downloaded from a reputable source that already carry user trust and confidence, which makes it a strong option for the banking sector in particular, since many participants had installed and regularly used their bank's mobile app. Where a participant did not have the Data Holder's app installed, there were two groups of expectations: the first that the user would be taken to a browser to authenticate on the web version of the service, and the second that they would be taken to the App Store or Google Play to download the app.
Accessibility and inclusivity continue to play a key role in how users authenticate to a platform. This round also found participants advocating for a risk-based model to protect vulnerable consumers such as those who experience Domestic and Family Violence, as there is a risk of one party taking on debt without their knowledge, or coerced consent.
We explore these findings in depth throughout this report and provide some early-stage, high-level recommendations in the Summary section.
Research artefacts at a glance
The following artefacts have been produced following the research and represent our findings. Each artefact is explored in further detail in the Research Outputs section of this report.
- Global Performance
- Consumer Behavioural Archetypes
- System Usability Scale (SUS)
Project goals
This research project aimed to:
- Identify appropriate authentication models to support in the CDR;
- Provide CX input to the authentication framework to assess incoming/supported models;
- Strike a balance between security, consumer experience and value delivery;
- Help organisations provide intuitive, informed, trustworthy consent experiences with positive outcomes.
Research Objectives
- Understand current consumer behaviours, pain points and needs regarding authentication
- Identify appropriate consumer experience criteria and metrics to assess authentication models
- Inform the development and proposal of new standards, and/or the revision of existing standards
- Identify appropriate models to be considered for adoption that are interoperable, flexible and adaptable
- Uplift authentication standards to offer improved experience, choice, convenience, inclusivity and security as well as alignment to consumers' existing digital experiences
- Understand how consumer behaviour/attitude may shift for different use cases (e.g. banking vs energy) using the same authentication method
- Explore the impacts of different elements and mechanisms
Hypothesis
1. Authenticating without needing to recall or manually enter information is preferred by users
2. A familiar authentication method is perceived as more intuitive and will increase the likelihood of task completion
3. If a user is informed of the next steps and contextual requirements of an authentication flow, then they will feel more comfortable and in control
4. Informed user authentication can be supported by stating the purpose and outcome of the authentication. ("Why and what for?")
5. The model meets or exceeds the user's expectations of friction, security and experience
Consistent with Round 1, hypotheses 1-4 were largely validated by the research. Hypothesis #5 was validated in some use cases, but not in others. The use cases which involved a second factor of authentication as well as a Biometric method exceeded user security expectations, but failed to meet expectations in scenarios where Biometric was used alone.
Research Approach
The following 4 major components of authentication were explored:
- Channel: This is the channel where authentication is performed. For example: mobile, desktop, kiosk etc.
- Modality: Modalities are the inputs used for authentication. For example: Biometric, Pin code etc.
- Authentication method: This is the category of factor by which authentication is performed. Of the many possible factors, these three are the most widely recognised:
- Knowledge-based: Something the user knows, such as a password or the answer to a security question
- Inherence-based: Something that the user is, as represented by a fingerprint or iris scan
- Possession-based: Something the user possesses such as a one-time password generator, certificate, or smart card
- Notification method: This is the different ways a user is alerted about the authentication requirement. For example: Push notification, Email notification etc.
Combination of elements tested in Round 2
| Channel | Modality | Notification method | Authentication method | Elements of authentication |
|---|---|---|---|---|
| App-to-App | Biometric only | Push | Inherence | Something the user is (FaceID) |
| App-to-App | Biometric + OTP (step-up) | Text/SMS | Inherence + possession | Something the user is (FaceID); something the user has (phone/OTP) |
| Browser-to-App | Biometric only | Push | Inherence | Something the user is (FaceID) |
| Browser-to-App | Biometric + PIN (back-to-back) | Push | Inherence + knowledge | Something the user is (FaceID); something the user knows (PIN) |
Use cases
The research team developed 2 use cases that would be tested across 4 different user flows. The use cases included:
- Getting indicative interest rates for a car loan through a fictional non-bank lender called “Lendify” [ADR]. The participant was told they bank with a real-world Data Holder (DH).
- Comparing telco plans from various providers using a fictional comparator service called “TelCompare” [ADR] to get a better deal on home internet. The participant was told their provider was a real-world DH.
Each of these two use cases was then expanded into two user flows: the first with the ADR experience on a website (“Browser-to-App”), and the second with the ADR experience in a mobile app (“App-to-App”). This resulted in four prototypes, which were tested with research participants and are broken down below:
NB: All of the following flows involve a user authenticating in their Data Holder’s app, and assume the DH app has been pre-installed and previously used on the device.
App-to-App
Banking: User gets indicative interest rates using the Lendify app and shares data from a real-world DH.
Telco: User compares their home internet plan with more competitive telco providers on the market, using the TelCompare app.
Browser-to-App
Banking: User gets indicative interest rates using the Lendify website and shares data from a real-world DH.
Telco: User compares their home internet plan with more competitive telco providers on the market, using the TelCompare website.
Use case 1 (Banking)
Use case 2 (Telco)
Methodology
Data was collected at various points in the research. The research team conducted both moderated and unmoderated testing sessions, both feeding into the final outputs. In moderated sessions a moderator guided participants through the tasks; unmoderated participants completed the test independently, as they would in a natural environment.
Moderated sessions: 1-on-1 interviews
- Number of participants: 10
- Activities: Screener, Interview, Prototype test, In-depth interview, Post-task Survey
- Duration: 1.5 hours
Unmoderated sessions: Maze Online platform
- Number of participants: 80
- Activities: Screener, Prototype test, Post-task Survey
- Duration: ~30 minutes
Research Findings & Insights
Research findings and insights include key observations and themes identified during moderated research sessions, supported by participant quotes. Some findings may go beyond the scope of the research topic, but have been included for completeness. Recommendations to uplift the CX may also be included – though this has not been the focus for the research team – as the goal is to identify appropriate authentication models for the CDR.
1. Findings from Round 1 are reaffirmed
The second round of research further validated all findings generated in the first round of research. We’ve explored how they manifested in round 2 below:
- Friction is multifaceted: Round 2 finding “2. Biometric authentication is still maturing” validates this finding, shedding light on the unhealthy friction users experience with Touch ID or FaceID.
- Secure authentication goes beyond just logging in: in Round 1 we explored user desires for features such as automatic logout. Round 2 finding “6. Control is found through self-initiated action” gives credence to this and provides more detail about the kinds of controls that contribute to positive user experiences.
- Authentication through a generational lens: whilst not a major recurring theme, generational perspectives appear in Round 2 insight “2. Biometric authentication is still maturing”, which found that older participants typically mistrust or dislike biometric forms of authentication.
- Users rely on visual trust markers: this insight is implied throughout the Round 2 exploration rather than explicitly validated. We know the indicators and triggers that users return to time and again to verify the integrity and trustworthiness of an app or website.
- OTP is known (and trusted) as a second factor: several new Round 2 insights speak to this, particularly “7. Step up authentication feels good”, with users viewing biometrics as a first factor when paired with a second factor such as an OTP or PIN.
- Users trust established brands, but expect more from them: like the visual trust markers insight above, this still rang true in Round 2 as a belief users hold unconsciously and inherently.
- Users perceive multi-factor adaptive authentication as the norm: this was demonstrated further in Round 2 insights “7. Step up authentication feels good” and “4. Access to one is access to all”.
2. Biometric authentication is still maturing
Our findings revealed that all participants were familiar with biometric methods of authentication, though many participants, particularly those in older generations, either did not have devices that support fingerprint or FaceID or, more commonly, did not trust the method. This mistrust is partly driven by recent data breaches.
User attitudes toward biometric authentication walk a line between convenience and frustration. Several participants cited frustrations with biometric methods for various reasons. The most commonly raised issues were physical: wet hands, face masks or glasses preventing successful verification. The other was accidental verification: opening apps or actioning tasks simply by looking at the device when the biometric prompt appeared, without intending to authenticate. Participants who had experienced accidental facial authentication expected a secondary method such as a PIN, a theme that reappeared throughout the prototype testing, with many participants expecting a second verification to access data or confirm actions.
While the majority of participants were familiar with using Fingerprint or FaceID to access their smartphones, many felt more comfortable using other authentication methods to access their banking and data-sensitive apps. Biometrics alone weren’t perceived as secure enough, until paired with a secondary factor, particularly for banking use cases.
One interesting point to note is that biometric methods were preferred by participants who had mental health challenges and physical disabilities, as they found it faster and less challenging to authenticate.
3. Protecting vulnerable customers is paramount
What may have been one of the most alarming findings from the research to date was the risk authentication poses to vulnerable users. One research participant with a background as a financial counsellor shared their experience working with victims of financial abuse. These cases are varied in nature, but regularly involve Domestic and Family Violence, which extends to one partner suffering financial abuse at the hands of another. This can also extend to elder abuse, particularly in communities where English is a second language. These cases can often involve the victim taking on debt for the perpetrator and have significant and long-lasting impacts on the victim; mentally, emotionally and financially.
Such cases can arise from the perpetrator having access to the victim’s smartphone: knowing their PIN code or being enrolled as a secondary biometric user on the device. Device biometrics authenticate any biometric enrolled on the device, not the specific account holder, so a data holder cannot tell the victim from a perpetrator enrolled alongside them. This means the perpetrator can access the victim’s device and easily action tasks with or without the victim’s understanding, knowledge or consent. These risks go beyond authenticating itself and extend to the actions an intruder can take after authentication has occurred: applying for loans or other lines of credit, purchasing goods through online stores, and approving transfers of money, to name a few. This highlights an issue far greater than the need for secure authentication, a systemic and widespread societal issue that secure authentication cannot solve but can do its part in reducing.
4. Access to one is access to all
Across the board it was apparent that participants advocated for consistent and strong authentication requirements, irrespective of the data they were accessing. The notion that even seemingly insensitive data, such as an energy account profile or an account balance, can be stitched together with other innocuous information to build a holistic view of the person continues to raise concern about privacy and security. These feelings are exacerbated by the recent data leaks and hacking cases in Australia; access to even minor personal information can give attackers a foothold to reach more important, higher-risk data. Participants feel their data should be kept private and secure regardless of how sensitive it is, further highlighting the importance of a gold-standard authentication process.
There is little evidence to support extra factors of authentication negatively impacting a user’s experience. There may be an initial and brief annoyance at the second verification step, but these feelings are quickly counteracted with reassured comfort for the safety and security of their account. With this considered, we can confidently proceed with implementing multiple factors of authentication aware that participants recognise the benefit and appreciate the security.
5. Redirect to app is preferred when compared to browser, but with caution
The research found that participants feel more comfortable being redirected from an app or website to a trusted app already on their device than being redirected to a new tab in their browser. Unsurprisingly, this is because users have already established trust with their existing apps, know they came from a reputable source (such as the App Store or Google Play), and are confident they are not being sent to a fraudulent website. They can also authenticate in those apps in ways consistent with their existing experience, so the flow more closely matches their mental models. Compared with the existing Redirect with OTP flow, users are not required to remember strings of information such as their banking user ID; they can simply authenticate and proceed.
Views varied on how participants wanted to reach their app to consent to data sharing: some liked that the flow took them to the app automatically, while others said they would feel more in control if they had the option to open the app themselves. There were concerns about phishing and a lack of clarity about the mechanism that triggers the app to open, and, as in Round 1, participants wanted to log out, or to know they would be logged out automatically, when leaving their data holder app.
Where participants did not have the app installed on their device, they expected either to be taken to the App Store or Google Play and prompted to download it, or for a new browser window to open to facilitate login.
6. Control is found through self-initiated action
This round of research further highlighted the importance participants place on having control over their experience. Participants reported they would feel more comfortable and trust a product more if they had more control over their experience. This applies to how and when they authenticate, and in context to the consent flow, what information they share with ADRs.
Specifically, participants enjoyed controls such as; choosing what kind of authentication models they wanted to use to access their data, how many layers of security (i.e. the combination of factors), ability to opt in or out of specific features and options, alerts to when data security may have been compromised and easy processes to securely reset passwords.
Further to a point shared in insight “2. Biometric authentication is still maturing”, participants who reported accidental successful authentication with FaceID wanted the ability to control how FaceID was triggered, some suggesting an ‘I’m ready to authenticate’ button might be a good workaround. While some controls may not be feasible to implement into flows, forewarning users of the next steps will forearm them and thus increase feelings of control. This finding may support improvements to the consent flow including more stepped and clear instructions so users can confidently anticipate next steps and avoid any surprises during the flow. Giving users control and choice during their experience can increase feelings of trust and comfort.
7. Step up authentication feels good
Round 1 found that participants wanted two factors of authentication. In Round 2 we set out to find the ordering that best suited participants, and tested two common 2FA arrangements: step-up and back-to-back. Both request an initial authentication, but the stage at which the second factor is requested differs. In step-up, the second factor is requested after the user performs an action. This is consistent with many banking apps, where the second factor is triggered when a transfer is initiated or a new payee is added. In back-to-back, as the name implies, the second factor is requested immediately after the first.
Participant preferences were as varied as the two options, with a roughly even split between them. We can nevertheless identify step-up as the recommended option: it matches users' existing mental models and does not overload participants at the start of the flow.
Back-to-back may still be favoured in some circumstances, because it avoids problems such as accidental authentication, increases user trust at the start of the authenticate-and-authorise journey, and provides a second layer for those who do not fully trust biometrics. Back-to-back may also be effective in raising the barrier to entry and better protecting vulnerable customers.
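The two orderings described in this insight and in the Executive Summary differ only in when the second factor is demanded. The following Python model is an added illustration, not code from the report or from any CDR data holder; the action names, risk tiers and step-up threshold are assumptions chosen for the example, and each prompt is assumed to succeed so that the block runs offline.

```python
"""Step-up vs back-to-back ordering of a second factor (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    INHERENCE = "inherence"      # something the user is, e.g. FaceID
    POSSESSION = "possession"    # something the user has, e.g. SMS OTP
    KNOWLEDGE = "knowledge"      # something the user knows, e.g. PIN


class Mode(Enum):
    STEP_UP = "step-up"            # second factor when a risky action is attempted
    BACK_TO_BACK = "back-to-back"  # second factor immediately after the first, at login


# Assumed risk tiers for actions in the DH app; not taken from the report.
ACTION_RISK = {
    "view_accounts": 1,
    "authorise_data_sharing": 2,
    "add_payee": 3,
}
STEP_UP_THRESHOLD = 2  # assumed: tiers at or above this need two factors


@dataclass
class AuthSession:
    mode: Mode
    first: Factor
    second: Factor
    verified: list = field(default_factory=list)  # distinct factor categories proven so far
    events: list = field(default_factory=list)    # (trigger, what happened), in order

    def __post_init__(self):
        # FaceID followed by FaceID is one factor presented twice, not two factors.
        if self.first is self.second:
            raise ValueError("the two factors must be different categories")

    def prompt(self, factor: Factor, trigger: str) -> None:
        # The real verifier (biometric API, OTP check) would run here; the example
        # records the prompt and assumes it succeeds.
        self.events.append((trigger, "prompt:" + factor.value))
        if factor not in self.verified:
            self.verified.append(factor)

    def login(self) -> None:
        self.prompt(self.first, "login")
        if self.mode is Mode.BACK_TO_BACK:
            self.prompt(self.second, "login")  # second factor straight after the first

    def perform(self, action: str) -> bool:
        """Run an action, stepping up to the second factor first if its risk tier requires it."""
        if not self.verified:
            self.events.append((action, "denied:not-logged-in"))
            return False
        if ACTION_RISK[action] >= STEP_UP_THRESHOLD and len(self.verified) < 2:
            # Only reachable in step-up mode: back-to-back already holds both factors.
            self.prompt(self.second, action)
        self.events.append((action, "allowed"))
        return True


def simulate(mode: Mode, actions=("view_accounts", "authorise_data_sharing")) -> list:
    """Return the ordered prompt/allow events a user would see in a FaceID + OTP session."""
    session = AuthSession(mode, Factor.INHERENCE, Factor.POSSESSION)
    session.login()
    for action in actions:
        session.perform(action)
    return session.events


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, simulate(mode))
```

Running `simulate` for both modes shows the difference participants reacted to: back-to-back issues two prompts before the user has done anything, while step-up issues one at login and defers the second until the first action at or above the threshold. The session records factor categories rather than prompts, so presenting the same category twice never counts as MFA.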
8. Accessibility and inclusion are continuing factors in uplifting authentication experiences
The research reiterated the importance of accessibility in authentication. All users across the spectrum of human diversity should have access to robust and easy-to-use authentication methods, which match their expectations of security.
Both permanent and temporary disability impact how users prefer – and have ability – to authenticate online. Disability may be cognitive, developmental, intellectual, mental, physical, sensory, or some combination of these. This finding is particularly pertinent to biometric methods. Several research participants who experienced various mental health challenges cited a preference for biometric methods due to their lower barriers-to-entry and absent cognitive requirements. For other participants, physical impairment could often create frustrating experiences when using biometric; such as having scratched finger-tips after physical yard work or facial wound dressing which wasn’t recognised by FaceID for example.
Further findings included people who cannot read or write, or who have English as a second language, and who may find it hard to comprehend complex information presented to them. This reiterates the importance of providing alternative ways to authenticate where possible, conforming to the latest Web Content Accessibility Guidelines (WCAG).
Research Outputs
Global Performance: Radial Graph
Global Performance is a measure developed by the research team to define success for various authentication models, made up of five separate measures:
- Recall & input
- Familiarity & completion
- Comfort & control
- Purpose & outcome
- Expectations
Each of these five measures consists of 3 different metrics (as demonstrated in the ‘Measures & Metrics in detail’ table) collected throughout the research and then collated to determine a quantifiable outcome for each measure. These 5 measures are then reflected on a five-point radial graph, demonstrating the global performance for the respective authentication model.
App/Browser-to-App with Biometric
App/Browser-to-App measure and metric outcomes. A score above 4 is considered excellent and above 3.75 very good; a score below 3.25 is considered poor and below 3 bad.
| Measure | Metric | Score |
|---|---|---|
| Recall & input | | 3.93 |
| | Information a user needs to recall | 4.56 |
| | User's perception of length | 3.58 |
| | Number of user inputs | 3.64 |
| Familiarity & completion | | 3.84 |
| | Familiarity | 3.91 |
| | Brand influence | 3.45 |
| | Current authentication models | 4.14 |
| Comfort & control | | 3.74 |
| | User feeling in control | 3.53 |
| | Awareness of next step | 4.37 |
| | Trustworthiness | 3.33 |
| Purpose & outcome | | 3.53 |
| | Benefit awareness | 3.70 |
| | Sensitivity of value prop | 3.45 |
| | Level of positive friction | 3.43 |
| Expectations | | 3.56 |
| | User security expectations | 3.50 |
| | Perceived security | 3.82 |
| | Sector | 3.38 |
Rows with a Measure name give the score for that measure; the three rows beneath each are its contributing metrics.
The research found App/Browser-to-App with Biometric to be a generally well-performing authentication method. The majority of participants tested were familiar with Biometric methods of authentication and currently use them on a regular basis. The highly automatic process of the App/Browser-to-App flow and use of Biometrics meant participants had very little information to recall or input throughout the flow, demonstrated by the high score in the ‘Recall & Input’ measure.
‘Purpose & Outcome’ and ‘Expectations’ were the poorer-performing measures. This can be attributed to the lack of positive friction in the flows tested, with participants expecting and desiring a second factor of authentication to meet their expectations of security. Among all metrics, Trustworthiness (under Comfort & Control) earned the lowest score, with many participants reiterating that a second factor would have made them feel more comfortable and in control of the process.
Participants appreciated the ease with which they could authenticate with this method, and although they like authenticating with biometric means, they believe it is not always the most appropriate method for sensitive use cases when used as a single factor.
Radial graph of measure scores: Recall & Input 3.93; Familiarity & Completion 3.84; Comfort & Control 3.74; Purpose & Outcome 3.53; Expectations 3.56.
Consumer Behavioural Archetypes
Each Archetype has specific needs for how authenticating to share CDR data should work in order for them to trust and understand it.
- Sceptics (22% of participants) are less trusting of organisations and/or technology. They generally value control, and are averse to sharing data based on their experience of current practices.
- Assurance Seekers (51% of participants) want to read additional information. They generally value familiarity and external reference/support, and are apprehensive to new experiences.
- Sensemakers (27% of participants) need to understand how the process works. They generally value details, and can trust the process if given enough valuable information.
- Enthusiasts (0% of participants) are excited to get the benefits of authenticating to share CDR data. They generally value simple experiences once trust is established.
System Usability Scale
The overall SUS score for App/Browser-to-App (Biometric) was 82.88, which is considered very high. The coloured markers depicted in the graph correspond to the Consumer Behaviour Archetypes (Sceptics, Assurance seekers, Sense makers, Enthusiasts) as described previously. The raw SUS scores were widely distributed for this round of research. When reviewing the SUS scores against the Consumer Behaviour Archetypes, researchers observed a trend: most of the Sceptics consistently scored lower in SUS compared to other archetypes; thus characterising their consumer archetype. Generally speaking, Sense Makers recorded higher scores, while Assurance Seekers had mixed results. Out of all consumer participants, 67% rated their experience as ‘excellent’, 18% as ‘good’, 5% as ‘okay’ and only 10% as ‘poor’ or ‘very poor’.
Summary
The research found App/Browser-to-App with Biometric to be a sufficient method of authentication for some use cases where there is little risk involved in successfully authenticating. The method is familiar and found to be very easy to use by most participants. This method could be supported by the CDR with the following constraints in order to meet and exceed user expectations of control, trust and security:
- App/Browser-to-App with Biometric as part of a 2-factor, step-up authentication model: the research found many participants expected a standardised approach to authentication; with consistent and strong authentication required to access any type of data, no matter the sensitivity. This expectation can be met by implementing multi-factor authentication (MFA), and further increasing user trust and comfort using a step-up model. Research participants reported greater feelings of control and confidence when more than one factor was required as a ‘confirmation’ of action. The user expectation is that this standardised approach would be in place across all sectors and types of data, regardless of the sensitivity; to meet this expectation we recommend forming a ‘gold-standard’ authentication to be implemented across the CDR.
- More warning before automatic redirection: users prefer being redirected to a DH app from a trusted ADR app rather than from a website, because they are more trusting of apps on their devices. Users generally liked the automation, but across the board participants wanted an alert, or a user-triggered action, before being redirected from the ADR to the DH platform. More forewarning would make users feel more in control and reduce the risk of accidentally authenticating with FaceID just by looking at the device. Users would also feel more aware of the next step if they were told what happens when the DH app is not installed, managing their expectations about being taken to the App Store or Google Play.
- Commitment to accessibility, inclusivity and protecting vulnerable consumers: the research findings reiterated the importance of assessing risk-based models to protect vulnerable consumers, while also continuing to consider accessibility and inclusivity as paramount to supported authentication approaches.
Continuing research is being undertaken in 2023 to determine other models to support.
Quick links to CX Guidelines: