Executive Summary
This report contains findings and recommendations based on Round 1 of CX research that was conducted on the ‘Redirect with One Time Password’ (OTP) in September of 2022 as part of the Authentication Uplift project. The purpose of the research is to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective is to give consumers more choice and freedom when authenticating themselves with data holders, while maintaining financial grade security.
Twenty-two consumers participated in the research in total; ten consumers participated in 1:1 interview sessions which ran for 90 minutes each and twelve consumers participated in unmoderated prototype testing. Prototypes of the Redirect with One Time Password flow were used to facilitate discussion and generate insights in relation to authentication more generally.
Consultation
This project relates to NP280 which is open for consultation from 14 December 2022 to 27 January 2023.
Context
The authentication stage is the second step in The Consent Model and involves a consumer verifying who they are with their Data Holder (DH). This step is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.
Authentication in the CDR regime is limited to a single consistent, authentication model, referred to as the 'Redirect with One Time Password' flow. No other flows are currently supported. ‘Redirect with One Time Password’ was previously tested in June 2019 against two models; ‘Redirect to Known’ and ‘Decoupled’, and was found to be the preferred authentication model by research participants. The outcomes can be accessed in Phase 2 Stream 3 report.
This research has been informed by the following:
- In December 2021, the Government noted support for the Inquiry into Future Directions for the CDR’s recommendation to review the approach to authentication. The Inquiry stated that ‘the convenience and consumer experience of different authentication mechanisms should be considered’ when assessing how to expand CDR authentication support.
- The Independent Information Security Review published in July 2022 separately highlighted that the current approach to CDR authentication does not meet minimum security requirements, and adjustments are warranted.
- The CDR community have also requested changes to the current CDR authentication model, which the DSB is considering as part of this work (see CR405, CR554 and CR542).
- Decision 182 – Information Security Uplift For Write aka action initiation This consultation sought community input on how the info sec profile might evolve to explicitly support write operations.
Findings
The research found OTP to be a generally well-performing authentication method. Consumers are typically familiar with the verification requirements having regularly used the OTP model in various contexts, with banking platforms specifically matching their mental models. Consistent exposure to this method means users across the board are confident with the flow and aware of what to do at each step, making it a fast and easy process to complete. OTP offers a level of convenience to users by removing the need to recall lengthy and complex passwords, and (in some instances) quickly auto-fills passwords from SMS text messages. From a security perspective, users appreciate the OTP expiration window and prefer entering a one time password in place of their actual password; subsequently reducing drop-off rates.
While OTP is satisfactory for most use cases, there are several areas where the current process could be improved. Customer ID is potentially problematic, with only half of all participants interviewed able to recall their banking Customer ID number off the top of their head; the other half find their banking Customer ID either by entering the relevant banking app with biometrics to find it, or store it on their device in the notes or contacts app. The practice of storing a Customer ID on a device brings rise to concerns around security and the ease in which OTP can be breeched if your device falls into the wrong hands, many participants having experienced theft or loss of their mobile phones. The research found giving consumers extra security features, such as options for multi-factor authentication and automatic log-out, can contribute to feelings of being in control. The inclusion of educational elements, for instance explaining how a DH triggers an SMS, can be beneficial for those with lower levels of digital literacy. An improvement to consumer experience could see App-to-App included as a supported authentication model; striking a balance between convenience and security, as it’s perceived by users to be more trustworthy than redirect or browser-based methods.
One Time Password is a sufficient authentication model and could offer better consumer experience with some minor improvements, however, there are several shortcomings which could be addressed with the introduction of other models. Across the board, OTP did not match user expectations contextually; as most participants were familiar with the model as a second factor of authentication and did not perceive it as strong enough when used as a primary, stand alone model. Implementing OTP as a step-up, secondary form of verification when used in conjunction with a gold standard primary authentication method could go far in exceeding user perceptions of security and trust. Step-up authentication requires additional levels of authentication to adapt as the risk profile and sensitivity of the action increases, and could be implemented across the Consumer Data Right, irrespective of sector. We explore early stage recommendations in the summary section of this report.
Research artefacts at a glance
The following artefacts have been produced following the research and represent our findings. Each artefact is explored in further detail in the Research Outputs section of this report.
