The report Application of Authentication Frameworks: A Report to the Data Standards Chair was developed in response to the evolving needs of the Consumer Data Right (CDR) ecosystem, commissioned from PwC Indigenous Consulting. The purpose was to evaluate the applicability and adequacy of current Data Standards authentication frameworks, compare them with global standards, and recommend enhancements to ensure the continued security, usability, and scalability of CDR data practices. Due to supplier delays, the report was accepted in June 2024.
The process involved close collaboration with the Data Standards Chair (Chair) and key stakeholders from the Data Standards Body (DSB). It included bilateral discussions to align on priorities, challenges, and opportunities. Insights were drawn from a comprehensive review of existing and emerging authentication frameworks, including international standards such as ISO/IEC 29115:2013, NIST SP 800-63-3, and the eIDAS Regulation, as well as Australia's Trusted Digital Identity Framework (TDIF) (then current at the time of analysis). This comparative analysis informed the assessment of risks, gaps, and best practices applicable to the CDR's unique context.
The report highlights the pressing need for a risk-based approach to authentication, emphasising the importance of aligning with global cybersecurity standards, addressing aggregated data risks, and including offline consumers. It also outlines practical recommendations for improving the CDR's risk management maturity, mandating multi-factor authentication, and aligning terminology with TDIF to enhance clarity and consistency. These recommendations aim to support the Chair in meeting legal obligations while safeguarding consumer trust and system integrity as the CDR ecosystem expands.
The report underscored the need for a proactive, adaptive approach to authentication within the CDR, balancing security, usability, and inclusivity while leveraging international standards and insights.