Executive Summary
This report contains findings and recommendations based on Round 1 of CX research that was conducted on the ‘Redirect with One Time Password’ (OTP) in September of 2022 as part of the Authentication Uplift project. The purpose of the research is to identify consumer experience considerations to support and inform an expanded approach to Consumer Data Right (CDR) authentication. The objective is to give consumers more choice and freedom when authenticating themselves with data holders, while maintaining financial grade security.
Twenty-two consumers participated in the research in total; ten consumers participated in 1:1 interview sessions which ran for 90 minutes each and twelve consumers participated in unmoderated prototype testing. Prototypes of the Redirect with One Time Password flow were used to facilitate discussion and generate insights in relation to authentication more generally.
Consultation
This project relates to NP280 which is open for consultation from 14 December 2022 to 27 January 2023.
Context
The authentication stage is the second step in The Consent Model and involves a consumer verifying who they are with their Data Holder (DH). This step is required so the data holder can connect the data recipient's authorisation request to the correct CDR consumer.
Authentication in the CDR regime is limited to a single, consistent authentication model, referred to as the 'Redirect with One Time Password' flow. No other flows are currently supported. ‘Redirect with One Time Password’ was previously tested in June 2019 against two other models, ‘Redirect to Known’ and ‘Decoupled’, and was found to be the authentication model preferred by research participants. The outcomes can be accessed in the Phase 2 Stream 3 report.
This research has been informed by the following:
- In December 2021, the Government noted support for the Inquiry into Future Directions for the CDR’s recommendation to review the approach to authentication. The Inquiry stated that ‘the convenience and consumer experience of different authentication mechanisms should be considered’ when assessing how to expand CDR authentication support.
- The Independent Information Security Review published in July 2022 separately highlighted that the current approach to CDR authentication does not meet minimum security requirements, and adjustments are warranted.
- The CDR community have also requested changes to the current CDR authentication model, which the DSB is considering as part of this work (see CR405, CR554 and CR542).
- Decision 182 – Information Security Uplift for Write (also known as action initiation). This consultation sought community input on how the information security profile might evolve to explicitly support write operations.
Findings
The research found OTP to be a generally well-performing authentication method. Consumers are typically familiar with the verification requirements having regularly used the OTP model in various contexts, with banking platforms specifically matching their mental models. Consistent exposure to this method means users across the board are confident with the flow and aware of what to do at each step, making it a fast and easy process to complete. OTP offers a level of convenience to users by removing the need to recall lengthy and complex passwords, and (in some instances) quickly auto-fills passwords from SMS text messages. From a security perspective, users appreciate the OTP expiration window and prefer entering a one time password in place of their actual password; subsequently reducing drop-off rates.
While OTP is satisfactory for most use cases, there are several areas where the current process could be improved. Customer ID is potentially problematic: only half of all participants interviewed were able to recall their banking Customer ID number off the top of their head; the other half find their banking Customer ID either by opening the relevant banking app with biometrics to look it up, or by storing it on their device in the notes or contacts app. The practice of storing a Customer ID on a device gives rise to concerns around security and the ease with which OTP can be breached if the device falls into the wrong hands, with many participants having experienced theft or loss of their mobile phones. The research found that giving consumers extra security features, such as options for multi-factor authentication and automatic log-out, can contribute to feelings of being in control. The inclusion of educational elements, for instance explaining how a DH triggers an SMS, can be beneficial for those with lower levels of digital literacy. An improvement to consumer experience could see App-to-App included as a supported authentication model, striking a balance between convenience and security, as it is perceived by users to be more trustworthy than redirect or browser-based methods.
One Time Password is a sufficient authentication model and could offer a better consumer experience with some minor improvements; however, there are several shortcomings which could be addressed by the introduction of other models. Across the board, OTP did not match user expectations contextually: most participants were familiar with the model as a second factor of authentication and did not perceive it as strong enough when used as a primary, stand-alone model. Implementing OTP as a step-up, secondary form of verification, used in conjunction with a gold-standard primary authentication method, could go far in exceeding user perceptions of security and trust. Step-up authentication requires additional levels of authentication as the risk profile and sensitivity of the action increase, and could be implemented across the Consumer Data Right, irrespective of sector. We explore early-stage recommendations in the summary section of this report.
Research artefacts at a glance
The following artefacts have been produced following the research and represent our findings. Each artefact is explored in further detail in the Research Outputs section of this report.
