According to Verizon’s 2017 Data Breach Investigations Report (DBIR), 63% of confirmed breaches stemmed from compromised credentials, and 81% of hacking-related breaches involved either stolen or weak passwords.
So what’s the takeaway? Better identity authentication is key to mitigating breach risk under the GDPR.
Legacy authentication systems reliant on a single, simple factor (e.g., a user-generated password, challenge question, or text-based one-time password) don’t stand a chance against hackers, and increase the risk of non-compliance with the GDPR.
Clearly stronger authentication methods are needed, yet each new bit of friction introduced into the system risks alienating consumers. The more complicated login becomes, the more likely your customers are to give up and go to the competition.
Overcoming modern fraud and authentication problems — while actually improving customers’ online experience — calls for a completely new way of thinking.
Decentralized credentials shatter the attack surface
Storing all authentication credentials in a single, central database creates a lucrative and all too enticing target for hackers. We saw prime examples of this in the Cloudflare leak of 2017 and the Yahoo! data breaches of 2016.
Decentralization removes the target by shifting credential storage and authorization to the end point. Without a centralized target, hackers have no way of stealing and reusing identity information at scale.
How does decentralization work? Rather than end-users supplying credentials to the application through one central, public authentication layer (in band), the application requests authorization directly from a layer on the user's device that only the end-user can access (out of band).
Separating the authentication process from the application reduces the business’s liability and keeps encrypted credentials — and risk — dispersed.
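The out-of-band flow described above, as an added example that is not code from the original post or from any vendor: the server stores only a per-user public key (nothing a thief could replay as a credential), issues a one-time random challenge, and the device, which alone holds the private key, signs it after the user approves. The names Server, Device, Enroll, Challenge, Approve and Verify are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device keeps the private key on the end-user's device; it never reaches the server.
type Device struct{ priv ed25519.PrivateKey }

// Server holds public keys and outstanding challenges only. A breach of this
// data yields nothing that can be reused to log in.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll pairs a device with a user once: the key pair is generated on the
// device and only the public half is registered with the server.
func Enroll(s *Server, user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return &Device{priv: priv}, nil
}

// Challenge issues a fresh 32-byte nonce and remembers it for a single use.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Approve is the device-side step: after the user consents, the device signs the nonce.
func (d *Device) Approve(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// Verify consumes the pending challenge first, so a captured signature cannot be
// replayed, then checks it against the registered public key.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	nonce, pending := s.pending[user]
	if !ok || !pending {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, nonce, sig)
}

func main() {
	s := NewServer()
	dev, _ := Enroll(s, "alice")
	nonce, _ := s.Challenge("alice")
	fmt.Println("login approved:", s.Verify("alice", dev.Approve(nonce)))
}
```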
This approach not only creates a stronger authentication mechanism that is more convenient to the end-user, it has the added benefit of being more GDPR friendly. GDPR compliance requires only collecting and storing those data necessary for an intended purpose, a requirement intended to reduce the amount of data hackers may access in a breach.
A decentralized approach goes further in minimizing the amount of personal data you have to store and secure, significantly reducing your attack surface.
Decentralized risk = decreased breach risk
Single-factor authentication is another form of centralization. It concentrates one hundred percent of the risk in one of the three factors of authentication:
- Knowledge – Something you know. (e.g., password, PIN code, challenge question)
- Possession – Something you possess. (e.g., physical device, security token, smartphone)
- Inherence – Something you are. (e.g., fingerprint, facial recognition, iris scan)
The knowledge factor of authentication has received a lot of bad press lately, and for good reason. The theft, over the last decade, of more than 6 billion usernames, passwords and online credentials has given hackers and fraudsters a steady supply of ammo with which to chip away at cyber defenses. These credentials enable fraud attempts, feed account takeovers, and lead to lateral attacks that compromise not just single accounts, but whole systems and databases. Using a single possession or inherence factor isn't much more secure, because there is still a single point of failure.
Multifactor authentication (MFA) requires users to authenticate with more than one factor type concurrently. It is most effective when knowledge, possession, and inherence factors are used dynamically, giving users and admins the flexibility to select their preferred method of authentication. This layered approach provides a strategic advantage: it is more secure, and if cybercriminals are targeting or circumventing one authentication method, you can switch to another.
From a consumer experience perspective, multifactor authentication can also reduce friction if executed properly. If users are allowed to choose their preferred authentication methods, they're more likely to prefer your authentication experience over your competitors', a boost to your brand.
Reduced exposure to breach risk under GDPR
There’s no silver bullet that will make your organization GDPR compliant, but decentralized multifactor authentication ultimately leads to a reduced attack surface — and therefore reduced breach risk. This in turn lowers the chance that your organization could incur hefty fines under the GDPR, not to mention the potential loss of brand reputation.
When done well, the above practices can also improve your customers’ user experience and give your business a competitive edge. Don’t let identity authentication be the weak link in your GDPR compliance efforts.
To learn more about how to secure the customer journey while mitigating breach risk under the GDPR, join our upcoming webtalk on Thursday, May 10, titled "4 GDPR Hacks to Mitigate Breach Risks Post GDPR".