Authentication in the Age of GDPR

It’s been over a year since the enforcement of the long-planned General Data Protection Regulation (GDPR) began, marking the start of a new regulatory era for data management. GDPR impacts not only firms resident in the European Union, but around the world, as any organization doing business with EU citizens must now adhere to stricter security practices and stronger privacy rights for users.

This naturally has also had a significant impact on authentication practices, with organizations bolstering their strong customer authentication in response to evolving regulatory requirements. 

A large majority of data breaches involve weak or stolen passwords, and many of them could be prevented by readily available multi-factor authentication (MFA) setups.

That being said, not all forms of MFA are created equal: SMS-based authentication, for example, is easily intercepted by malware. Indeed, one-time passwords (OTPs) have been shown to be easily susceptible to phishing attacks. What is needed are authentication methods that transcend the legacy of the password and centrally stored shared secrets (including OTPs) in favor of an approach that leverages public key cryptography and allows users to authenticate locally with devices they use every day.

As the regulatory landscape that businesses need to navigate becomes more complex, patching systems to satisfy the bare minimum of GDPR simply will not do going forward. Not only does this leave organizations more exposed as breaches become more likely, but it also ignores customers who in many cases expect, or even demand, smoother methods of authentication than they have been offered in the past.

Over the past year, this has only become more critical, especially in the payments sector, where firms are also preparing to comply with the Strong Customer Authentication (SCA) requirement stipulated in the Payment Services Directive 2 (PSD2) Regulatory Technical Standard (RTS).

The promise of biometrics
Over the past few years, more and more consumers and businesses have come into contact with biometric authentication in their daily lives. This is largely due to more readily available biometric capabilities in everyday devices (driven by the falling cost of installing biometric sensors in handsets) and to the increased robustness of biometric security, which continues to build trust in replacing password entry with swiping a finger, speaking a phrase or looking at a camera on a device.

Defined as ‘sensitive personal data’ under GDPR, biometrics are now tightly regulated and anyone handling them must perform stringent assessments before any processing takes place. That is good news, and it has not hindered the continued development of services that leverage biometrics securely.

On the contrary, entities can now leverage biometric authentication while avoiding the liability that comes with collecting, controlling or processing the data themselves. Instead, the norm is shifting towards storing such data exclusively in a secure part of the chipset on the consumer’s device, where it can be used securely as part of the biometric authentication workflow without ever leaving the device.

The turning tide
The past decade has seen the development of international standards for authentication that are a natural fit with the new regulatory requirements, while also helping to augment innovative technologies that simplify and strengthen authentication for businesses and users alike.

The Fast IDentity Online Alliance (FIDO) has developed standards that not only provide stronger authentication with a better user experience, but that also fully comply with regulations pertaining to data security, biometrics, consent and individual rights.

Indeed, the international standards community has been working diligently over the past several years to deliver a common mechanism that strictly complies with GDPR and other regulations without requiring online service providers to purchase or distribute special software or hardware to their users.

FIDO’s new web authentication standards from the World Wide Web Consortium (W3C) are implemented by the world’s most popular web browsers; manufacturers of security tokens, personal computers and mobile phones are shipping on-device authenticators that are interoperable with these updated web browsers.

This emerging open standards ecosystem for user authentication, complete with third-party certification programs for independent validation, is well positioned to reduce the risk and costs of GDPR compliance around the world.
