Federated Authentication and the GDPR Principles

The General Data Protection Regulation’s Article 4(1) establishes six principles for any processing of personal data. It’s interesting to compare how federated authentication – where a student authenticates to their university/college, which then provides relevant assurances to the website they want to access – performs against those principles when compared with traditional direct logins to websites.

Lawfulness, fairness and transparency (processed lawfully, fairly and in a transparent manner)

Personal data required to maintain an account on a website will normally be processed on the grounds that it is necessary for a contract between the site and the user. For federated authentication, where there is rarely a direct contract between the site and the user, it is generally considered that a more appropriate legal basis is the legitimate interests of the home organisation and the service provider in providing the service requested. Both situations therefore permit only “necessary” data to be exchanged, but federated authentication additionally requires both the home organisation and the service provider to consider the fundamental rights and freedoms of the individual.

Purpose limitation (collected for specific, explicit and legitimate purposes and not processed incompatibly)

With direct login, the purpose(s) of processing are set in the contract the website offers to the user. Federated authentication agreements between home organisations and service providers typically require that the information provided may only be used for access and service personalisation decisions. Federated authentication technology also provides a practical limit on incompatible processing, since the pseudonymised information provided will often be of little use for other purposes in any case. Federated authentication also requires much less information for the website to protect itself against misuse, since federation agreements normally require the home organisation to deal with any breaches of policy by its users.

Data minimisation (adequate, relevant and limited)

Where a user registers themselves for access to a website, that website is likely to obtain significant amounts of (self-declared) information about who the user is. For websites attempting to implement particular authorisation policies (for example, that the user is a member of an organisation holding a licence) this may well be both excessive and inadequate. By contrast, federated authentication can provide exactly the membership information the website needs, without any unnecessary personal information. Federated authentication thus achieves better adequacy, relevance and limitation.

Accuracy (accurate and kept up to date)

As noted under minimisation, traditional login relies on information provided by the individual user. The website has no way to determine whether it is accurate, either at the time it is provided, or later. Each time a user logs in using federated authentication, the site is provided with current information from the home organisation’s own records.

Storage limitation (kept in a form that permits identification no longer than necessary)

Direct login requires the website to maintain all its account details, essentially indefinitely, since it has no way to determine when the user is no longer interested in the service. Federated authentication can be done without the website retaining any personal data, since the necessary assurances are provided by the home organisation each time the user accesses the site. Where a site wishes to let users retain information between sessions (saved searches, progress, etc.) this can be done using a pseudonymous identifier, unique to that site, provided by the home organisation. Again, there is no need for the website to retain any other information about the user.
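As an added illustration of the per-site pseudonymous identifier described above (example code written for this page, not Jisc's or any federation's implementation): the home organisation derives a pseudonym that is stable for one website but different for every other website, and the website keeps saved state keyed by that pseudonym alone. The HMAC construction, the secret, the attribute names and the user and site identifiers are all assumptions.

```python
import base64
import hashlib
import hmac

# Constructed secret: held only by the home organisation (identity provider).
IDP_SECRET = b"constructed-home-organisation-secret"


def pairwise_id(user_id: str, sp_entity_id: str, secret: bytes = IDP_SECRET) -> str:
    """Derive a pseudonym that is stable for one website but differs per website.

    HMAC-SHA256 keyed with the home organisation's secret, over the website's
    identifier and the internal user id. A website cannot reverse it to the
    user id, nor compute the value another website receives for the same user.
    """
    message = sp_entity_id.encode() + b"\x00" + user_id.encode()
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def login_assertion(user_id: str, sp_entity_id: str, affiliation: str) -> dict:
    """What the home organisation releases at login (assumed attribute set): only
    the pseudonym and the membership claim the site needs for its access decision."""
    return {"pairwise_id": pairwise_id(user_id, sp_entity_id), "affiliation": affiliation}


class WebsiteStore:
    """Website side: per-user state keyed by the pseudonym alone, so the site
    holds no name, e-mail or other identifying data between sessions."""

    def __init__(self) -> None:
        self._saved_searches: dict[str, list[str]] = {}

    def save_search(self, assertion: dict, query: str) -> None:
        self._saved_searches.setdefault(assertion["pairwise_id"], []).append(query)

    def saved_searches(self, assertion: dict) -> list[str]:
        return list(self._saved_searches.get(assertion["pairwise_id"], []))


if __name__ == "__main__":
    # Constructed identifiers for the demonstration.
    library = WebsiteStore()
    first = login_assertion("s1234567", "https://library.example", "member")
    library.save_search(first, "gdpr federated authentication")
    later = login_assertion("s1234567", "https://library.example", "member")
    print(library.saved_searches(later))  # saved state survives across sessions
    other = login_assertion("s1234567", "https://journal.example", "member")
    print(first["pairwise_id"] != other["pairwise_id"])  # unlinkable across sites
```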

Integrity and confidentiality (appropriate security, using technical or organisational measures)

With direct login, integrity and confidentiality are a matter for the service provider. With federated authentication, personal data are held by the home organisation, which has a strong incentive to keep them secure to protect its own systems and the individuals (students and staff) with whom it needs a strong, long-term trust relationship. Furthermore, the authentication process only reveals to the home organisation which websites the individual has authenticated to, not which content on those sites they accessed.

Federated login therefore appears clearly better for five of the six GDPR principles, and at least equal to direct login on the other.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