Global Performance
Consumer Behavioural Archetypes
System Usability Scale (SUS)
Fogg Behaviour Model
Project goals
This research project aimed to:
- Identify appropriate authentication models to support in the CDR;
- Provide CX input to the authentication framework to assess incoming/supported models;
- Strike a balance between security, consumer experience and value delivery;
- Help organisations provide intuitive, informed, trustworthy consent experiences with positive outcomes.
Research Objectives
- Understand current consumer behaviours, pain points and needs regarding authentication
- Identify appropriate consumer experience criteria and metrics to assess authentication models
- Inform the development and proposal of new standards, and/or the revision of existing standards
- Identify appropriate models to be considered for adoption that are interoperable, flexible and adaptable
- Uplift authentication standards to offer improved experience, choice, convenience, inclusivity and security as well as alignment to consumers' existing digital experiences
- Understand how consumer behaviour/attitude may shift for different use cases (e.g. banking vs energy) using the same authentication method
- Explore the impacts of different elements and mechanisms
Hypothesis
- Authenticating without needing to recall or manually enter information is preferred by users
- A familiar authentication method is perceived as more intuitive and will increase the likelihood of task completion
- If a user is informed of the next steps and contextual requirements of an authentication flow, then they will feel more comfortable and in control
- Informed user authentication can be supported by stating the purpose and outcome of the authentication. ("Why and what for?")
- The model meets or exceeds the user's expectations of friction, security and experience
Hypotheses 1-4 were largely validated by the research. Hypothesis #5 remains to be validated by further research and investigation.
Research Approach
The following 4 major components of authentication were explored:
- Channel: This is the channel where authentication is performed. For example: mobile, desktop, kiosk etc.
- Modality: Modalities are the inputs used for authentication. For example: Biometric, Pin code etc.
- Authentication method: This is the method by which an authentication is performed. Out of many factors of authentication method, these 3 are mostly recognised:
- Knowledge based: Something the user knows, such as a password or the answer to a security question
- Inherence based: Something that the user is, as represented by a fingerprint or iris scan
- Possession based: Something the user possesses such as a one-time password generator, certificate, or smart card
- Notification method: This is the different ways a user is alerted about the authentication requirement. For example: Push notification, Email notification etc.
Combination of elements tested in Round 1
Channel | Modality | Notification method | Authentication method | Elements of auth |
App to browser | One time password | SMS | Possession based | - Something the user Knowns (Customer ID)
- Something the user has (Phone/OTP) |
Use case
The use case tested involved a consumer going through a fictional phone app flow to get an indicative interest rate for a car loan. The participant was told they bank with a real-world DH.
Methodology
Data is being collected throughout various points in the research. We are running both moderated and unmoderated testing sessions, both feeding in to the final outputs. Moderated testing sessions involve a moderator to be present to guide the participants through tasks. Unmoderated tests do not involve moderators and as such participants run through the test independently as they would in a natural environment.
Moderated sessions: 1-on-1 interviews
- Number of participants: 10
- Activities: Screener, Interview, Prototype test, In-depth interview, Post-task Survey
- Duration: 1.5 hours
Unmoderated sessions: Maze Online platform
- Number of participants: 12
- Activities: Screener, Prototype test, Post-task Survey
- Duration: ~30 minutes
Research Findings & Insights
Research findings and insights include key observations and themes identified during moderated research sessions, supported by participant quotes. Some findings may go beyond the scope of the research topic, but have been included for completeness. Recommendations to uplift the CX may also be included – though this has not been the focus for the research team – as the goal is to identify appropriate authentication models for the CDR.
1. Friction is multifaceted
The research found the principle of friction to be multifaceted, with factors manifesting in various ways. The first, unsurprisingly, is that friction can be viewed by participants as negatively or positively impacting on an authentication experience, i.e. there are ‘healthy’ or ‘unhealthy’ levels of friction in a given flow. Furthermore, the research revealed friction can occur both online and offline for users.
Many participants in particular raised frustrations around one-time passwords interrupting their workflow when having to search for devices (mobile phones, DigiPasses) in order to receive their one time codes. In more complex scenarios, several participants shared details around having lost access to previous mobile numbers (either through theft, loss, moving/travelling overseas, or simply updating numbers) and the challenges this presented when accessing platforms which require one time passwords delivered to mobile numbers.
One may hypothesise that higher levels of friction create more frustrating experiences for users, however the research does not support this. On the contrary, many research participants expressed discomfort in regard to the speed and few required steps in which they were able to authenticate when granting access to financial data; they believed more steps involved in authentication processes offered higher barriers to entry and subsequently improved security. So while participants experienced some frustrations when accessing devices to receive one time passwords, they generally appreciated lengthier processes when accessing sensitive data. This highlights the importance of assessing context when determining appropriate authentication models.
2. Secure authentication goes beyond just logging in
The research found participant perceptions and expectations of security in authentication models extends beyond the steps involved in ‘logging on’. While participants rely heavily on visual cues (covered in insight #4 “Users rely on visual trust markers”), customisation options and additional security features beyond the initial ‘log in’ impact their perceptions of security throughout the entirety of a given use case flow.
Participants expressed preferences for authentication customisation; having the ability to control how they access a given platform with authentication methods that suit them and the option for additional factors. Participants will use multi-factor authentication when it’s available, if they feel it’s appropriate for the platform. Many users enjoyed the convenience single login to access multiple services (such as MyGov account) offered, however also expressed concerns if this single login is compromised, it’ll also compromise all services linked to that one login. This insight brings forth the design challenge to create an authentication experience which walks the line between convenience and security.
Surprisingly, participants also noted automatic log out as a feature which made them feel in control, as they didn’t need to remember to do this themselves.
3. Authentication through a generational lens
We found significant differences among the generations in feelings of comfort as well as in the level of perceived security. An unsurprising insight when considering younger generations are generally considered to be more digitally literate than older generations. In particular these differences were also observed when looking at use-case benefit vs reward.
Typically, older generations did not see the benefit in the use case (a fictional app to get an indicative interest rate for a car loan) and expressed preferences to; speak to someone on the phone; visit a brick and mortar store; or submit a paper-trail application via post. Participants in younger demographics were more likely to see the benefit in the use case, and noted their preference to complete tasks online or unassisted (such as using self-service checkout at the supermarket) instead of having to go into a branch or speak to someone.
Participants in older generations notably also felt the authentication process was too fast and did not have enough steps, making them feel uneasy in regard to sharing their banking data. It may seem those in older generations may sit at two ends of the spectrum, with some hyper-aware of risks online and others blissfully unaware. Those in the former group were more likely to assess the trustworthiness in a flow on the visual cues and noted their habits online involve checking URLs (correct addresses and ‘HTTPS’ connections), padlock icons, an ensuring websites match their visual expectations (colours, typography), however these practises are not unique to older generations and were evident across all generations interviewed.
4. Users rely on visual trust markers
The research found users across all age demographics heavily relied upon visual cues and markers to determine whether they could trust and feel comfortable using a platform, with many citing the presence of certain visual features paramount to whether they would proceed using a digital product.
While we do not believe this list is exhaustive, the following visual trust markers appeared repetitively in the research and go far in denoting to users whether a site or platform is trustworthy, secure and legitimate. They are as follows:
- The presence of a padlock icon in the URL bar as well as a ‘HTTPS’ connection and correct URL address
- Pixel-perfect user interfaces which match user expectations of formatting, such as colour palette, typography, branding
- Correct spelling and use of grammar
- No slow loading time or suspicious redirections
- Corporate information such as ABNs or phone numbers, and
- Apps downloaded from trusted sites such as the AppStore
As these trust markers are all visual, further research could be undertaken to better understand how those with accessibility needs assess trustworthiness.
5. OTP is known (and trusted) as a second factor
Almost all participants were familiar with using One Time Password to authenticate, with many expressing thoughts in regard to the expiration window and delivery to a registered phone number as positive security measures. Users also preferred using a one time password in the context of the use case (consenting to sharing banking data) as they perceived it as less risky than having to enter their actual banking password and the single-use nature of the OTP adds assurance. Many participants shared they would not complete the flow if it required their real password, no matter how much they trusted their data holder.
Interestingly, the consensus from users is that one time password is seen as ‘an added layer’ or ‘extra step’ of security. Users certainly trust and feel comfortable using this form of verification, however they do not perceive it as the primary method of authenticating.
6. Users trust established brands, but expect more from them
By and large, participants inherently placed more trust in larger and more established brands. This view is held in particular to government bodies and banking sectors because of the rigid compliance requirements prevalent in these industries. This shared sentiment is based on an assumption that larger corporations have the financial means and professional resource to follow best practices, won’t on-sell their data, and are subsequently less likely to fall victim to hacking or breaches. There is also an element of reputational risk which participants believe leads established businesses to act within the best interests of customers data.
