Thales Blog

How FIDO 2 authentication can help achieve regulatory compliance

June 24, 2021

Sarah Lefavrais | IAM Product Marketing Manager

Businesses are governed by an increasingly complex network of regulations, jurisdictions, and standards which dictate security and privacy requirements. One common denominator in all regulations is the need for strong authentication.

Strong authentication is the key to eliminating a large percentage of cyber-attacks, including those based on stolen credentials and the credential stuffing that follows. The retail sector in particular is a lucrative target for credential stuffing attacks, resulting in billions lost every year.

FIDO2 offers high-assurance strong authentication because it is based on passwordless, multi-factor authentication technologies in which at least one factor is public key cryptography. One of the great benefits of FIDO2 is that it is not susceptible to phishing, man-in-the-middle and other attacks that target user credentials.

As such, FIDO2 can become an enabler for regulatory compliance. In the following paragraphs we will examine use cases where FIDO2 simplifies compliance with privacy and security regulations, namely GDPR, CCPA and PSD2.

Compliance with GDPR and CCPA

According to both regulations, data subjects (citizens of the EU and of the State of California) have the rights of access, rectification, erasure, and portability over their personal data. A key component of delivering these capabilities securely is to ensure the authenticity and validity of the identity of the individuals exercising these data rights. Organizations storing and processing such personal data therefore need to be able to demonstrate that it was the individual concerned who requested that their data be changed. Failure to do so could trigger violations of other regulatory requirements.

To enforce a multi-factor authentication regime, many organizations employ solutions with biometrics as a second factor. However, according to GDPR, biometrics are “sensitive personal data” and “processing of biometric data shall be prohibited” unless the organization meets a handful of conditions. One of the conditions required for lifting the restriction of processing biometrics is to store this data locally on a privately owned device and not transmit this attribute outside of the device. During the authentication process, only a token indicating the success or failure of the individual’s recognition is to be transmitted.

The FIDO2 standard and the devices that support it are designed to protect personal data while keeping authentication simple and efficient. FIDO2 is based on public key cryptography: the keys are generated and stored locally on the authentication device, with no shared secret held on the server side. The authentication response is encrypted, protecting against phishing and man-in-the-middle attacks, while the biometrics are only stored and processed on the user's device.

Compliance with PSD2

The European Union Payment Services Directive (PSD2) aims to create an integrated European payments market, making payments safer and more secure in order to protect consumers. One of the key requirements of PSD2 is Strong Customer Authentication (SCA) through the use of multiple authentication factors where “the breach of one of the elements does not compromise the reliability of the other elements.” To achieve this security requirement, the PSD2 directive requires payment service providers to employ a “multi-purpose device” that protects the independence of the authentication factors through “the use of separated secure execution environments.”

Banks and payment service providers can leverage FIDO2-accredited devices to meet the compliance requirements of the European Banking Authority. The use of asymmetric cryptography helps to mitigate all known attacks that target “shared” credentials such as passwords. The biometrics and the security keys used provide the “what you are” and “what you have” authentication factors while offering enhanced user convenience. Finally, as noted above, the biometrics never leave the FIDO2 authentication device, enabling compliance with the GDPR and CCPA requirements for the protection of sensitive personal data.

As we have seen in the previous articles, FIDO2 offers a user-convenient, passwordless, multi-factor authentication solution that can be integrated with other established authentication mechanisms. The question businesses need to answer is which device to choose from those offered by the various vendors.

Continue the conversation on FIDO here: FIDO 2 authentication: A truly frictionless access control beyond weak passwords, Will FIDO replace other types of authentication?, and 5 benefits of combining your PKI with FIDO2 to secure your apps.