Global Performance
Consumer Behavioural Archetypes
System Usability Scale (SUS)
Fogg Behaviour Model
Project goals
This research project aimed to:
- Identify appropriate authentication models to support in the CDR;
- Provide CX input to the authentication framework to assess incoming/supported models;
- Strike a balance between security, consumer experience and value delivery;
- Help organisations provide intuitive, informed, trustworthy consent experiences with positive outcomes.
Research Objectives
- Understand current consumer behaviours, pain points and needs regarding authentication
- Identify appropriate consumer experience criteria and metrics to assess authentication models
- Inform the development and proposal of new standards, and/or the revision of existing standards
- Identify appropriate models to be considered for adoption that are interoperable, flexible and adaptable
- Uplift authentication standards to offer improved experience, choice, convenience, inclusivity and security as well as alignment to consumers' existing digital experiences
- Understand how consumer behaviour/attitude may shift for different use cases (e.g. banking vs energy) using the same authentication method
- Explore the impacts of different elements and mechanisms
Hypotheses
1. Authenticating without needing to recall or manually enter information is preferred by users
2. A familiar authentication method is perceived as more intuitive and will increase the likelihood of task completion
3. If a user is informed of the next steps and contextual requirements of an authentication flow, then they will feel more comfortable and in control
4. Informed user authentication can be supported by stating the purpose and outcome of the authentication. ("Why and what for?")
5. The model meets or exceeds the user's expectations of friction, security and experience
Hypotheses 1-4 were largely validated by the research. Hypothesis #5 remains to be validated by further research and investigation.
Research Approach
The following 4 major components of authentication were explored:
- Channel: This is the channel where authentication is performed. For example: mobile, desktop, kiosk etc.
- Modality: Modalities are the inputs used for authentication. For example: Biometric, Pin code etc.
- Authentication method: This is the method by which an authentication is performed. Of the many authentication factors, these three are the most widely recognised:
  - Knowledge based: Something the user knows, such as a password or the answer to a security question
  - Inherence based: Something the user is, as represented by a fingerprint or iris scan
  - Possession based: Something the user possesses, such as a one-time password generator, certificate, or smart card
- Notification method: This is the different ways a user is alerted about the authentication requirement. For example: Push notification, Email notification etc.
Combination of elements tested in Round 1
| Channel | Modality | Notification method | Authentication method | Elements of auth |
| --- | --- | --- | --- | --- |
| App to browser | One time password | SMS | Possession based | Something the user knows (Customer ID); something the user has (Phone/OTP) |
Use case
The use case tested involved a consumer going through a fictional phone app flow to get an indicative interest rate for a car loan. The participant was told they bank with a real-world DH.
Methodology
Data is collected at various points throughout the research. We are running both moderated and unmoderated testing sessions, both feeding into the final outputs. Moderated testing sessions require a moderator to be present to guide participants through tasks. Unmoderated tests do not involve moderators, so participants run through the test independently, as they would in a natural environment.
Moderated sessions: 1-on-1 interviews
- Number of participants: 10
- Activities: Screener, Interview, Prototype test, In-depth interview, Post-task Survey
- Duration: 1.5 hours
Unmoderated sessions: Maze Online platform
Research Findings & Insights
Research findings and insights include key observations and themes identified during moderated research sessions, supported by participant quotes. Some findings may go beyond the scope of the research topic, but have been included for completeness. Recommendations to uplift the CX may also be included – though this has not been the focus for the research team – as the goal is to identify appropriate authentication models for the CDR.
1. Friction is multifaceted
The research found the principle of friction to be multifaceted, with factors manifesting in various ways. The first, unsurprisingly, is that participants can view friction as either negatively or positively impacting an authentication experience, i.e. there are ‘healthy’ and ‘unhealthy’ levels of friction in a given flow. Furthermore, the research revealed that friction can occur both online and offline for users.
Many participants in particular raised frustrations around one-time passwords interrupting their workflow when having to search for devices (mobile phones, DigiPasses) in order to receive their one time codes. In more complex scenarios, several participants shared details around having lost access to previous mobile numbers (either through theft, loss, moving/travelling overseas, or simply updating numbers) and the challenges this presented when accessing platforms which require one time passwords delivered to mobile numbers.
One may hypothesise that higher levels of friction create more frustrating experiences for users; however, the research does not support this. On the contrary, many research participants expressed discomfort with how quickly, and with how few steps, they were able to authenticate when granting access to financial data; they believed that more steps in an authentication process offered higher barriers to entry and subsequently improved security. So while participants experienced some frustration when locating devices to receive one time passwords, they generally appreciated lengthier processes when accessing sensitive data. This highlights the importance of assessing context when determining appropriate authentication models.