Advantages of Two-Factor Authentication After GDPR

The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018, establishing a set of regulations to standardize data protections across the continent, provide greater privacy rights and control to individuals, and protect citizens of the EU from privacy violations that may occur during a data breach. 

As a result of these regulatory changes, companies globally are reexamining their compliance with existing data protection rules and updating existing procedures to follow best practices in protecting users’ privacy.

Key Features of GDPR

The GDPR requires companies to put into place appropriate technical and organizational measures to implement the data protection principles and safeguard individual rights.

It is important that IT professionals integrate data protection and privacy from the design stage complete through the entire lifecycle.

In this article, we will look at Two-Factor Authentication (2FA), one of the most effective ways to protect personal data and private information shared online and uphold the principle of ‘integrity and confidentiality’ enshrined in the new regulation, which requires personal data to be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

What Is Two-Factor Authentication (2FA)?

Two-Factor Authentication (2FA) is a system that uses two different, but related methods to identify a person. It is a more secure method of identification than a reusable password. By combining the random number of a token with a private PIN, the resulting passcode provides more trustworthy user authentication.

With 2FA authentication, your identifying credentials will fit into two of the following three categories: something that only you know (such as a password or PIN number), something in your possession (such as a mobile phone or smart card), or something that cannot be changed (such as a retina scan or your fingerprint). Simply using two different passwords would not satisfy the test, because they are included in the same category. And who needs more passwords to remember anyway?

Many of us have already used 2FA. For example, when you go to an ATM to withdraw money, you need both a PIN number and a bank card to complete the transaction. 

One-time passwords (OTPs) and Public key infrastructure (PKI) are the most common ways we secure data.

OTP and 2FA

OTP is basically a single use, randomly generated password valid for one login session on a computer. For a user attempting to authenticate, this temporary password is delivered by text message to a mobile phone previously registered within a system.  Although OTP can be used by itself for authentication, it is most effective as part of a 2FA setup where the user would use his or her ID, PIN and the OTP to access a system.

PKI and 2FA

Public Key Infrastructure (PKI) is a system used to manage public-key encryption and digital signature services. It offers several advantages for information security, including:

• Authentication - capable of unique identification of the information originator and user.

• Privacy -  helps protect against unauthorized information and data access.

• Data integrity - prevents the alteration of data, whether on purpose or by accident.

• Non-Repudiation - Provides verifiable and incontrovertible proof of the origin and integrity of selected data.

User Experience

2FA is able to recognize devices, so returning from the same phone or computer will often provide the second factor of authentication without adding an extra step for the user. Hackers and cybercriminals will have the most difficult work to do in a 2FA environment, and that is exactly the way it is intended.

Use Case

Envilope, a Gibraltar-based blockchain technology company where users send a virtual envelope with the ability to securely lock emails, digital files, or secure messages containing text, images, audio, video - anything that can be sent online.  The company is implementing functionality where users can assign 2FA to any ‘object’ within their GDPR-compliant ecosystem.

For example, a user could upload a file and set a rule that it can only ever be opened if an authorized recipient receives a PIN code via SMS, that they then have to enter before they can open any Envilope containing that document. This 2FA can be applied to any object within the system: uploaded files, Envilopes, recipients, .nve files. The sender could set rules that specify Envilopes always require 2FA, that specific recipients always require 2FA, and so on. The 2FA can be set as a PIN code delivered via SMS, email, or both.

Future of Privacy

2FA is advisable whenever sending, receiving or accessing sensitive data—like financial accounts, and health records. Recognizing sensitive data is often shared by and across devices, Google, Facebook, Apple, and other companies have integrated 2FA functionality into their login processes. 

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to verify that a person seeking access to electronic protected health information (ePHI) has authorization. Two-factor authentication can satisfy this HIPAA requirement.

Some companies require 2FA, while others may offer it as an extra option that users can enable, but the responsibility rests with the users. Although users must request 2FA in these circumstances, financial and reputational risk (and liability) shift to the organization and ultimately to the IT department. It is for this reason that security professionals should loudly advocate for 2FA. 

The recent adoption of GDPR can facilitate this conversation. The 2017 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the global average cost of a data breach at $3.6 million, or $141 per data record. Along with the draconian penalties for failure to comply with GDPR -- up to €20 million or 4% of annual turnover – companies are wisely considering 2FA and other best practices for enhanced data protection and privacy.