Nearly six months after GDPR came into effect, despite great planning and attention, many companies are still struggling to get their businesses fully compliant. Strategic Marketing Director at MEF Member Tyntec, Jean Shin, here discusses how multifactor authentication can aid compliance by granting consumers the necessary access to their own personal data, while ensuring it is safe from others.
In May 2018, the General Data Protection Regulation (GDPR) came into force after several years of development. Yet despite a great deal of time to prepare, companies around the world are still getting up to speed with the privacy regulation designed to protect the personal data of European Union citizens.
Under the regulation, organizations must ensure that they gather and protect their customers’ personal data properly, or face penalties. Companies must design and build their business processes and systems with safeguards to protect personal data from unauthorized access (including from hackers), and with the highest-possible privacy settings by default. A central element of the GDPR is also about data access: Customers have the right to easily access the data organizations collect and be able to ask them to erase it.
There are plenty of hurdles for companies to tackle in the wake of the GDPR. Putting the necessary systems and processes in place has been a steep challenge for even the most well-prepared organizations, which may need to invest in, test and implement a variety of new technology solutions that address compliance. But one essential method can boost a company’s GDPR compliance efforts immensely – multi-factor authentication. It provides customers with the data access the GDPR requires, including on mobile devices, while at the same time it offers a first line of defense against unauthorized access which can lead to data breaches.
The protective power of multifactor authentication
Most data breaches result from stolen credentials, including passwords, through hacking, phishing, or internal security issues. In an attack on consulting firm Deloitte in 2017, a single stolen administrator password helped criminals gain access to the company’s email system.
And in a famous 2013 hack, 40 million customers of retail leader Target had data stolen. Such breaches can be very costly, both in terms of a tarnished company reputation and financial damage. According to research by the Ponemon Institute, the average cost of a data breach globally was USD 3.62 million in 2017.
To protect against unauthorized access, multifactor authentication requires a user to verify their identity by successfully presenting two or more pieces of evidence before gaining access to an account at login or during a transaction. Those factors should be based on something only the user knows; something only the user has; and something only the user is.
The most common verification methods for multifactor authentication include a randomly generated passcode sent by SMS or generated by an app; a phone call; or a biometric device that reads fingerprints or performs retinal and iris scans.
To improve security, those factors need to be of different types. For example, if one factor is a password, the second should be something other than another secret the user knows, so that an attacker who compromises one factor still has to defeat a second, independent one.
Today’s consumers want to easily complete logins and transactions on any device, at any time. For example, perhaps a bank customer wants to log in to her bank account on her mobile phone early in the morning to check her balance. With multifactor authentication, she enters her password but is then also required to enter a one-time verification code before gaining access to her account details.
It’s a win-win – she is able to check her balance quickly from the device of her choice, while knowing that the bank she deals with takes her data privacy seriously. At the same time, the bank is able to comply with regulations to protect her data and keep it private.
Multifactor authentication can boost GDPR compliance
To comply with the GDPR, the issue of data protection and access is key. The GDPR requires organisations to provide customers easy access to their data, while at the same time protecting them from unauthorized access. Thanks to the different types of factors used to verify identity in a practical, user-friendly way, multifactor authentication can play a critical role in boosting compliance.
Data breaches will continue to be a major issue for organizations, which have to constantly battle hacking, phishing scams and internal security issues. And now that the GDPR has been fully implemented, there will be consequences for companies that don’t keep EU citizen data secure.
But multi-factor authentication is a relatively straightforward, basic way to secure access points and protect customer data — from sensitive healthcare information to private financial numbers and account details — from those with malicious intent, as required by the GDPR.
By implementing multifactor authentication, companies can move towards full compliance with European privacy regulations, with proper data protection and access — as well as maintain the trust they have built with loyal customers, which a data breach can quickly destroy.
Download the Essential Guide to Strong Customer Authentication
With the global average cost of a data breach surging to US$3.86 million (2017 Cost of Data Breach Study, Ponemon Institute), customer-facing security is high on the agenda for any business allowing web access to any part of its customer journey.
Tyntec’s new guide explains what multifactor authentication is, why it’s important and how to get started in 10 steps.