Last month, Target reached a breach settlement of $18.5 Million in fines for the 2013 security breach that exposed the data of millions of customers across 47 states and the District of Columbia. In addition to this fine, the settlement additionally requires Target adopt a “comprehensive information security program” and includes implementing network security best practices of encrypting payment card information, separating cardholder data from the rest of the computer network – and implementing policies regarding multi-factor authentication.



As software architect at RADAR and a member of the RADAR development team, I was interested in the inclusion of multi-factor authentication (MFA) in the terms of this settlement. MFA is a network security best practice, and I am encouraged to see it promoted for wider use – it has even been implemented with the cast of Game of Thrones, requiring MFA to access the scripts as a security measure against leaks of upcoming plot lines.

Multi-Factor Authentication

What is Multi-Factor Authentication?

MFA, sometimes called two-factor authentication, is a way to gate technology with an extra layer of protection on top of the typically required user name/email and password to access an application. A user is prompted to provide separate evidence to authenticate their identity before granting access, generally at least two of the following authentication categories:

  • Something they know, such as a username, password or PIN
  • Something they have, such as a security code sent to a mobile device or accessed via an authentication app
  • Something they are, such as fingerprints, voice recognition, or other biometric indicators

One example of MFA we’re all familiar with: when you visit an ATM to withdraw funds, only the combination of both a bank card (something you have) and a PIN (something you know) allows the transaction to take place.

At RADAR, we are committed to providing our customers opportunities to implement privacy and security best practices. That’s why we offer MFA for the RADAR platform without additional cost.

Why does Multi-Factor Authentication Matter to Privacy Professionals?

MFA is a best practice in security. Implementing MFA means even if your password is compromised or stolen, there is still an additional layer of authentication required to access the system. For privacy professionals, implementing MFA can be an indicator of good overall security posture to watchful regulators such as the attorneys general in the Target case. MFA has also been cited as a good measure to ward off phishing attacks. Such was the case for Bowling Green State University, which accelerated its plan to require MFA after an increase in phishing attacks on campus.

MFA is also already required or strongly recommended by a number of regulators and online services. The Payment Card Industry Data Security Standard (PCI DSS) issued guidance in February 2017 that requires MFA to prevent unauthorized access to computers and systems that process payment transactions. The Social Security Administration announced that beginning June 10, 2017, MFA will be required for all account holders logging into the “My Social Security” portal. In the California Attorney General’s 2016 California Data Breach Report, multi-factor authentication is considered a minimum security requirement for consumer-facing online accounts with sensitive personal information.

Related Reading: