Use of personal data for Multi-Factor Authentication and Password Reset

BU is introducing new measures to help protect BU systems and the data held within them. These include multi-factor authentication (MFA), i.e. requiring system users to verify their identity using additional factors alongside the current username and password, and more frequent resets of system passwords.

For these purposes, we will be asking all system users (staff and students) to complete a registration process for MFA and for the self-service password reset service (SSPR). This asks users to provide personal contact details (a personal email address and a phone number other than a BU extension) and other personal information which will be used as the answers to security questions. Users can also choose to use an authenticator app (the Microsoft Authenticator app) as an authentication factor, by downloading the app to their smartphone and entering the code the app displays when prompted by the BU system.

Why are we doing this?

BU has ongoing legal duties to ensure the integrity of its systems and to protect personal data and other information held within them. Cyber attacks on organisations' systems are becoming increasingly common and have a very significant impact on organisations and individuals. A cyber security incident could result in the loss of personal information of BU staff, students and third parties (e.g. research participants), lock users out of BU systems and resources, and disable key operations. A worst-case scenario could involve BU being unable to access and use core systems for a significant period: this recently happened to another university. This could affect systems from Office 365/email to SITS and Brightspace, and processes such as payroll. Successful cyber attacks very often start with a compromised email or system account, i.e. the attacker is able to log into the system using the credentials of an authorised user. MFA and password reset are intended to make that much more difficult: a stolen password alone is no longer enough to log in, and a password that has been exposed is replaced sooner.

BU has piloted the use of MFA within the organisation, and feedback from the pilot group did not include any privacy concerns. MFA is already generally used to manage public access to services such as banking, and is therefore widely accepted as an expected level of protection in many sectors. The data protection regulator, the Information Commissioner, would expect us to justify and explain any decision not to use available security measures. MFA is becoming a standard or expected security measure, along with regular password reset.

In this context BU has carefully assessed the risks and benefits of introducing the MFA and self-service password reset processes. We consider that it is necessary to use MFA and SSPR to ensure appropriate protection for BU systems.

The authentication process must by definition use some information which is personal to you or accessible only by you. As set out below, the personal data you provide for these purposes will be kept secure and used minimally. However, we encourage you to use the authenticator app for MFA, as this reduces the amount of personal contact information you need to provide while still giving the direct personal verification required for security purposes. BU can provide guidance for staff on how to keep your personal devices secure.

The legal basis for processing this information is that it is necessary for the legitimate interests pursued by BU, i.e. ensuring the security and appropriate protection of BU systems and the information held within those systems (article 6.1(f) of the General Data Protection Regulation). We consider that this interest is not outweighed by the interests or rights of the data subjects, taking account of the secure way in which we will hold the data (see below) and the fact that the data subjects (staff and students) would themselves be likely to experience adverse impact from any security breach of BU systems. An alternative legal basis may be that this processing is necessary for compliance with BU's legal obligations under the data protection legislation to use appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data (article 6.1(c) of the GDPR).

How is the personal information held by BU?

The details you provide will always be kept securely within the Microsoft Office system (the BU Microsoft Azure tenancy). The information will only be used for authentication. The information will only be accessible to you (via your BU login to Office 365) and to a small number of BU privileged administrators. These administrators will have access to the contact information you provide, but not to any answers you provide for security questions.

If you have read the information above but still have questions or concerns about providing your personal data for these purposes, please contact the BU Data Protection Officer, James Stevens, at dpo@bournemouth.ac.uk