Implementing Two-Factor Authentication In DSARs And Beyond

Strong password practices are essential for keeping your company’s and users’ data safe, in processing DSARs and in your general business practices. However, passwords are just one part of the equation. For next-level protection, here’s the 411 on 2FA: two-factor authentication.

The Basics of Two-Factor Authentication

Two-factor authentication, the most common form of multi-factor authentication, is exactly what it sounds like. It is a two-step process to verify that someone is who they say they are. In addition to a password, two-factor authentication requires a second piece of evidence from the user. For instance, a user might have a unique code sent to their email or to an app on their phone, which they then enter as part of the log-in process. Two-factor authentication is growing in popularity across digital services, and it is a fixture of effective fulfilment of data subject access requests (DSARs).

The guiding principle of two-factor authentication is that it is more difficult to gain unauthorized access. While a log-in with just a password requires one piece of information – the password – two-factor authentication would also require a hacker to get hold of the user’s email or phone. A security incident is not impossible with two-factor authentication in place, but it is significantly less likely.

Two-factor authentication is not just an act of good digital hygiene. It is actually a key step in creating compliant privacy ops. In fact, implementing two-factor authentication was highlighted as a key recommendation in President Biden’s cybersecurity executive order issued on May 12, 2021. Let’s look at how two-factor authentication figures into the DSAR workflow as well as operations more broadly.

Two-Factor Authentication in Fulfilling DSARs

A DSAR inherently involves the exchange of personal information. Under regulations like GDPR and CCPA, users are granted the right to receive a copy of the personal information that a company holds on them. Fulfilling a DSAR also typically includes a package of associated information, such as the company’s schedule for retaining that data and any third parties with whom the data has been shared.

GDPR, widely seen as the gold standard for data privacy, requires that companies processing EU users’ data implement security measures to safeguard personal information. If a hacker poses as one of your users and you send them a copy of that user’s data, you risk financial and reputational damage for not sufficiently protecting personal information. Such an incident is a data breach. Failure to implement appropriate authentication steps was one of two violations that led to a €440,000 fine for a Dutch hospital in 2021.

Graphic representing 440,000 euro fine to a Dutch hospital in 2021.

These authentication requirements are not exclusive to GDPR. Regulations like California’s CCPA and Brazil’s LGPD call on companies to implement these reasonable measures to ward off unauthorized access. That’s where two-factor authentication comes in.

When a user submits a DSAR, your team should verify their identity before fulfilling the request. For example, if your website uses an Ethyca-powered Privacy Center, this step comes built into the DSAR process. The user must provide a unique code that is sent directly to them. While that added step makes it more difficult for a hacker to submit a DSAR, it is a simple process on the user’s end to retrieve this code.

An example of two-factor authentication, with a window requesting an email address to which a confirmation code is sent.

Whatever system your team uses to fulfill a DSAR, a robust two-factor authentication process belongs front-and-center to make sure that users remain in control of their data.
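To make the verification step above concrete, here is an added Python sketch (not Ethyca's or the Privacy Center's code) of issuing an e-mailed one-time code for a DSAR and checking it: the code is stored only as a keyed hash, expires, is single-use, and locks after a few wrong guesses. The `send_email` callable, the server key and the limits are assumptions for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60   # assumed: a code is only valid for ten minutes
MAX_ATTEMPTS = 5             # assumed: then the code is discarded and must be re-issued


@dataclass
class PendingVerification:
    code_mac: bytes      # keyed hash of the code, never the code itself
    expires_at: float
    attempts: int = 0


class DsarVerifier:
    """Issues and checks one-time codes e-mailed to the data subject."""

    def __init__(self, server_key: bytes, send_email):
        self._key = server_key          # secret kept out of the request store
        self._send_email = send_email   # hypothetical transport: callable(email, code)
        self._pending = {}              # request_id -> PendingVerification

    def _mac(self, request_id: str, code: str) -> bytes:
        # Binding the request id means a code cannot be replayed against another DSAR.
        return hmac.new(self._key, f"{request_id}:{code}".encode(), "sha256").digest()

    def issue_code(self, request_id: str, email: str, now=None) -> None:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded six digits
        mac = self._mac(request_id, code)
        self._pending[request_id] = PendingVerification(mac, now + CODE_TTL_SECONDS)
        self._send_email(email, code)

    def verify(self, request_id: str, submitted: str, now=None) -> str:
        """Returns 'ok', 'unknown', 'expired', 'locked' or 'mismatch'."""
        now = time.time() if now is None else now
        pending = self._pending.get(request_id)
        if pending is None:
            return "unknown"
        if now > pending.expires_at:
            del self._pending[request_id]
            return "expired"
        if pending.attempts >= MAX_ATTEMPTS:
            del self._pending[request_id]
            return "locked"
        pending.attempts += 1
        if hmac.compare_digest(pending.code_mac, self._mac(request_id, submitted)):
            del self._pending[request_id]   # single use: release the data only once
            return "ok"
        return "mismatch"
```

Only after `verify` returns `"ok"` should the DSAR package be released; every other outcome leaves the request unfulfilled.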

Two-Factor Authentication Across Your Business

As teams’ tech stacks continue to grow, proper access control is foundational to secure business. Alongside practices like using a password manager, teams should require two-factor authentication whenever staff log into any in-house databases or third-party apps that house users’ data. The core objective, as with DSARs, is to limit data access to the parties who have a right to it.

While each system might have slightly different configurations, two-factor authentication generally falls under a heading like “Security Preferences” in your account settings. Two-factor authentication can be delivered by way of a dedicated authenticator app, email, or a text message (though the security of the latter remains contested). Implementing this identity check will take your team just a moment to perform, and it keeps unwanted parties from accessing your systems.

The benefits of two-factor authentication vastly outweigh the small amount of time needed to perform the authentication step. First, your team can demonstrate a greater level of information security to auditors, and a higher security certification can be a selling point for your product. (Note that two-factor authentication is just one step toward a security certification.) Second, your team meets privacy requirements under regulations like GDPR, avoiding costly fines. And finally, your users will enjoy a streamlined experience that also takes steps to protect and respect their data.