
Noting Paper 326 - Authentication Uplift Context #326

Open
CDR-API-Stream opened this issue Aug 29, 2023 · 4 comments
Assignees
Labels
Category: CX A proposal for a decision to be made for the User Experience Standards Category: InfoSec Information Security Technical Working Group Decision Proposal Category: Noting Paper A paper outlining a specific outcome or clarification that is being posted for noting Industry: All This proposal impacts the CDR as a whole (all sectors) Status: Feedback Period Closed The feedback period is complete and a final decision is being formulated

Comments

@CDR-API-Stream (Contributor)

CDR-API-Stream commented Aug 29, 2023

Update: 13 October 2023

Please find attached a noting paper on authentication uplift. This incorporates not only Phase 1 (#327) but also work planned for future phases. This noting paper invites feedback but will not result in proposed Data Standards. The intention is to inform consultation for future phases and decision proposals.

NP326 - Authentication Uplift Context.pdf

This consultation will be open for feedback until 15 November 2023.

@CDR-API-Stream CDR-API-Stream added Status: Proposal Pending A proposal for the decision is still pending Category: CX A proposal for a decision to be made for the User Experience Standards Category: Noting Paper A paper outlining a specific outcome or clarification that is being posted for noting Category: InfoSec Information Security Technical Working Group Decision Proposal Industry: All This proposal impacts the CDR as a whole (all sectors) labels Aug 29, 2023
@CDR-API-Stream CDR-API-Stream changed the title Noting Paper <Number> - Authentication Uplift Context Noting Paper 326 - Authentication Uplift Context Aug 29, 2023
@CDR-API-Stream (Contributor, Author)

A noting paper for authentication uplift has been published in the original comment.

This consultation will be open for feedback until 15 November 2023.

@CDR-API-Stream CDR-API-Stream added Status: Open For Feedback Feedback has been requested for the decision and removed Status: Proposal Pending A proposal for the decision is still pending labels Oct 16, 2023
JamesMBligh added a commit that referenced this issue Nov 10, 2023
…/DP306-changes-2

Decision Proposal 306 Candidate Standards
@WestpacOpenBanking

Westpac welcomes any changes to the CDR that support stronger authentication, and a move away from the OTP model, which currently complicates our customers' authentication experience and limits our ability to uplift to more modern, secure authentication techniques.

We recommend the CDR adopts a principles-based authentication framework to be defined in the Rules, requiring that ALL participants employ a best practice authentication capability that appropriately balances the requirement for good friction with a seamless experience.

We recommend that no standards are made relating to authentication techniques such as FIDO, nor to interaction flows. Participants are best placed to identify what is best practice, what authentication techniques are best for their industry, product, service, and customer base, and what is good and bad friction. The burden of compliance will likely hold back an organisation's ability to strengthen their digital channels to best meet their customers' needs.

We also recommend the use of rules to ensure contestability, to provide the ACCC the ability to enforce change on participants that create unnecessary friction through their authentication flows.

We look forward to future rules relating to Action Initiation use cases; however, we recommend that the analysis, and any changes to standards, remain focused on addressing the issues already identified (through health check or git) and consider structural issues with MI427, which must be resolved before high risk use cases can be considered.

Issues with decoupled flows due to representative model

The introduction of Sponsored Accreditation, and the absence of standards and rules addressing the authentication and authorisation of this new participant model, introduced risks which will only be exacerbated by the introduction of Action Initiation and higher risk use cases which move beyond data sharing. Without rules or standards applied to ADRs' authentication, there exists a risk of attack on a consumer from a compromised ADR without strong authentication, pushing actions to customer devices.

Identity Federation and SSO

Identity and the Federation of Identity Providers are outside of the scope and intention of the Consumer Data Right. The CDR should not be a vehicle for Identity Federation and mechanisms such as SSO should not be considered without any rules which support the operation and governance of this capability.

We recommend that any requirements relating to Identity Federation and SSO be achieved through changes being explored within the government's Digital Identity Initiative. We have been engaging with the Dept of Finance on their Digital Identity Consultation and will continue to provide feedback on all identity related topics there.

@paige-skript

Skript is generally supportive of the authentication uplift proposals. We consider the benefits to Australian consumers will be improved security controls and more intuitive and reliable user experiences while authenticating with a Data Holder.

We have submitted our feedback on Phase 1 of the Authentication Uplift under DP 327.

Regarding Section 6.4: ADR Authentication: protecting data held by data recipients

We are supportive in general of more defined authentication requirements for ADRs. Our offerings have been built with security controls in mind from the start, and this includes authentication controls such as MFA. We are also constantly working towards industry best practices, and welcome further discussions around authentication requirements for ADRs in the data standards.

@CDR-API-Stream (Contributor, Author)

This consultation is now closed. Thanks to everyone for engaging and providing comprehensive feedback. Responses will be reviewed and considered.

@CDR-API-Stream CDR-API-Stream added Status: Feedback Period Closed The feedback period is complete and a final decision is being formulated and removed Status: Open For Feedback Feedback has been requested for the decision labels Nov 17, 2023
5 participants