Use two-factor authentication to comply with GDPR
ENISA, the European Union Agency for Network and Information Security, which advises member states and private-sector organizations on implementing EU legislation, has recently published a study that provides guidelines on taking the appropriate measures and applying appropriate security to comply with the General Data Protection Regulation (GDPR). ENISA’s recommendations include two-factor authentication and mobile application security as technical measures in high-risk situations to ensure cyber security, prevent phishing and data breaches, and protect the user experience.
The GDPR becomes the main legal framework for data protection in the EU and represents a significant step towards enhancing the privacy of EU citizens. Additionally, the GDPR applies to any company offering goods or services to EU citizens, regardless of its size, location or industry, that handles personal data as a data controller or as a data processor.
Significantly, Article 32 of the GDPR defines one of the core obligations for these companies: securing this personal data through technical measures. It states that data controllers and processors “shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
The implications and costs of non-compliance can be substantial: fines of up to 4% of annual global turnover or €20 Million, whichever is greater. Companies are also obliged to report all breaches within 72 hours, risking significant brand damage in return.
ENISA Guidelines for GDPR Compliance
ENISA’s study on how to adopt organizational and technical security measures in order to achieve compliance with GDPR makes use of a risk-based approach to define the appropriate measures in different areas.
For example, in the area of secure access, access control, and authentication, ENISA recommends implementing two-factor authentication in high-risk cases and in certain medium impact cases, as follows: “Two-factor authentication should preferably be used for accessing systems that process personal data. The authentication factors could be passwords, security tokens, USB sticks with a secret token, biometrics etc.” At OneSpan, we would recommend taking that next step to deploy multi-factor authentication (MFA) functionality, which would include two or more authentication factors, to prevent unauthorized access.
In the area of mobile devices, ENISA mentions that mobile devices increase the exposure to theft and accidental loss. Moreover, they are likely to be used for personal purposes, so special care must be taken to ensure that business-related data is not compromised. This results in the guideline that “two-factor authentication should be considered for accessing mobile devices, and personal data stored at the mobile device should be encrypted.”
Finally, when it comes to application development, ENISA recommends ensuring that personal data security and data privacy are taken into consideration. For the mobile app development lifecycle, this means that “best practices, state of the art and well acknowledged secure development practices, frameworks or standards should be followed,” even in low-risk cases.