Strong password practices are essential for keeping your company’s and users’ data safe, in processing DSARs and in your general business practices. However, passwords are just one part of the equation. For next-level protection, here’s the 411 on 2FA: two-factor authentication.
Two-factor authentication (2FA) is the most common form of multi-factor authentication (MFA), and it is exactly what it sounds like: a two-step process to verify that someone is who they say they are. In addition to a password (something the user knows), it requires a second, independent factor, usually something the user has. For instance, a user might have a unique code sent to their email or to an app on their phone, and they input this code as part of the log-in process. Two-factor authentication is growing in popularity across digital services, and it is a fixture of effective fulfilment of data subject access requests (DSARs).
The guiding principle of two-factor authentication is that it makes unauthorized access harder. A log-in with just a password requires one piece of information, the password, which may already have been leaked in a breach or guessed; two-factor authentication would also require an attacker to get hold of the user’s email account or phone. A security incident is not impossible with two-factor authentication in place (an attacker who phishes the one-time code in real time, or who takes over a phone number by SIM swapping, can still get through), but it is significantly less likely.
Two-factor authentication is not just an act of good digital hygiene. It is actually a key step in creating compliant privacy ops. In fact, implementing two-factor authentication was highlighted as a key recommendation in President Biden’s cybersecurity executive order issued on May 12, 2021. Let’s look at how two-factor authentication figures into the DSAR workflow as well as operations more broadly.
A DSAR inherently involves the exchange of personal information. Under regulations like GDPR and CCPA, users are granted the right to receive a copy of the personal information that a company holds on them. Fulfilling a DSAR also typically includes a package of associated information, such as the company’s schedule for retaining that data and any third parties with whom the data has been shared.
GDPR, widely seen as the gold standard for data privacy, requires that companies processing EU users’ data implement security measures to safeguard personal information. If a hacker poses as one of your users and you send them a copy of that user’s data, you risk financial and reputational damage for not sufficiently protecting personal information. Such an incident is a data breach. Failure to implement appropriate authentication steps was one of two violations that led to a €440,000 fine for a Dutch hospital in 2021.
These authentication requirements are not exclusive to GDPR. Regulations like California’s CCPA and Brazil’s LGPD call on companies to implement reasonable security measures to ward off unauthorized access. That’s where two-factor authentication comes in.
When a user submits a DSAR, your team should verify their identity before fulfilling the request. For example, if your website uses an Ethyca-powered Privacy Center, this step comes built into the DSAR process. The user must provide a unique code that is sent directly to them. While that added step makes it more difficult for a hacker to submit a DSAR, it is a simple process on the user’s end to retrieve this code.
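As an added example (this is not Ethyca’s Privacy Center code), here is a minimal server-side implementation in Python of the emailed-code check described above. The policy values (ten-minute validity, five attempts, six digits), the function names and the `PendingRequest` record are assumptions for illustration. The points a practitioner cares about are that the code comes from a cryptographic random source, only a salted hash of it is stored, it expires, it is single-use, guessing is cut off after a few attempts, and the comparison runs in constant time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy values for this example; tune them to your own risk appetite.
CODE_TTL_SECONDS = 600   # a code is valid for 10 minutes
MAX_ATTEMPTS = 5         # after 5 wrong guesses the request is locked
CODE_DIGITS = 6          # 10**6 possibilities; MAX_ATTEMPTS keeps guessing infeasible


@dataclass
class PendingRequest:
    """State kept server-side for one DSAR awaiting identity verification (hypothetical record)."""
    request_id: str
    contact: str        # address already on file for the data subject, NOT one typed into the form
    salt: bytes
    code_hash: bytes    # only a salted hash is stored; a database leak does not expose live codes
    expires_at: float
    attempts: int = 0
    verified: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


def issue_code(request_id: str, contact: str, now: float) -> tuple[PendingRequest, str]:
    """Create a pending request; return it with the plaintext code the caller sends to `contact`."""
    # secrets (a CSPRNG) rather than random.randint, which is predictable.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    pending = PendingRequest(
        request_id=request_id,
        contact=contact,
        salt=salt,
        code_hash=_hash_code(code, salt),
        expires_at=now + CODE_TTL_SECONDS,
    )
    return pending, code


def verify_code(pending: PendingRequest, submitted: str, now: float) -> str:
    """Check a submitted code. Returns one of: verified, already_used, expired, locked, invalid."""
    if pending.verified:
        return "already_used"          # a code is single-use
    if now > pending.expires_at:
        return "expired"
    if pending.attempts >= MAX_ATTEMPTS:
        return "locked"                # caller should issue a fresh code out of band
    pending.attempts += 1
    # Constant-time comparison so timing cannot leak how much of the code matched.
    if hmac.compare_digest(_hash_code(submitted, pending.salt), pending.code_hash):
        pending.verified = True
        return "verified"
    return "invalid"


if __name__ == "__main__":
    import time

    pending, code = issue_code("dsar-42", "subject@example.com", now=time.time())
    # In a real flow the code is emailed/texted to pending.contact; here we use it directly.
    print(verify_code(pending, code, now=time.time()))   # verified
    print(verify_code(pending, code, now=time.time()))   # already_used
```

Note the `contact` field: the code must go to the address the company already holds for the data subject, not to whatever address the requester typed into the form, otherwise the check only proves the attacker controls an inbox of their own choosing.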
Whatever system your team uses to fulfill a DSAR, a robust two-factor authentication process belongs front-and-center to make sure that users remain in control of their data.
As teams’ tech stacks continue to grow, proper access control is foundational to secure business. Alongside practices like using a password manager, teams should implement two-factor authentication for whenever staff log into any in-house databases or third-party apps that house users’ data. The core objective, as with DSARs, is to limit data access to the parties who have a right to access it.
While each system might have slightly different configurations, two-factor authentication generally falls under a heading like “Security Preferences” in your account settings. Two-factor authentication can occur by way of a special authentication app, email, or a text message. Prefer an authenticator app or a hardware security key where the service offers one: text-message codes can be intercepted through SIM swapping, and NIST’s digital identity guidelines (SP 800-63B) classify SMS one-time codes as a restricted authenticator. Enabling this identity check takes just a moment for each team member. However, it keeps unwanted parties from accessing your systems.
The benefits of two-factor authentication vastly outweigh the small amount of time needed to perform the authentication step. First, your team can demonstrate a greater level of information security to auditors, and higher security certification can be a selling point for your product. (Note that two-factor authentication is just one step toward a security certification.) Second, your team moves toward meeting privacy requirements under regulations like GDPR, reducing the risk of costly fines. And finally, your users will enjoy a streamlined experience that also takes steps to protect and respect their data.