examining-the-impact-of-gdpr-on-risk-based-authenticationOn May 25, a new piece of legislation is coming into force in the European Union (EU). The General Data Protection Regulation (GDPR) is probably the most important change to data privacy regulation in 20 years; it’s going to impact the way companies collect, process, and store consumer data. Organizations subject to the GDPR have to take a close look at how their identity and access management processes and security controls will support their ability to comply with the regulation, and make the appropriate adjustments, if necessary. There’s a plethora of information available on this topic, but our CTO, Nishant Kaushik, took a look at this impact from a slightly different angle.

On his blog, Nishant asked the question “Will GDPR Kill Risk-Based Authentication?” His question is based on an exploration of how risk-based authentication (RBA) services that are based on collecting data (anonymized or not) across multiple organizations will collect, process, and store consumer data—in this case, for the purposes of doing authentication—on behalf of their customer organizations. As he points out, that makes the consumer data subject to the GDPR, raising some pertinent questions about how the RBA service model can continue to work in a GDPR world.

What GDPR Means for Our Customers

Uniken’s REL-ID also uses a whole set of user, device, and app data as the basis for its invisible mutual multi-factor authentication. So, of course, we took a look at what GDPR means for our customers. Since REL-ID is not a hosted solution and uses unique cryptographic keys to ensure that you only use data from your unique client interactions, it does not introduce the complication of co-mingled or shared data that risk-based authentication services add. The data remains completely within the control of the organization. Organizations have complete visibility and control over what data is collected as part of the device fingerprinting, as well as easily audit the data and respond to right to be forgotten (RTBF) requests. In fact, using REL-ID application programming interfaces (APIs), organizations can actually give their customers the ability to see the device and historical information themselves and self-manage it.

The fact that REL-ID operates on a deterministic, whitelist-based model (compared to the heuristic, blacklist-based model of risk-based authentication) means that we have no need for the "network effect" that risk-based authentication services require to be effective. It also means that REL-ID is complementary — it is able to exist in conjunction with risk-based solutions, and effectively increase their usefulness by dramatically filtering down the cases where the risk score might end up in a false positive situation. Because the cryptographic credentials at the heart of REL-ID are split between the client and the server, such that neither side is individually sufficient to establish an authenticated connection, the compliance of the strong authentication solution is enhanced since it is practically impossible to compromise  even against advanced attacks like domain name server (DNS) poisoning and network hacks.

Improving Compliance

In addition to being GDPR compliant, REL-ID helps organizations improve their overall compliance with the GDPR (and other regulations like the Payment Services Directive 2 [PSD2]) by satisfying critical requirements for strong authentication and data protection. ENISA published a study that provides guidelines on the appropriate measures to comply with the GDPR. This includes implementing two-factor authentication (2FA) for high-risk and medium-risk cases, something REL-ID provides easily without impacting the customer experience. It also explicitly highlights the need to improve mobile application security as the use of mobile devices, especially personal devices, increases the exposure to theft and accidental loss. Again, REL-ID's unified defense in depth can help secure all personal data on the device because it quickly and easily adds the security elements of rootkit/jailbreak and malware detection, strong authentication, secure channel to encrypt data in transit, and data privacy APIs to encrypt all data stored on the device.

So, if you’re worried about complying with GDPR, PSD2, or other data privacy and security regulations, contact us today to set up a demo of REL-ID and see how we can quickly and easily provide you all the protections you need.