CNIL has recently published token access authentication guidelines for online services.
Using token authentication allows users to access an online service, program, or website without having to re-enter their login information. With this kind of authentication, the user can access his online resources as long as the access token remains in use. This lowers the risk of account spoofing, and tokens are frequently used in a two-factor authentication process. In this case, an access token is sent to the user to verify his identity when a login session is initiated by username and password. Even though tokens can occasionally be long-lasting physical tokens, they are most frequently digital or dematerialised tokens that are sent from a server to a terminal and typically have a short validity period. It may be a code or link sent via email or SMS which contains an alphanumeric token.
Digital token authentication can be used in a number of ways, each of which come with its own set of benefits and risks.
Recent years have seen a significant increase in digital token authentication, frequently used in processes for generating, verifying, and renewing passwords. Additionally, it takes advantage of automated server connections to make it easier for users to access services like checkout processes which are saved after the transaction and accessible via email links, forms that collect consent, and pages to unsubscribe from newsletters. Token access authentication can also be used for direct online consultation of documents and data by sending a link and token to the user or robot so they can access documents and information like delivery notes, online office documents, exam results, or other data like the outcomes of a query sent to an API. In response to the user clicking on this link, the server verifies the token’s validity, accepts authentication, and activates the requested functionality. CNIL has published guidelines on token access authentication providing clarity on the risks associated with this form of authentication.
CNIL recommends being transparent and notifying users of the risks associated with token access authentication.
An access token that takes the form of a link might be thought of as a way to have constant access to personal information that is available online. This “gateway” is a weakness in and of itself, and its security risk must be considered. The access token can undermine the integrity or security of user accounts, personal information, or online spaces if it is communicated to or accessible by unauthorised third parties or is intercepted by malicious entities. Phishing methods that have become very popular include sending fake tokens by email or SMS to collect personal data that may be used to assume the victim’s identity. Sites using tokens lawfully are advised to notify their users about the hazards of using tokens and educate them about the spread of these scams.
Tokens used for authentication should always have a time limit
To validate the creation of an account or personal space, a link is typically provided to the user’s email address to verify that they are the owner of that address. Because the verification action must come after the request to create accounts, the token must be given within a few minutes. The access token must prevent the user from automatically logging in to their account after verifying their identity through link tracking. To access the functionalities of the application or online service, he must authenticate using his account credentials. A notification must then be sent to the user (by email or SMS) to verify that his email address is valid and that his account has been created. When linking to a delivery tracking page, a shipping ID number can be utilised as a token. All tokens should have a time limit, from a few minutes for links and codes to a few days for file transfers.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.