GDPR Requires Better Methods Of Authentication

Just over a year ago the EU General Data Protection Regulation (GDPR) came into effect and this law is now enforcing a far more secure data management regime.  The GDPR  goes wider than just the EU as it effects any global organisations which works within the EU. It has brought tighter data and privacy rights for users.

As many of the cyber-attacks on organisation come from phising emails and weak or stolen passwords and could quite easily have been prevented by organisations improving their customer authentification process.

Indeed, one-time passwords (OTPs) have been shown to be easily susceptible to phishing attacks.  What is needed are authentication methods that transcend the legacy of the password and centrally stored shared secrets (including OTPs) in favor of an approach that leverages public key cryptography and allows users to authenticate locally with devices they use every day.

As the regulatory landscape that businesses need to navigate is becoming more complex, patching systems to satisfy the bare minimum of GDPR simply will not do going forward. Not only does this risk backfiring as the risk of breaches rises, but it also ignores the customer who in many cases expects, or even demands, smoother methods of authentication than have been offered in the past.

Biometrics Authentification 
Over the past few years, more and more consumers and businesses are coming into contact with biometric authentication in their daily lives.  This is largely due to more readily available biometric capabilities in every-day devices as well as the increased robustness of security in biometrics, which is continuing to stimulate an increased trust in replacing password entry with swiping a finger, speaking a phrase or looking at a camera on a device.

Defined as ‘sensitive personal data’ under GDPR, biometrics are now tightly regulated and any handlers of it must perform stringent assessments prior to any processing taking place. That is good news, and has not hindered continued development of services leveraging biometrics securely.

On the contrary, entities can now leverage biometric authentication while avoiding the liability associated with having to collect, control, or process the data themselves. 

Turning the Tide
The last ten years has seen the development of international standards for authentication that are a natural fit with the new regulatory requirements, while also helping to augment innovative technologies that simplify and strengthen authentication for businesses and users alike. 

The Fast IDentity Online Alliance (FIDO) has developed standards that not only provide stronger authentication with a better user experience, but that also fully comply with regulations pertaining to data security, biometrics, consent and individual rights.

Indeed, the international standards community has been working diligently over the past several years to deliver a common mechanism that strictly complies with GDPR and other regulations without requiring online service providers to purchase or distribute special software or hardware to their users.

This emerging open standards ecosystem for user authentication, complete with third-party certification programs for independent validation, is well positioned to reduce the risk and costs of GDPR compliance around the world.

Infosecurity Magazine:

You Might Also Read:

Clayden Law: GPPR Is 1-Year Old:

Using Identity Access Management:

 

 

 

« Expert Hacker Spared Jail
Cyber Security Threats Are Growing In 2019 »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

it-sa 365

it-sa 365

it-sa 365 is a digital platform for connecting IT security vendors and experts with those who bear responsibility for IT security in management and technology.

maCERT

maCERT

maCERT is the national Computer Emergency Response Team for Morocco.

Karlsruhe Institute of Technology (KIT)

Karlsruhe Institute of Technology (KIT)

KIT is a leading research and education institutions with strong capabilities in information systems and security.

Global Station for Big Data & Cybersecurity (GSB)

Global Station for Big Data & Cybersecurity (GSB)

GSB is an interdisciplinary research hub to cover big data, information networks, and cybersecurity.

CyberTrap

CyberTrap

CyberTrap is an advanced highly-interactive deception technology allowing real-time analysis and control of security breaches.

Tempered Networks

Tempered Networks

Tempered Networks delivers the first purpose-built platform for IIoT cybersecurity that allows customers to connect and secure devices in minutes without the need for specialized skills.

e-Crime Bureau

e-Crime Bureau

e-Crime Bureau is a specialized company offering cyber/computer forensics, cyber security consulting services, forensic audit and investigations services and training to clients across Africa.

Joint Accreditation System of Australia and New Zealand (JASANZ)

Joint Accreditation System of Australia and New Zealand (JASANZ)

JASANZ is the joint national accreditation body for Australia and New Zealand. The directory of members provides details of organisations offering certification services for ISO 27001.

Echosec Systems

Echosec Systems

Echosec Systems is a data discovery company delivering social media and dark web threat intelligence. Our web based security software delivers critical information for situational awareness.

Singular Security

Singular Security

Singular Security help public and private organizations minimize cybersecurity risk and pass their IT compliance audit.

UK Cyber Security Council (UKCSC)

UK Cyber Security Council (UKCSC)

The role of The UK Cyber Security Council is to champion the cybersecurity profession across the UK, provide representation for the industry, accelerate awareness and promote excellence.

Trusted Security Solutions (TSS)

Trusted Security Solutions (TSS)

TSS are specialist in IT Security and providing Cybersecurity Solutions & Services combined with storage and backup.

Sendmarc

Sendmarc

Sendmarc automates the process of protecting your domain from being used in email impersonation and phishing attacks.

Telindus

Telindus

Telindus is the strategic IT partner for the flexible organization of the future. We build optimal IT infrastructure with four components: networking, cloud, cybersecurity and data & AI.

DruvStar

DruvStar

DruvStar provides B2B cybersecurity around threat management to strengthen businesses across attack vectors.

Securadin

Securadin

Securadin - Defending Your Data Security. We will assist you in learning how to maintain the confidentiality, integrity, and availability of your organization's assets.