You may have seen the recent headlines covering the story of a snoozing mother who, while taking a nap on the couch, was innocently hacked by her 6-year-old. The child purchased $250 worth of toys on Amazon using her mother’s fingerprint for authentication. What an ingenious young one indeed!

Humorous as this story may be, it points out one of the many new risks associated with the shift toward internet-based shopping and banking. The internet provides cybercriminals with an anonymous platform from which to exploit ineffective information security programs.

In this case, the “child genius,” as New York Magazine dubbed the 6-year-old, naively discovered that the only obstacle keeping her from a Pokemon shopping spree on Amazon was her sleeping mother’s fingerprint, which she easily acquired. But if it’s that easy for a child to gain unauthorized access, just how easy is it for savvy fraudsters to do the same?

Breaking Authentication Is Child’s Play

Authentication, the process through which a user’s identity is verified, is the front door of any security program that aims to combat cybercriminals effectively. Unfortunately, 63 percent of confirmed data breaches involve weak, default or stolen passwords, according to Verizon’s “2016 Data Breach Investigations Report.” It is clear, then, that many organizations have struggled to implement authentication fully, despite the numerous access management solutions on the market.

Porous Passwords Are the Weakest Link

End users represent the weakest link in the cybersecurity chain. According to Entrepreneur, 3 out of 4 consumers use duplicate passwords, many of which go unchanged for five years or more. Additionally, per the “Norton Cybersecurity Insights Report,” one-third of users do not password-protect their smartphones or desktop devices.

Alarmingly, Keeper Security found that “123456” was the most popular password of 2016, making up 17 percent of the 10 million passwords included in the study. Users put themselves at even further risk by recycling passwords across multiple accounts. CSO Online reported that 99 percent of account breaches originate from password reuse.

Much Ado About Passwords

What can IT leaders do to protect their organizations from poor authentication practices? One way to strengthen passwords is to complement them with stronger security controls. Despite Bill Gates’ 2004 prediction about the death of the password, traditional authentication isn’t going away anytime soon. We can, however, certainly limit the extent to which authentication solutions rely on passwords.

Risk- and context-based authentication, for example, weighs risk factors such as time of day and device or browser type to determine whether an access request should be approved, challenged or denied. Similarly, continuous authentication tools verify users’ identities beyond the initial login stage, in a process also known as behavioral biometrics. Multifactor authentication requires users to present an additional factor beyond the password, such as a biometric indicator (a facial image or voice) or a one-time password.
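To make the approve/challenge/deny decision concrete, here is an added example in Python (not code from the article or any product it mentions) of a minimal risk-scoring engine. It applies the factors the paragraph names, device, browser and time of day, and adds one factor the article does not mention, a count of recent failed logins, as a generalization. The weights, the thresholds, the profile layout and the sample requests are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessRequest:
    """One login attempt with the context signals available to the policy engine."""
    user: str
    device_id: str
    browser: str
    when: datetime  # local time of the request


@dataclass
class UserProfile:
    """What the organization already knows about a user's normal behaviour."""
    known_devices: set
    known_browsers: set
    usual_hours: tuple = (7, 20)  # [start, end) hour range the user normally works in
    recent_failures: int = 0      # failed logins in the current window (added factor, not from the article)


# Hypothetical tuning values: how much each risk signal contributes and where the
# decision boundaries sit. A real deployment would calibrate these from its own data.
WEIGHTS = {
    "unknown_device": 40,
    "unfamiliar_browser": 20,
    "off_hours": 25,
    "recent_failures": 30,
}
CHALLENGE_AT = 25   # at or above this score, require a second factor
DENY_AT = 60        # at or above this score, refuse the request outright


def risk_factors(req: AccessRequest, profile: UserProfile) -> list:
    """Return the names of the risk signals that fire for this request."""
    factors = []
    if req.device_id not in profile.known_devices:
        factors.append("unknown_device")
    if req.browser not in profile.known_browsers:
        factors.append("unfamiliar_browser")
    start, end = profile.usual_hours
    if not (start <= req.when.hour < end):
        factors.append("off_hours")
    if profile.recent_failures >= 3:
        factors.append("recent_failures")
    return factors


def risk_score(factors: list) -> int:
    """Sum the weights of the signals that fired."""
    return sum(WEIGHTS[f] for f in factors)


def decide(req: AccessRequest, profile: UserProfile) -> tuple:
    """Map the score to approve / challenge / deny; also return the score and
    the contributing factors so the decision can be logged and audited."""
    factors = risk_factors(req, profile)
    score = risk_score(factors)
    if score >= DENY_AT:
        decision = "deny"
    elif score >= CHALLENGE_AT:
        decision = "challenge"
    else:
        decision = "approve"
    return decision, score, factors


if __name__ == "__main__":
    # Constructed sample profile and requests.
    alice = UserProfile(known_devices={"laptop-1"}, known_browsers={"Firefox"})
    for req in (
        AccessRequest("alice", "laptop-1", "Firefox", datetime(2024, 1, 8, 10, 0)),
        AccessRequest("alice", "tablet-9", "Firefox", datetime(2024, 1, 8, 10, 0)),
        AccessRequest("alice", "tablet-9", "Safari", datetime(2024, 1, 8, 3, 0)),
    ):
        print(req.device_id, req.browser, req.when.hour, "->", decide(req, alice))
```

The "challenge" outcome is where the multifactor step described in the paragraph is triggered: the user is not refused, but must present the additional factor before the session is granted. Returning the contributing factors alongside the decision matters for operations, since a denied login with no recorded reason is very hard to triage.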

Room for Improvement

IT leaders should provide users with rules that meet general authentication best practices. They should, for example, require users to create alphanumeric passwords longer than six characters that do not contain dictionary terms.
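As an added example (not code from the article), the rules above can be enforced at password-creation time with a small validator in Python. It implements the three stated rules, longer than six characters, alphanumeric, and no dictionary terms, and goes one step further than the paragraph by also rejecting entries from a common-password list of the kind the Keeper Security figure above comes from, with simple leet-speak substitutions undone first so that "P@ssw0rd" is not accepted. The word lists and test passwords are constructed samples; a real deployment would load a full dictionary and a breached-password corpus.

```python
import re

# Constructed sample lists for the example; real deployments load much larger ones.
COMMON_PASSWORDS = {"123456", "password", "123456789", "qwerty", "111111", "abc123"}
DICTIONARY_WORDS = {"summer", "winter", "dragon", "monkey", "welcome", "football", "letmein"}

# Character substitutions people commonly use to slip past naive dictionary checks.
LEET_TABLE = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def normalize(password: str) -> str:
    """Lower-case the password and undo leet-speak substitutions before matching."""
    return password.lower().translate(LEET_TABLE)


def check_password(password: str, min_length: int = 7) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    Rules from the article: longer than six characters (min_length=7), alphanumeric,
    and no dictionary terms. The common-password check is an added generalization.
    """
    problems = []

    if len(password) < min_length:
        problems.append("too_short")

    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    if not (has_letter and has_digit):
        problems.append("not_alphanumeric")

    normalized = normalize(password)

    # Reject exact matches against the common list, and, after normalization,
    # anything that still embeds a common password of six or more characters.
    if password.lower() in COMMON_PASSWORDS or any(
        len(common) >= 6 and common in normalized for common in COMMON_PASSWORDS
    ):
        problems.append("common_password")

    # Reject dictionary terms embedded anywhere in the normalized password.
    for word in sorted(DICTIONARY_WORDS):
        if len(word) >= 4 and word in normalized:
            problems.append(f"dictionary:{word}")
            break

    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Summer2024", "P@ssw0rd1", "x7Qv9pL2"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Returning the full list of violations rather than a single pass/fail lets the sign-up form tell the user every rule they missed at once, which reduces the number of retries and, in practice, the temptation to fall back on a reused password.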

IT executives should also establish federation for single sign-on (SSO) capabilities, which allow users to log into multiple applications with a single set of credentials at the beginning of a session. Identity federation is an often misunderstood concept that impacts the user’s experience throughout a session. Federation occurs when a group of organizations or partners forms a trusted union in which identities and/or attributes can be shared among all applications.

Whatever methods you choose to employ to combat weak authentication practices, it’s critical to stay well-informed of trends within the cybersecurity space. With new regulations, governance requirements and market expectations for security, awareness is the foundation of any information security strategy.
