The EU’s General Data Protection Regulation (GDPR) does not outlaw authentication with only a username and a static password as such, but it does outlaw protecting sensitive information about EU citizens with measures that are too weak for the risk involved, writes Bjørn Søland, technical expert at identity and security company Nexus Group.
The GDPR requires organizations to carry out risk assessments, and if an assessment shows that username and a static password is an adequate authentication method for the data and the threats in question, then passwords are acceptable.
Passwords will be outlawed by the GDPR
For example, one (very impractical) scenario could be that the software handling the sensitive information about EU citizens is installed locally on a computer with no internet connection, locked in a room with very good physical access control.
But in the overwhelming majority of real-life scenarios, a password alone offers a low level of security: it can be phished, guessed, keylogged or reused from another breach. Such scenarios therefore fall on the wrong side of the GDPR's requirements, and passwords are effectively outlawed.
It will be interesting to see how organizations are going to do their risk assessments and what conclusions they will come to regarding the use of passwords, and what conclusions the auditing bodies will come to. But in my opinion, organizations should not dare to risk their compliance by sticking with passwords, especially not since there are now so many other reasons to switch to two-factor authentication (2FA).
1FA + 1FA is not 2FA
And for those of you who do not think about security daily, I would like to underline that 1 plus 1 does not always equal 2 in security arithmetic. Authentication with a username and a static password (one-factor authentication, 1FA) to log in to the computer, followed by another layer of 1FA to log in to the system holding sensitive information about EU citizens, does not add up to 2FA. Both passwords are the same kind of factor, something the user knows, and an attacker who can phish, keylog or guess one of them can usually do the same to the other. The factor count is about the number of distinct kinds of evidence (something you know, something you have, something you are), not the number of login prompts. It might not seem obvious to everybody, but 1FA + 1FA = 1FA.
It is already mandatory to protect cloud services containing sensitive information about individuals with 2FA, and we at Nexus help organizations with this daily. This has also given us good insight into what the login situation looks like for both cloud and on-premises services, and let me put it like this: both we and all organizations handling sensitive information about EU citizens will have a lot to do before May 25, 2018.