You may have seen the recent headlines covering the story of a snoozing mother who, while taking a nap on the couch, was innocently hacked by her 6-year-old. The child purchased $250 worth of toys on Amazon using her mother’s fingerprint for authentication. What an ingenious young one indeed!

Humorous as this story may be, it points out one of the many new risks associated with the shift toward internet-based shopping and banking. The internet provides cybercriminals with an anonymous platform from which to exploit ineffective information security programs.

In this case, the “child genius,” as New York Magazine dubbed the 6-year-old, naively discovered that the only obstacle keeping her from a Pokemon shopping spree on Amazon was her sleeping mother’s fingerprint, which she easily acquired. But if it’s that easy for a child to gain unauthorized access, just how easy is it for savvy fraudsters to do the same?

Breaking Authentication Is Child’s Play

Authentication, the process through which a user’s identity is verified, is the front door of any security program to effectively combat cybercriminals. Unfortunately, 63 percent of confirmed data breaches involve weak, default or stolen passwords, according to Verizon’s “2016 Data Breach Investigations Report.” It is clear, then, that many organizations have struggled to develop authentication to its full extent, despite the numerous access management solutions on the market.

Porous Passwords Are the Weakest Link

End users represent the weakest link in the cybersecurity chain. According to Entrepreneur, 3 out of 4 consumers use duplicate passwords, many of which go unchanged for five years or more. Additionally, per the “Norton Cybersecurity Insights Report,” one-third of users do not password-protect their smartphones or desktop devices.

Alarmingly, Keeper Security found that “123456” was the most popular password of 2016, making up 17 percent of the 10 million passwords included in the study. Users put themselves at even further risk by recycling passwords across multiple accounts. CSO Online reported that 99 percent of account breaches originate from password reuse.

Much Ado About Passwords

What can IT leaders do to protect their organizations from poor authentication practices? One way to strengthen passwords is to compliment them with stronger security. Despite Bill Gates’ 2004 prediction about the death of the password, traditional authentication isn’t going away anytime soon. We can, however, certainly limit the extent to which authentication solutions rely on passwords.

Risk- and context-based authentication, for example, considers risk factors, such as time of day, device or browser type, to determine whether an access request should be approved, challenged or denied. Similarly, continuous authentication tools verify users’ identities beyond the initial login stage in a process also known as behavioral biometrics. Multifactor authentication requires users to input a biometric indicator, such as a facial image or voice, or a one-time password.

Room for Improvement

IT leaders should provide users with rules that meet general authentication best practices. They should, for example, require users to create alphanumeric passwords longer than six characters that do not contain dictionary terms.

IT executives should also establish federation for single sign-on (SSO) capabilities, which allow users to log into multiple applications with a single set of credentials at the beginning of a session. Identity federation is an often misunderstood concept that impacts the user’s experience throughout a session. Federation occurs when a group of organizations or partners forms a trusted union in which identities and/or attributes can be shared among all applications.

Whatever methods you choose to employ to combat weak authentication practices, it’s critical to stay well-informed of trends within the cybersecurity space. With new regulations, governance requirements and market expectations for security, awareness is the foundation of any information security strategy.

more from Data Protection