Despite the fact users placed more trust in established brands, they also have higher expectations of how brands use and store their data. They expect financial institutions and government to treat customer data as securely as possible, remain up to date with cybersecurity best practice to prevent hacking, direct adequate funding to build strong back-end systems and hire talented teams, and never share their data with third parties. When it came to other platforms (such as social media sites) participants were more accepting and had lower expectations in their security protocol and data treatment, were aware their information was being monetised, and subsequently less likely to share important data about themselves.
7. Users perceive multi-factor adaptive authentication as the norm
Participants generally had a firm understanding of the requirements of multifactor authentication, and the friction, or “extra layers”, present were considered positive, many participants typically using one time password as a secondary factor (as covered in insight #5 OTP is known (and trusted) as a second factor) in particular within banking apps.
When considering multifactor authentication in the context of sectors, it was evident in the research that most participants expected authentication to adapt and become more rigorous as the sensitivity of their data increased, as this is what occurs in their present digital experiences and matches their mental models. Users classified their personal, health and banking data as sensitive information. While not all participants shared the view that authentication should adapt, it was not because they thought less-sensitive data (such as energy data) required less stringent authentication methods. Rather, these participants believe all data to be sensitive; citing fears around the potential for hackers to piece together granular information from several data points into a much larger, detailed view of their information.
This finding further supports the recommendation for a gold standard of authentication to be implemented across the Consumer Data Right, irrespective of sector, to meet consumer expectations of security.
Research Outputs
Global Performance: Radial Graph
Global Performance is a measure developed by the research team to define success for various authentication models, made up of five separate measures:
- Recall & input
- Familiarity & completion
- Comfort & control
- Purpose & outcome
- Expectations
Each of these five measures consist of 3 different metrics (as demonstrated in the ‘Measures & Metrics in detail’ table) collected throughout the research and then collated to determine a quantifiable outcome for each measure. These 5 measures are then reflected on a five-point radial graph, demonstrating the global performance for the respective authentication model.
The initial radial graph will showcase the global performance for One Time Password authentication method, and act as a benchmark for subsequent models.
Redirect with One Time Password
Redirect with One Time Password metrics and measures outcomes. A score above 4 is considered excellent, above 3.75 is considered very good, a score below 3.25 is considered poor and below 3 is bad.
Measures and metrics | Score |
Recall & input | 4.01 (score for measure) |
Information a user needs to recall | 3.79 (score for metric) |
Users perception of length | 4.15 (score for metric) |
Number of user inputs | 4.09 (score for metric) |
Familiarity & completion | 3.56 (score for measure) |
Familiarity | 4.14 (score for metric) |
Brand influence | 3.15 (score for metric) |
Current authentication models | 3.40 (score for metric) |
Comfort & control | 3.53 (score for measure) |
User feeling in control | 3.36 (score for metric) |
Awareness of next step | 4.07 (score for metric) |
Trustworthiness | 3.15 (score for metric) |
Purpose & outcome | 3.53 (score for measure) |
Benefit awareness | 3.70 (score for metric) |
Sensitivity of value prop | 3.35 (score for metric) |
Level of positive-friction | 3.53 (score for metric) |
Expectations | 3.68 (score for measure) |
User security expectations | 3.57 (score for metric) |
Perceived security | 3.54 (score for metric) |
Sector | 3.93 (score for metric) |
The research found One Time Password to be a generally well-performing authentication method. Consumers are typically familiar with the verification requirements having regularly used the OTP model in various contexts; banking platforms specifically matching their mental models. Consistent exposure to this method means users across the board are confident with the flow and aware of what to do at each step, making it a fast and easy process to complete. OTP offers a level of convenience to users by removing the need to recall lengthy and complex passwords, and quickly auto-fills passwords from SMS text messages on some newer devices. From a security perspective, users appreciate the OTP expiration window and prefer entering a one time password in place of their actual password; subsequently reducing drop-off rates.
Recall & Input (4.01)
Familiarity & Completion (3.56)
Comfort & Control (3.53)
Purpose & Outcome (3.53)
Expectations (3.68)
Consumer Behavioural Archetypes
Each Archetype has specific needs for how authenticating to share CDR data should work in order for them to trust and understand it.
- Sceptics are less trusting of organisations and/or technology. They generally value control, and are adverse to sharing data based on experience with current practices.
- Assurance Seekers want to read additional information. They generally value familiarity and external reference/support, and are apprehensive to new experiences.
