Strong authentication as part of the GDPR strategy
Obviously, passwords alone are not enough to protect company assets, networks, applications, and data. According to Verizon analytics, in 2017, 81% of data leakages worldwide were due to incorrect credentials, stolen or weak passwords. The number of leaks along with the costs of companies and the consequences of these violations increases annually. In order to neutralize these risks, a business should never forget about ensuring the security of its data.
Multifactor authentication is still an indispensable element in the modern digital environment. The cumulative annual growth rate of the hardware tokens market is 8%. Authentication helps to increase security by combining one or more “factors” by helping to identify the person requesting access and verify that he is exactly who he claims to be. These factors include what you have (a smart card or mobile identifier stored on a smartphone or other device); what you know (for example, a PIN), and something that you are (biometric data).
An increasing number of companies are seeking to ensure compliance with regulatory standards, and strong authentication with the event log becomes a rather relevant requirement. Two striking examples are the European Union regulations on the PSD2 payment directive for financial institutions and the privacy requirements of the General Data Protection Regulation of the General Data Protection Regulation (GDPR) for citizens. However, such requirements apply not only to EU companies, but also to many organizations from other parts of the world. Most companies will be affected by the law of GDPR, as well as their country's government initiatives, such as HIPAA for US healthcare.
One of the reliable methods for deploying multifactor authentication for employees is to use a hardware token. This is often a small pocket device that calculates a sequence of numbers that is valid for a limited period of time and used as a one-time password (OTP). The user enters this code (something that he has) plus a PIN code (something that he knows) to confirm his identity to gain access. In fact, this value is compared with the value calculated on the internal server authentication platform using the same techniques and source data, including time and event counters, authentication keys and algorithms. If the OTP matches the received value, the user is granted access, and this event is logged in the audit trail of the platform.
Hardware tokens have been around for more than a decade, and they are still popular with many organizations. Employees understand how to use them, and the tokens themselves do not fail for a long time. In addition, tokens have already gone beyond the standard form factor in the form of a key fob. Today, there are devices that fit in the wallet. They are strong enough to be used, and they can be used even by visually impaired people.
The scope of application of hardware tokens can be completely different:
- Authentication for access to workstations, cloud applications, remote access to resources;
- Conducting financial transactions, updating data, executing orders;
- Encryption of signatures, hard drives, email, etc.
Not all authentication requirements for companies are the same, and many organizations are looking for a “compromise” between different types of authenticators. For the convenience of business today on the market there are many different types of tokens. Among them:
- Generators one-time passwords. OTP tokens generate a random password that cannot be reused. The use of these devices can be part of a strategy for complying with PSD2 and GDPR directives.
- BlueTooth tokens. These devices send a unique secure code via Bluetooth and NFC, ensuring ease of use and security. Helps to meet PSD2, GDPR and FIPS 140 requirements.
- Smart USB tokens. They support all the functions of a smart card based on public key infrastructure (PKI), and there is no need to use card readers. Ensure compliance with FIPS 140.
Modern devices offered on the market today also have a number of advantages:
- Security. The devices are autonomous and resistant to cracking, support several options for security standards, such as 3DES, OATH and FIDO.
- Flexibility. Today, there are many form factors tokens. They are convenient to use (one click of the mouse button), and their service life is quite long.
- Complexity. A complete ecosystem of tokens is usually provided along with the infrastructure to provide effective support.
- Compliance with the requirements. Many organizations around the world require strong authentication to ensure secure access and to protect confidential information. The use of hardware tokens will help ensure compliance with the complex regulatory requirements of regulatory authorities.
In today's dynamic environment, trusting users who present their personal data and effectively managing access to resources requires a comprehensive solution for personal identification, which is based on strong authentication. The introduction of such solutions will improve the reliability of user identification and provide effective protection for the company from current and future threats.
Olivier Frion, Global Solution Marketing Director, IAM Solutions HID Global