Source: New Zealand Privacy Commissioner – Blog
Two factor authentication (sometimes called multi-factor authentication) is a good way to keep your information safe and secure.
This security requires two separate forms of identification to access an account, device, or system. Often this involves entering a password then confirming a code by a second message to your phone or email. This is designed allow you safer access to your systems. It provides an additional step of verification and greater security.
We encourage all agencies (businesses and organisations) to use two-factor authentication to protect the information they hold.
When a cyber security privacy breach occurs, the question compliance officers will ask is “have you taken reasonable cyber security steps to protect the personal data you hold?” Not taking reasonable steps is a breach of the Privacy Act and the trust that your customers or clients have placed in you to keep their information safe.
What is reasonable depends on the size of the organisation and the scale and sensitivity of the personal information they hold.
Two factor authentication is like an extra wall between you and people who would steal your data.
Two-factor authentication is a bare minimum we would expect for small businesses or organisations that hold or share personal information digitally. If you are a small business that has a cyber-related privacy breach and don’t have at least two factor-authentication in place expect to be found in breach of the Privacy Act.
The small business Insights Report showed agencies’ confidence that they understood what privacy meant didn’t translate into having relevant privacy policies and procedures in place.
