Strong authentication, transparent access, and GDPR compliance – can I really have it all?

Over the last few years, we have all seen what happens when IT professionals underestimate the risk of a data breach, and choose an authentication solution that is poorly suited to protecting sensitive information [0].  And while data subjects bear the brunt of any resulting breach, they have little control over the level of protection provided for their personal information.  Users can help to prevent the worst outcomes by choosing and protecting their passwords with care, but passwords alone are not secure enough, and stringent password policies lead to user frustration.  As more and more business processes become digital, the mobile workforce increases, and customers expect anywhere, anytime access, it becomes less and less defensible to place the onus for security solely on the user.

Sources of good practice [1][2] provide guidance on how to improve the strength of password authentication.  But it is gradually becoming accepted [3] that there is a limit to the degree of protection that passwords alone, regardless of their length, complexity, or frequency of update, can provide.  Stronger mechanisms are called for in an increasing number of situations.

Regulators and lawmakers have accepted their responsibility for eliminating the most egregious instances of data breach.  The General Data Protection Regulation (GDPR), which is to be introduced in Europe in 2018, is a notable example.  It requires system designers to take into account the likelihood and potential severity of a breach when designing a security architecture, including its authentication mechanisms.  Failure to make an informed and honest assessment of the risk can have severe consequences, as the GDPR has punishing maximum penalties built into it.

Improving authentication methods and reducing reliance on passwords means introducing a second authentication factor, such as “something you have” or “something you are,” that an adversary cannot easily replicate.  Because of the publicity generated by recent data breaches, users are becoming increasingly concerned about the security of their personal information, while demanding a lower-friction, more transparent experience.  Organizations can meet these expectations by implementing two-factor authentication based on mobile technology.  With authentication methods such as mobile push, users can make use of their mobile device and, with just a swipe or the touch of a button, access a VPN or customer portal, approve transactions, and complete many other tasks.  Vendors can now offer an even more transparent, low-friction authentication experience with intelligent methods such as adaptive authentication, a risk-based approach that only requires step-up authentication when the risk becomes elevated.
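The step-up decision that adaptive authentication makes, shown as an added example that is not the page's or Entrust's own code: a minimal risk engine scores the signals available at login time and only demands a second factor (for instance a mobile push approval) when the score crosses a threshold. The signal names, weights and thresholds are assumptions chosen for illustration, not vendor defaults.

```python
from dataclasses import dataclass

@dataclass
class LoginContext:
    """Signals available at login time (hypothetical fields, constructed for this example)."""
    user: str
    device_known: bool              # device previously enrolled or seen for this user
    country: str                    # geolocation of the current request
    usual_country: str              # country seen in the user's normal sessions
    failed_attempts_last_hour: int
    minutes_since_last_login: int
    last_country: str               # country of the previous successful login

# Illustrative thresholds (assumptions): at or above STEP_UP a second factor is required,
# at or above DENY the request is refused outright and left for the SOC to review.
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 80

def risk_score(ctx: LoginContext) -> int:
    """Sum weighted risk signals; 0 means the request matches the user's normal pattern."""
    score = 0
    if not ctx.device_known:
        score += 40                 # unrecognised device: strongest single signal here
    if ctx.country != ctx.usual_country:
        score += 30                 # unusual location for this user
    # "impossible travel": a different country from the last login, less than an hour later
    if ctx.country != ctx.last_country and ctx.minutes_since_last_login < 60:
        score += 40
    if ctx.failed_attempts_last_hour >= 3:
        score += 20                 # guessing or credential-stuffing pattern
    return score

def decide(ctx: LoginContext) -> str:
    """Return 'allow', 'step_up' (e.g. mobile push approval) or 'deny'."""
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"

# Constructed sample contexts: routine login, new device, and a clearly anomalous request.
NORMAL = LoginContext("alice", True, "DE", "DE", 0, 480, "DE")
NEW_DEVICE = LoginContext("alice", False, "DE", "DE", 0, 480, "DE")
ANOMALOUS = LoginContext("alice", False, "BR", "DE", 4, 20, "DE")

if __name__ == "__main__":
    for ctx in (NORMAL, NEW_DEVICE, ANOMALOUS):
        print(ctx.user, ctx.country, risk_score(ctx), decide(ctx))  # → 0 allow, 40 step_up, 130 deny
```

The routine login passes with no extra friction, the unrecognised device triggers a push approval, and the anomalous request is refused without ever prompting the user.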

These developments make it worthwhile to take a fresh look at your authentication solution in order to combine the best security with a digital experience that maximizes user satisfaction, all while keeping in mind new regulatory requirements.

Get the white paper: https://www.entrust.com/digital-security/hsm/solutions/compliance/global/gdpr

[0]: https://esj.com/articles/2012/11/12/keylogger-security-risk.aspx
[1]: https://pages.nist.gov/800-63-3/sp800-63b.html#appA
[2]: https://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf
[3]: https://www.gartner.com/doc/3773163/dont-waste-time-energy-tinkering

Entrust Datacard