
New guidelines, new investigations. Interviewed in October, during Cybersecurity Awareness Month, the CNIL President, Marie-Laure Denis, revisited the CNIL’s recommendations of April 1st 2025 on securing large databases, issued following the significant increase in data breaches in 2024, which affected several million data subjects. It appears that 80% of the major breaches identified in 2024 were enabled by the compromise of an employee or contractor account that was protected only by a password. These recommendations consider multi-factor authentication (“MFA”) a key measure for securing remote access to large databases. The CNIL President stressed that investigations will begin in 2026, focusing in particular on the implementation of MFA. This could result in sanctions in cases of non-compliance.

What is at stake? Companies that process personal data and either have an establishment in France or handle data about individuals residing in France (and therefore fall within the CNIL’s jurisdiction) can be subject to CNIL investigations. These companies should promptly ensure that their use or provision of MFA complies with the GDPR, as interpreted by CNIL’s guidance on MFA.

Entities subject to MFA-related requirements, such as payment service providers (under the PSD2 Directive No. 2015/2366), qualified authentication certificate providers (under the eIDAS Regulation No. 910/2014), or providers of digital healthcare services (under the General Security Policy for Health Information Systems), are particularly impacted by this guidance.

What is MFA? The CNIL defines MFA as a method aimed at verifying proof of identity before granting access to the resources of an information system (computer, network share, website, mobile application, etc.) that requires the user to provide at least two of the following three verification factors (called “authentication factors”):

  • A knowledge factor, i.e. a secret to be memorized (e.g. a password, or confidential code such as a PIN (Personal Identification Number)).
  • A possession factor, i.e. a secret element that cannot be memorized (e.g. a cryptographic key), allowing participation in authentication protocols (e.g. OTP protocols) and contained in a unique physical object that ideally protects this element from extraction. In practical terms, this may be:
    • a hardware token, i.e., a dedicated hardware device, ideally equipped with a security component, provided by the verifier (e.g. a smart card, an authentication USB key, an OTP authenticator, etc.); or
    • a device-bound soft token based on an application associated with an enrolled device.
  • An inherent factor (i.e. a physical characteristic that is inseparable from a person) which may be morphological (e.g. a fingerprint), behavioral (e.g. voice) or biological (e.g. DNA).

What are the key takeaways? In its guidance, the CNIL specifies how the main GDPR principles apply to MFA. In particular, the following key takeaways are worth noting:

  • MFA cannot be considered a general and systematic security measure required by the GDPR, in particular by Articles 5(1)(f) and 32 of the GDPR, which emphasize the need for appropriate technical and organizational measures to ensure confidentiality and integrity during data processing. It is necessary to balance the security benefits provided by MFA against the potential consequences for the data subjects (e.g., discouraging access to the service, collecting additional personal data). For processing operations involving sensitive data under Article 9 of the GDPR (e.g., health data) and high-risk activities for data subjects (e.g. system and network administration, access to professional email), the CNIL recommends the use of MFA. For low-risk processing or operations, MFA should be allowed but not imposed.
  • To ensure data protection by design and by default, MFA based on knowledge and possession factors shall be prioritized whenever possible, particularly in a professional context, instead of the use of an inherent factor, which entails higher risks for data subjects given the processing of sensitive data.
  • As regards the GDPR qualifications, the entity which rolls out an MFA solution within its information system is considered as the data controller. The entity that chooses to use a SaaS-based MFA provider will be considered the data controller, while the SaaS solution provider will act as the processor. Please note that this remains a case-by-case analysis to be carried out considering the effective roles of the entities.
  • The minimization principle requires the data controller to ensure that the personal data processed for authentication is necessary for the provision of the authentication service. By way of example, an employee’s personal mobile phone (possession factor) could be used for authentication in several ways: (1) sending a one-time password (“OTP”) via SMS, which would require the employer to process the employee’s personal phone number; or (2) installing a time-based OTP application on the employee’s device, which stores a key provided by the employer and then displays OTP codes upon request. This second method should be preferred as it requires less data (i.e. it does not require the employer to collect or use the employee’s phone number). Likewise, the employer shall implement security measures ensuring that a minimum of personal data is processed (e.g. segregation between the data processed by the OTP application and the employee’s other personal data on their private device).
  • Appropriate data retention periods shall be defined. Data controllers may refer to the CNIL’s Deliberation No. 2022-100 of July 21, 2022 adopting a recommendation on passwords and other shared secrets, and repealing Deliberation No. 2017-012 of January 19, 2017 (“the CNIL’s Recommendation on Passwords”) for guidance on the retention of data related to knowledge-based factors and to the Regulation on Access through Biometric Authentication in the Workplace for guidance on the retention of biometric data in professional contexts. The retention modalities for data related to possession factors depend on the technology used (e.g. OTPs are not retained after use, whereas certificates are retained until expiration or revocation). Retention periods of authentication systems logs may be defined on the basis of specific legal provisions which may justify particular retention durations, depending on the nature of the processing (e.g., the Regulation on Access through Biometric Authentication in the Workplace). In the absence of specific provisions, it is recommended to refer to the CNIL’s Deliberation No. 2021-122 of October 14, 2021 adopting a recommendation on logging, which generally advises a retention period of 6 to 12 months.
  • Data subjects’ rights shall be ensured. In particular, the purpose of MFA may be described as securing the processing, without specifying the specific security measures implemented. Information under Articles 13 and 14 GDPR may be provided at various stages of account management where access is conditioned by MFA (during user registration; when authentication factors are issued or activated; during use of the MFA solution for authentication purposes; when the account is suspended or revoked; when the account is reactivated or renewed, or when authentication factors are replaced).
  • Security measures shall be implemented to secure MFA. Such security measures depend on the types of factors used through the MFA solution:
    • For solutions involving a knowledge factor, the data controller must comply with the CNIL’s Recommendation on Passwords.
    • For solutions involving a possession factor, the CNIL recommends that the data controller ensure that such solutions are based on cryptographically robust proof verification protocols and involve dynamic proofs of possession (to ensure systematic verification of the authenticity of the hardware device).
    • For solutions involving an inherent factor, the data controller must consider performance metrics (notably false acceptance rates for unauthorized access and false rejection rates for denied access) depending on the usage context, as well as resistance to presentation attacks (i.e. presentation of an artifact or human characteristic to a biometric system with the intent to illegitimately influence its decision).
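The minimization example above (a time-based OTP application holding an employer-provided key, instead of SMS to a personal phone number) and the recommendation that possession-factor solutions rely on cryptographically robust verification with dynamic proofs of possession both describe the standard TOTP mechanism of RFC 6238 (built on HOTP, RFC 4226). The following Python is an added illustration, not code from the CNIL or from the authors of this post, showing what the employer actually needs to store and check. The account record shape, the 30-second step, 6-digit codes, HMAC-SHA1 and a tolerance of one step either side are assumptions chosen here (they are the RFC defaults); the sample account id and timestamp are constructed.

```python
"""Added example (not from the CNIL guidance): a minimal TOTP enrolment and
verification flow per RFC 6238 / RFC 4226. The verifier keeps only a shared
secret per account, never the employee's phone number."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # assumed time step (RFC default)
DIGITS = 6          # assumed code length
WINDOW = 1          # assumed tolerance: accept codes from one step before/after


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, timestamp: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(timestamp) // step, digits)


def enroll(user_id: str) -> dict:
    """The only record the employer must keep (constructed record shape): account id,
    shared secret, and the last accepted time-step counter used to reject replays.
    No phone number or other contact data is required."""
    return {"user_id": user_id, "secret": secrets.token_bytes(20), "last_counter": -1}


def provisioning_uri(record: dict, issuer: str) -> str:
    """otpauth:// URI handed to the employee (e.g. as a QR code) so the authenticator
    app can store the secret; the secret is shared only between these two parties."""
    b32 = base64.b32encode(record["secret"]).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(record['user_id'])}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")


def verify_and_consume(record: dict, code: str, timestamp: int,
                       step: int = STEP_SECONDS, window: int = WINDOW) -> bool:
    """Dynamic proof of possession: the code is bound to the current time step,
    compared in constant time, and each time step is accepted at most once,
    so a code observed by a third party cannot be replayed later."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    current = int(timestamp) // step
    for counter in range(current - window, current + window + 1):
        if counter <= record["last_counter"]:
            continue  # already consumed, or older than a consumed code
        if hmac.compare_digest(hotp(record["secret"], counter), code):
            record["last_counter"] = counter
            return True
    return False


if __name__ == "__main__":
    rec = enroll("employee-42")   # constructed sample account
    print(provisioning_uri(rec, "ExampleCorp"))
    now = 1_700_000_000           # constructed timestamp
    print(verify_and_consume(rec, totp(rec["secret"], now), now))  # True
    print(verify_and_consume(rec, totp(rec["secret"], now), now))  # False: replay rejected
```

The data the employer persists is the `enroll()` record alone; the provisioning URI is shown once at enrolment and need not be retained. The `last_counter` field also reflects the retention point made later in the guidance: the OTP values themselves are never stored, only the position of the last code that was accepted.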

The importance of soft law. Although the CNIL’s guidance on MFA is not legally binding, its status as “soft law” should not be underestimated. As explained by the CNIL, such guidance is intended to encourage providers to integrate privacy protection from the design stage of their products or services and to guide them on the applicable legal requirements. In practice, the CNIL relies on its guidance in its enforcement action. For example, in the context of cookies or passwords, the CNIL has consistently referred to its guidelines and recommendations to interpret the French Data Protection Act and the GDPR in support of its sanction decisions. Therefore, non-compliance with these “soft law” instruments may expose organizations to audits, investigations, and potential sanctions.

CNIL enforcement activities. The emphasis on authentication methods is not new. The CNIL has long stressed the importance of strong authentication measures as part of compliance with the GDPR security requirements. In its 2025-2028 strategic plan, authentication and security are explicitly identified as enforcement priorities in the context of mobile applications and digital identity (available in French). This focus is also evidenced in the CNIL’s enforcement activities. The CNIL has already fined several companies across diverse business sectors (e.g., online media, distribution and logistics services, online payment, psychic services or real estate transactions) for having implemented weak password policies that fell short of the CNIL’s Recommendation on Passwords and were thus in breach of the GDPR security requirements. These sanction decisions highlight two main issues: insufficient password strength at the time of creation and insecure storage methods in the context of authentication.

Conclusion. In light of the above, we recommend that companies act now and align their practices with the CNIL’s expectations. A proactive approach should include the following key aspects:

  • Conduct gap analyses and internal audits to assess current authentication frameworks;
  • Update authentication policies to reflect best practices;
  • Ensure that staff are adequately trained and aware of security obligations;
  • Ensure smooth coordination between IT and legal teams on authentication topics; and
  • Prepare for potential CNIL investigations.
Authors

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Juliette is a member of the Information Technology and Communications team and focuses on new technologies, computer technology, internet and telecommunications.

Raphaëlle Mauret is a member of the Tech & Data Group of Baker McKenzie in Paris. She mainly focuses her practice on electronic communication, cybersecurity, data protection regulation and IT contracts.