Passwords + GDPR = big risk of non-compliance

The EU’s new General Data Protection Regulation (GDPR) does not outlaw authentication with only username and a static password – but it outlaws the use of too weak protection of sensitive information about EU citizens, writes Bjørn Søland, technical expert at identity and security company Nexus Group.

The GDPR requires organizations to do risk assessments, and if an assessment shows that using username and a static password as authentication method will not lead to problems, then it is okay to use passwords.

Passwords will be outlawed by the GDPR

For example, one (very impractical) scenario could be that the software handling the sensitive information about EU citizens is installed locally on a computer without internet connection, which is locked up in a room with very good physical access control.

But in the overwhelming majority of real-life scenarios, passwords offer a low level of security, and are therefore outlawed by the GDPR.

It will be interesting to see how organizations are going to do their risk assessments and what conclusions they will come to regarding the use of passwords – and what conclusions the auditing bodies will come to. But in my opinion, organizations should not dare to risk their compliance by sticking with passwords – especially not since there now are so many other reasons to switch to two-factor authentication (2FA).

1FA + 1FA is not 2FA

And for those of you who do not think about security daily, I would like to underline that 1 plus 1 not always equals 2 in security arithmetic. Authentication with username and a static password (one-factor authentication, 1FA) for login to the computer and then another layer of 1FA for login to the system with sensitive information about EU citizens do not equal 2FA. It might not seem obvious to everybody, but 1FA + 1FA = 1FA.

It is already mandatory to protect cloud services containing sensitive information about individuals with 2FA, and we at Nexus help organizations with this daily. This has also given us a good knowledge of what the login situation looks like for both cloud and on premise services; and let me put it like this: both we and all organizations handling sensitive information about EU citizens will have a lot to do until May 25, 2018.

Published 29 March, 2018

This website uses cookies

Cookies consist of small text files. They contain data that is stored on your device. To enable us to place certain types of cookies we need to obtain your consent. At Technology Nexus Secured Business Solutions AB, corp. ID no. 556258-0414, we use the following kinds of cookies. To read more about which cookies we use and storage times, click here to access our cookies policy.

Manage your cookie-settings

Necessary cookies

Necessary cookies are cookies that must be placed for basic functions to work on the website. Basic functions are, for example, cookies which are needed so that you can use menus on the website and navigate on the site.

Functional cookies

Functional cookies need to be placed on the website in order for it to perform as you would expect. For example, so that it recognizes which language you prefer, whether or not you are logged in, to keep the website secure, remember login details or to be able to sort products on the website according to your preferences.

Cookies for statistics

For us to measure your interactions with the website, we place cookies in order to keep statistics. These cookies anonymize personal data.

Cookies for ad-tracking

To enable us to offer better service and experience, we place cookies so that we can provide relevant advertising. Another aim of this processing is to enable us to promote products or services, provide customized offers or provide recommendations based on what you have purchased in the past.