As cyber threats become more sophisticated, companies are under growing pressure to reinforce access controls across their systems and applications. In that context, two-factor authentication, or 2FA, has become one of the most effective and widely adopted security measures.
Passwords alone are no longer enough in many environments. Credential theft, password reuse and phishing have made it essential to add a further layer of verification, so that whoever presents a valid password for a corporate account must also prove control of a second factor that only the legitimate user should hold.
From a data protection standpoint, 2FA fits neatly within the controller’s obligation to implement appropriate technical and organisational measures ensuring a level of security appropriate to the risk, as required under Article 32 of the GDPR. It also reflects the principle of accountability in Article 5(2) and the duty of data protection by design and by default set out in Article 25.
In some sectors and environments, that expectation is even stronger. Under NIS2, for example, the use of multi-factor authentication is expressly listed among the cybersecurity risk-management measures that essential and important entities must adopt (Article 21(2)(j)).
There is little room for debate on the value of 2FA itself. The real question is not whether to use it, but how to roll it out in a way that is legally sound and operationally fair.
When the personal phone becomes a work tool
An approach that remains common in many organisations is to require employees to use their personal mobile phones to receive verification codes, or to install an authentication app on them, in order to access corporate tools.
At first glance, this looks like a convenient solution. It is inexpensive, easy to deploy, and it seems to shift very little burden onto the company. But from a data protection perspective, that convenience can be deceptive.
In an employment relationship, the balance of power is not equal. The employer directs and organises the work, while the employee operates within that framework. That imbalance is precisely why asking someone to use a personal device for work purposes deserves close scrutiny.
Once the personal phone becomes a required tool for accessing work systems, it is no longer just a private device. It becomes part of the work setup. And that changes the legal and practical analysis.
Why consent is not always enough
In data protection law, consent must be freely given, specific, informed, and unambiguous. That standard is hard to meet in an employment context when the employee has little real choice.
If access to work tools depends on using a personal mobile phone, it is difficult to argue that consent is truly voluntary if no genuine alternative is offered. A theoretical option is not the same as a real one.
That is why this kind of arrangement has to be assessed case by case. The company should look at the purpose of the measure, the information provided to employees, the legal basis relied upon, the proportionality of the solution, and whether practical alternatives exist.
In this setting, the key GDPR principles come into sharp focus: lawfulness, fairness and transparency, purpose limitation, data minimisation, and accountability. The legal basis must be carefully considered, rather than defaulting automatically to consent simply because it seems convenient.
The company should provide the means
This is not only a data protection issue. It also goes to the heart of the employment relationship.
If the company decides that a security measure is necessary to protect its systems, it is only reasonable that it also provides the means to implement that measure. Otherwise, the burden is shifted onto the employee, who is being asked to contribute a personal resource to support a business requirement.
That does not sit comfortably with the logic of employment law, where the worker provides services within the employer’s organisational structure, rather than supplying the means of work themselves.
The Spanish legal framework also recognises digital rights in the workplace, including the right to privacy in the use of digital devices at work (Article 87 of the LOPDGDD, Organic Law 3/2018). While that provision is mainly aimed at employer access to company-issued devices, it reflects a broader principle: technology in the workplace must still respect privacy and data protection boundaries.
For this reason, making the personal phone the only route to 2FA can become problematic where no proportionate alternative is available. In cases like this, specialist Privacy support can be especially useful.
What the AEPD has looked at
The Spanish Data Protection Agency has treated these situations with caution, particularly where employees’ personal devices are used for clearly work-related purposes.
One relevant example is Resolution PS/00456/2025, in case EXP202406971, which concerned the use of employees’ personal mobile phones as a two-factor authentication mechanism in the workplace. According to the available information, the AEPD found an infringement and imposed an initial fine of EUR 80,000, later reduced to EUR 48,000 after acknowledgement of responsibility and voluntary payment.
The broader message is clear: 2FA may well be appropriate, but it should not be deployed in a way that shifts organisational responsibilities onto workers.
That said, the issue should not be overstated. It would be wrong to say that any use of an authentication app on a personal device is automatically unlawful.
In case AI-00074-2024, for example, the AEPD examined a situation involving authentication and remote access within the Administration of Justice, taking into account the requirement under the ENS (Esquema Nacional de Seguridad, Spain’s National Security Framework) for two-factor authentication on access from uncontrolled environments, such as access over the internet or remote working.
So the problem is not 2FA itself. The real issue is the specific way it is implemented.
Better alternatives to consider
Before requiring employees to use their personal phones, companies should consider less intrusive solutions that fit better with the employment relationship.
These may include corporate phones, physical tokens, hardware security keys, authenticators tied to company-managed devices, or similar solutions that do not rely on the employee’s private device. Security keys and other FIDO2/WebAuthn authenticators have an additional security advantage worth weighing in that assessment: a one-time code delivered by SMS or generated by an app can be relayed through a real-time phishing page, whereas a WebAuthn credential is bound to the legitimate site’s origin and cannot be replayed elsewhere, which makes it phishing-resistant.
This assessment should also be documented. Under Article 5(2) of the GDPR, the controller must be able to demonstrate compliance with the data protection principles. Article 24 adds that appropriate technical and organisational measures must be chosen in light of the nature, scope, context, and purposes of the processing.
For that reason, reviewing these measures through a dedicated Privacy service can help ensure that security, compliance, and internal policy are properly aligned.
Security and compliance need to move together
2FA is a sensible and often necessary security measure. But if it is poorly implemented, it can create a compliance problem of its own.
Protecting corporate systems is a legitimate goal. The challenge is to do so without unnecessarily intruding into the employee’s private sphere or forcing them to use personal resources for business purposes.
Information security should not be built by passing organisational costs or obligations on to workers. The company must protect its systems, but it must do so in a proportionate way and with due respect for employees’ rights.
If your organisation is reviewing its authentication model, access policies, or data protection compliance, Inprosec’s Privacy service can help assess the situation and design an appropriate approach.