You may have seen the recent headlines covering the story of a snoozing mother who, while taking a nap on the couch, was innocently hacked by her 6-year-old. The child purchased $250 worth of toys on Amazon using her mother’s fingerprint for authentication. What an ingenious young one indeed!

Humorous as this story may be, it points out one of the many new risks associated with the shift toward internet-based shopping and banking. The internet provides cybercriminals with an anonymous platform from which to exploit ineffective information security programs.

In this case, the “child genius,” as New York Magazine dubbed the 6-year-old, naively discovered that the only obstacle keeping her from a Pokemon shopping spree on Amazon was her sleeping mother’s fingerprint, which she easily acquired. But if it’s that easy for a child to gain unauthorized access, just how easy is it for savvy fraudsters to do the same?

Breaking Authentication Is Child’s Play

Authentication, the process of verifying that a user is who they claim to be, is the front door of any security program that hopes to keep cybercriminals out. Unfortunately, 63 percent of confirmed data breaches involved weak, default or stolen passwords, according to Verizon’s “2016 Data Breach Investigations Report.” Clearly, many organizations have not taken authentication as far as it can go, despite the numerous access management solutions on the market.

Porous Passwords Are the Weakest Link

End users represent the weakest link in the cybersecurity chain. According to Entrepreneur, 3 out of 4 consumers use duplicate passwords, many of which go unchanged for five years or more. Additionally, per the “Norton Cybersecurity Insights Report,” one-third of users do not password-protect their smartphones or desktop devices.

Alarmingly, Keeper Security found that “123456” was the most popular password of 2016, making up 17 percent of the 10 million passwords included in the study. Users put themselves at even further risk by recycling passwords across multiple accounts. CSO Online reported that 99 percent of account breaches originate from password reuse.

Much Ado About Passwords

What can IT leaders do to protect their organizations from poor authentication practices? One way to compensate for weak passwords is to complement them with stronger controls. Despite Bill Gates’ 2004 prediction about the death of the password, traditional authentication isn’t going away anytime soon. We can, however, certainly limit the extent to which authentication solutions rely on passwords alone.

Risk- and context-based authentication, for example, scores each access request on signals such as time of day, device or browser type, location and recent failed attempts, and uses that score to decide whether the request should be approved, challenged with a second factor or denied. Continuous authentication tools extend this beyond the initial login, often using behavioral biometrics (typing rhythm, mouse movement, how the device is held) to confirm that the person using the session is still the one who started it. Multifactor authentication requires something in addition to the password: something the user has, such as a one-time password from an app or hardware token, or something the user is, such as a fingerprint, face or voice. The opening anecdote is a reminder that a biometric on its own is not a strong second factor when the person presenting it is not its owner.
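The decision logic described above, written out as an added example (not code from the article or from any product it mentions): a login attempt is scored against what is known about the user, and the score is mapped to approve, challenge or deny. The factor weights, thresholds, user profile and sample attempts are assumptions constructed for illustration.

```python
"""Risk- and context-based authentication as a small decision engine.

Each login attempt is scored against the user's known context (devices,
browsers, home country, working hours, recent failures) and the score is
mapped to approve / challenge (step-up to a second factor) / deny.
Added example, not the article's code; weights, thresholds, profile and
sample attempts are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class LoginAttempt:
    user: str
    when: datetime            # assumed to be in the user's local time zone
    device_id: str            # e.g. a device-binding cookie or MDM identifier
    browser: str
    country: str              # from IP geolocation
    failures_last_hour: int   # failed logins for this account in the last hour


@dataclass
class UserProfile:
    known_devices: set
    usual_browsers: set
    home_country: str
    work_hours: tuple = (7, 20)   # local hours: start inclusive, end exclusive


APPROVE, CHALLENGE, DENY = "approve", "challenge", "deny"

# Assumed weights: the cost of each risk signal. Tune from your own auth logs.
WEIGHTS = {
    "unknown_device": 40,
    "unusual_browser": 10,
    "foreign_country": 35,
    "off_hours": 15,
    "brute_force": 50,
}
CHALLENGE_AT = 30   # score at or above this: require a second factor
DENY_AT = 70        # score at or above this: refuse the request and alert


def risk_signals(attempt: LoginAttempt, profile: UserProfile) -> list:
    """Return the names of the risk signals present in this attempt."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if attempt.browser not in profile.usual_browsers:
        signals.append("unusual_browser")
    if attempt.country != profile.home_country:
        signals.append("foreign_country")
    start, end = profile.work_hours
    if not (start <= attempt.when.hour < end):
        signals.append("off_hours")
    if attempt.failures_last_hour >= 5:
        signals.append("brute_force")
    return signals


def decide(attempt: LoginAttempt, profile: UserProfile) -> tuple:
    """Score the attempt and return (decision, score, signals)."""
    signals = risk_signals(attempt, profile)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= DENY_AT:
        return DENY, score, signals
    if score >= CHALLENGE_AT:
        return CHALLENGE, score, signals
    return APPROVE, score, signals


# Constructed sample data (not real users or events).
PROFILE = UserProfile(known_devices={"laptop-01"}, usual_browsers={"Firefox"},
                      home_country="US")
ATTEMPTS = {
    # usual device and browser, at home, during the day: approve
    "routine": LoginAttempt("alice", datetime(2017, 2, 6, 10, 15), "laptop-01",
                            "Firefox", "US", 0),
    # same user on a never-seen phone: challenge with a second factor
    "new_phone": LoginAttempt("alice", datetime(2017, 2, 6, 14, 0), "phone-77",
                              "Firefox", "US", 0),
    # unknown device and browser, abroad, at 3 a.m., after repeated failures: deny
    "attacker": LoginAttempt("alice", datetime(2017, 2, 6, 3, 2), "vm-9",
                             "Chrome", "NL", 8),
}

if __name__ == "__main__":
    for name, attempt in ATTEMPTS.items():
        decision, score, signals = decide(attempt, PROFILE)
        print(f"{name:9s} -> {decision:9s} score={score:3d} {signals}")
```

The "challenge" outcome is where multifactor authentication plugs in: the password alone is not rejected, but the session is not granted until a second factor succeeds. Log the signal list with every decision so that the security operations team can tune the weights and investigate denied attempts.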

Room for Improvement

IT leaders should give users rules that meet general authentication best practices. At a minimum, they should require passwords that mix letters and digits, are longer than six characters and do not contain dictionary terms. Current guidance in NIST SP 800-63B goes further in a different direction: it favors length and screening candidate passwords against lists of known-breached passwords over composition rules and forced periodic rotation, since “123456” and its relatives are exactly what attackers try first.
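A policy checker that applies the baseline rules above and adds the two checks a practitioner would want, breached-password screening (which catches “123456” from the Keeper Security study) and detection of a reused previous password, as an added example that is not the article's code. The dictionary, the breached list and the sample passwords are small constructed stand-ins; a real deployment would use a full word list and a breached-password corpus such as Have I Been Pwned's Pwned Passwords.

```python
"""Password-policy check: the article's baseline rules (mixed letters and
digits, longer than six characters, no dictionary words) plus screening
against known-breached passwords and against the user's own password
history. Added example, not the article's code; word list, breached list
and sample passwords are constructed here for illustration.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 7  # "longer than six characters"

# Constructed stand-ins; use a full word list and a breached-password corpus
# (e.g. Have I Been Pwned's Pwned Passwords) in production.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("123456", "123456789", "qwerty", "password", "111111")
}

# Substitutions that cracking wordlists already undo, so the check must too.
_LEET = str.maketrans("0134$@!", "oleasai")


def contains_dictionary_word(pw: str) -> bool:
    lower = pw.lower()
    normalised = lower.translate(_LEET)
    return any(w in lower or w in normalised for w in DICTIONARY)


def is_breached(pw: str) -> bool:
    # SHA-1 is only the lookup key into the breached corpus (the format HIBP
    # publishes), never a credential store; its range API lets you query by
    # 5-character prefix without sending the full hash.
    return hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1


def _kdf(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


def remember(pw: str) -> tuple:
    """Store a salted KDF output for the history check, never the password."""
    salt = os.urandom(16)
    return salt, _kdf(pw, salt)


def was_used_before(pw: str, history) -> bool:
    return any(hmac.compare_digest(_kdf(pw, salt), digest)
               for salt, digest in history)


def check_password(pw: str, history=()) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("not_alphanumeric")
    if contains_dictionary_word(pw):
        problems.append("dictionary_word")
    if is_breached(pw):
        problems.append("breached")
    if was_used_before(pw, history):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    history = [remember("Tr0ub4dor&3x9")]           # constructed prior password
    for candidate in ("123456", "P@ssw0rd123", "Tr0ub4dor&3x9",
                      "correct-horse-9xQ!"):
        print(f"{candidate!r}: {check_password(candidate, history) or 'ok'}")
```

Note that the leet-speak normalisation is what turns “P@ssw0rd123” from a policy-compliant string into a rejected dictionary word; composition rules alone would have accepted it.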

IT executives should also establish identity federation to enable single sign-on (SSO), which lets users log into multiple applications with a single set of credentials presented once at the beginning of a session. Federation is an often misunderstood concept that shapes the user’s experience throughout that session. It occurs when a group of organizations or partners forms a trusted union in which an identity provider’s assertions about a user (identity and attributes) are accepted by all participating applications, typically over standards such as SAML or OpenID Connect. Because SSO concentrates access behind one login, the identity provider becomes the highest-value target and must itself be protected with multifactor and risk-based authentication.

Whatever methods you choose to employ to combat weak authentication practices, it’s critical to stay well-informed of trends within the cybersecurity space. With new regulations, governance requirements and market expectations for security, awareness is the foundation of any information security strategy.
