top of page
  • Stewart Room

Is multi factor authentication compulsory in law?

Updated: Oct 27, 2023

How does a person prove who they are when using a computer system? The operational security answer is the process of authentication; we register ourselves with the system through the selection of a username and when we login we authenticate ourselves by giving our password, which we selected during the registration process. The reason why the password authenticates us is because it's known only to us. The computer system itself will not know the password (or it should not), but it will hold a one way hash of it, which was generated by a cryptographic algorithm when the user registered. When the user enters their password on login, another hash is created, which the computer system compares with the one stored and if they match, the user is authenticated and they can use the computer resources that they are registered for.

What I've just described is known as single factor authentication. The password is it. If you have to apply another credential, that is known as two factor authentication. If you have to apply more, that is multi factor. It's important to keep these ideas in mind, as they'll be useful in a moment.

For further context, authentication revolves around the ideas of something you know, something you have and something you are. The password is something you know, but these can be weak and easily guessed. Another problem is password reuse and sharing. Or other poor security hygiene, such as writing it down and leaving it available in a place where others have access.

Something you have used to be represented by small physical devices that the banks dished out. They came in many varieties, but now they're app based on smart phones etc. Some also had the advantage of being able to add "freshness" to authentication, through the use of constantly changing numbers.

Something you are is your biometrics, which has moved rapidly from fingerprints to facial recognition and voice recognition.

All forms of authentication are vulnerable to attack, but the more factors that are applied, the greater is the defence in depth.

But what does the law require? If you've followed my blogs, you'll know the answer, which is that the detail of law is found in operational security itself.

Interesting, a blog from the Information Commissioner's Office caught my eye yesterday. The covering post on LinkedIn said:

"You should not use single-factor authentication if it can lead to access to personal data. Instead, use multi-factor authentication for example signing in to a social media account with your username and password but also needing a pin sent via text to log in."

What's happening here is the effect that I've described before: the law is incorporating operational security, to add clarity to the details. If we take ICO's blog as representative of it's likely views in enforcement actions, then we'd reasonably conclude that the absence of multi factor authentication will constitute a breach of the GDPR's security rules.

But remember the difference between two and multi factor. ICO talks about multi, not two, so there is still some ambiguity, as it seems from what's been described that ICO considers that two factor constitutes multi factor. They're not alone in that, as often 2FA and MFA are used interchangeably, but there is still a distinction.

If we apply the categorisation that I've outlined, then my view of the law is that it cannot be reasonably interpreted as always requiring multi factor. My sense of the consensus of expert opinion for operational security is that there is a difference between 2FA and MFA.

However, if you aren't using at least 2FA to protect systems holding personal data, you can extrapolate that you might have potential for legal problems.


Recent Posts

See All


Commenting has been turned off.
bottom of page