- Sensemakers need to understand how the process works. They generally value details, and can trust the process if given enough valuable information.
- Enthusiasts are excited to get the benefits of authenticating to share CDR data. They generally value simple experiences once trust is established.
System Usability Scale
The raw SUS score was evenly distributed for Redirect with One Time Password. The overall SUS score of 82.5 is considered very high. The coloured markers correspond to the Consumer Behaviour Archetypes as described above.
Fogg Behaviour Model
All research participants have been categorised into archetypes based on their behaviours, and then mapped using the Fogg Model Diagram above. The coloured markers correspond as described in the Consumer Behaviour Archetypes section.
The Fogg Behaviour Model (FBM) compares consumer ability to complete authenticating to share CDR data against their motivation to do so in this context. Based on the chart, for most participants, the desired behaviour (progressing with the login using OTP) will happen when prompted (presented with OTP to continue). Surprisingly, some participants lacked both the ability and motivation to continue with OTP when prompted by the option to do so. This can be inferred in the diagram above by those who fall under the red ‘Action line’. Those who fall below the Action line are not likely to have the desired behaviour when prompted, while those who fall above it are more likely to act when prompted. Almost all Sense Makers (yellow) fall above the action line, there is only 1 that is just below the action line. For the Assurance Seekers (orange) who fell below the action line, there is potential for them to move above the threshold by increasing their ability, this can be achieved by simplifying the flow, for example.
Action line Considerations
Note that the Action line is indicative of the likelihood of a behaviour to happen when prompted in this context, but Fogg does not offer a hard and fast formula to plot it's exact location.
Summary
Redirect with One Time Password is satisfactory for most use cases, however there are several areas where the current process and consumer experience could be uplifted, such as:
- More easily recalled customer key: Customer ID is potentially problematic, with only half of all participants interviewed able to recall their banking Customer ID number off the top of their head; the other half find their banking Customer ID either by entering the relevant banking app with biometrics to find it, or store it on their device in the notes or contacts app. The practice of storing a Customer ID on a device brings rise to concerns around security and the ease in which OTP can be breeched if your device falls into the wrong hands, many participants having experienced theft or loss of their mobile phones.
- Extra security features: The research found giving consumers extra security features, such as options for multifactor authentication and alerting them that they will be automatically logged out, can contribute to feelings of being in control. The inclusion of educational elements, for instance explaining how a DH triggers an SMS, can be beneficial for those with lower levels of digital literacy.
- Visual trust markers: Standardising Data Holder UI to include the components identified in Insight #4 Users rely on visual trust markers such as; fast loading times, the inclusion of corporate information such as ABNs and phone numbers as well as cybersecurity badges could assist in increasing user perception of security and trust. The research team want to reiterate the importance for further research to explore how those with accessibility needs assess trustworthiness, and what indicators can be employed to uplift security in this context.
- OTP Autofill: At present DH’s elect to autofill numpads when a device has received an SMS containing an OTP. Uplifting standards to encourage DH’s to automatically autofill OTP from SMS can increase security and reduce cognitive load for users who have to toggle between their messaging app and the DH website.
One Time Password is a sufficient authentication model and could offer better consumer experience with some minor improvements, however, there are several shortcomings which could be addressed with the introduction of other models.
- Across the board, OTP did not match user expectations contextually; as most participants were familiar with the model as a second factor of authentication and did not perceive it as strong enough when used as a primary, stand alone model. An improved CX could see App-to-App included as a supported authentication model; striking a balance between convenience and security, as it’s perceived by users to be more trustworthy than redirect or browser-based methods. App-to-App can easily include multifactors of authentication occurring in a stepped format (at various points in a flow). This method will be explored in the following round of research.
- To exceed expectations, authentication can extend beyond simple multifactor authentication. Implementing OTP as a step-up, secondary form of verification when used in conjunction with a gold standard primary authentication method could go far in exceeding user perceptions of security and trust. Step-up authentication requires additional levels of authentication to adapt as the risk profile and sensitivity of the action increases, and could be implemented across the Consumer Data Right, irrespective of sector.
These changes could go far in exceeding user perceptions of security and trust across the Consumer Data Right. Further research is being undertaken to determine other models to support.
Quick links to CX Guidelines:
Overview
Consent
Authenticate
Authorise
Consent Management
Notifications
Accessibility statement
→ cx@dsb.gov.au → cx.dsb.gov.au | cds.gov.au