GDPR has now been in effect for a few months, which has been very evident from the number of compliance statements and tick boxes we all must review to access online services. While informing users about data processing, requesting their consent and honouring it is important, there are also many practical organizational and technical security measures that must be implemented to truly pass the bar of GDPR.
One good practical guideline on these measures is provided by the European Union Agency for Network and Information Security (ENISA): https://www.enisa.europa.eu/publications/guidelines-for-smes-on-the-security-of-personal-data-processing
The guideline recommends two-factor authentication for access to systems that process personal data. How broadly this should be applied in a typical IT landscape greatly depends on the definition of “personal data”, which for GDPR is much wider than many people realize. As a result, the recommendation should be carefully considered for most corporate IT systems, excluding only those for which it is clear it does not apply.
As the scope and use of multi-factor authentication (MFA) expand, the characteristics of the solution used also become more important:
- With more employees using MFA more frequently, the user experience should be as good as possible without compromising on security. Solutions that are difficult to use or maintain reduce productivity and could make users resent, or even attempt to bypass, necessary security measures.
- The only thing worse than having to use a difficult authentication solution is having to use more than one. A single solution must be able to fulfill all the access management requirements.
- Availability of the MFA solution is critical, both on a system level and on an individual user level. On a system level, it must provide zero-downtime operation. On an individual user level, multi-factor authentication cannot become a “single point of failure” that prevents users from performing their work.
To address these requirements, RCDevs continuously develops and improves its solutions. Good examples of this are One-Tap Approve/Deny login, comprehensive integration capabilities and easy-to-use self-service.