ConsumerDataStandardsAustralia / future-plan

Repository of future demand for work by the DSB. Used to manage demand and prioritisation for up to twelve months ahead.

DSB Item - Attacker Model, Security Controls, Authentication and Identity Proofing Risk Framework (Initial consultation) #48

Closed CDR-API-Stream closed 1 year ago

CDR-API-Stream commented 3 years ago

Problem Statement

In Decision 182, the Data Standards Chair approved four recommendations. This Future Plan item covers Recommendation 3 and the targeted consultation to determine appropriate risk-based security controls and supported authentication methods.

Feedback strongly supported the development of an attacker model to identify the risks the Information Security model seeks to address, and the controls required to manage those risks. This attacker model can leverage the FAPI 2 attacker model as a baseline developed by the OIDF.

The Data Standards Chair notes that the Future Directions report includes several key recommendations to enhance security, flexibility, and choice for consumers. These recommendations seek to adopt a risk-based approach to assessing which authentication methods should be supported and when they are appropriate. In considering which authentication methods are suitable, the convenience and consumer experience of different authentication mechanisms should be considered against the actions being instructed and the risks both within a given sector and across the CDR. This recommendation supports and complements the Future Directions report's recommendations.

A risk-based authentication framework should look at when and how second factors of authentication are required and opportunities to support decoupled authentication (otherwise referred to as app2app).

In conjunction with broadening authentication standards, the risk framework should consider the identity proofing requirements when initiating different actions.

Key Future Directions Recommendations

JamesMBligh commented 2 years ago

Significant planning on this item has been conducted, but it has been shifted to Q1 2022 for ongoing work.

JamesMBligh commented 2 years ago

A plan for engagement has been developed and has been internally circulated and reviewed. We are currently working through the budgetary process to determine an appropriate timetable to schedule the actual engagements.