A passwordless authentication enterprise journey
How to improve user experiences through identity and access management.
Despite the pace of technological change, the use of passwords has remained the same since the earliest days of computing. And yet there is strong evidence that passwords not only present a significant security risk, but also create a financial burden.
Today, there are more than 300 billion passwords being used by humans and machines worldwide, with 83% of data breaches attributed to password compromises. Along with this volume and scale, the administrative costs of password maintenance are unsurprisingly high—averaging around US$1M in annual costs per business. Costs include staff and infrastructure management, as well as passwords resets. Globally, these costs contribute to an estimated US$6T in annual cybercrime damage.
While authentication technologies, such as traditional multi-factor authentication (MFA), add layers of security and usability to the authentication process, they are not as sophisticated as passwordless technologies, such as Windows Hello for Business, Microsoft Authenticator App or FIDO2 tokens.
Passwordless technology alters the fundamental security model by moving the verification onto the device rather than passing credentials through an online connection. Aside from helping enable organizations to operate in a more robust and resilient manner, the passwordless journey can offer an enhanced user experience—reducing the need for passwords and easing access.
Over the past decade, Accenture has been undertaking a multi-phased passwordless journey. We aim to remove our dependency on passwords from all applications and identity platforms, as well as help enable our people to experience a passwordless process that evolves from good to great.
Eliminating passwords from the user experience involves technical and cultural change. In the future, people will look back and wonder why we ever used passwords.
Simon Gooch / Director, Global IT Enterprise Technology, Security, Accenture
Accenture introduced a single sign-on process as early as 2001. But passwords are susceptible to phishing and other remote attacks. Also, the Accenture policy of requiring password renewal every 75 days often meant a poor user experience for our people—there is growing evidence that password rotations are already obsolete and should be reconsidered. A decade on, we moved to MFA, which has been part of our security protocols since its introduction.
In 2019, we began our passwordless journey with our longstanding ecosystem partner, Microsoft. Microsoft is a forerunner in passwordless authentication. The partnership meant we were well-positioned to not only accelerate our journey, but also to embrace a game-changing shift in our security model.
Passwordless solutions fundamentally change the security model by localizing authentication at the device level, which prevents remote attacks. Hackers must have access to both the passwordless unlock method (such as a PIN or biometrics) and the physical device to gain access to the company’s resources.
To move toward a passwordless environment, we reevaluated the identity platform for our devices and applications in our existing environment. Our strategy was based on moving our apps to Azure Active Directory (Azure AD) as part of the Accenture cloud-first, cloud-only vision. We then chose passwordless authentication solutions that met our device and application needs which include:
Windows Hello for Business (HfB)
Windows Hello for Business replaces passwords with strong two-factor authentication on devices. Since HfB is supported by all Windows workstations deployed by Accenture, any user of these devices can enroll in the program and start authenticating to their device and applications with a PIN or biometrics.
Passwordless sign-in with the Microsoft Authenticator app
This solution enables Accenture employees to use their phones to complete two-factor authentication, without the need for dedicated physical devices. Simply by completing a number match, a user can authenticate to any application on multiple devices.
FIDO2 tokens
A FIDO2 token is a separate physical device that typically resembles a familiar USB thumb drive. The tokens can be used to complete device and application sign-in on any Accenture workstation.
Temporary Access Passcode (TAP)
Without passwords, it can be difficult to initially enroll a user in any of the above solutions. Temporary Access Passcodes enable Accenture to securely overcome this complexity. A time-limited passcode is given to a verified user to help enable them to register passwordless methods and recover access to their account without the need for a password.
Discovering all applications and audiences being used within an organization is challenging, especially without a directory to serve as a “source of truth.” We decided to move to Azure AD and use Azure’s passwordless options to find all apps and begin phasing out the use of passwords. For apps without passwordless options or the ability to move to Azure AD, we considered alternatives to adapt them, implemented technology to transform them or took the decision to decommission the app.
A cultural shift
As with any change program, it’s important to not only enable adoption throughout the whole organization, but also engage the hearts and minds of our individual users. But to play their part, users needed to understand what was being asked of them. This involved:
A targeted communications approach that customized messages by type, role and situation and identified the actions required. We also took a regional approach to stakeholder engagement, asking local leaders for support in promoting the change, helping the global effort to feel more personal.
A map of the full journey was created from our foundational steps of simply identifying passwordless options, all the way to our end goal of working in a completely passwordless environment. We used an easy-to-understand infographic from our digital experience team in sharing this journey.
A keen focus on specific stakeholders included embedding the new process and tools in the onboarding process for new joiners and offering a “white glove” approach to our senior leaders.
A partnership with the provider using the latest tools, such as the Microsoft Authenticator app’s “Nudge” functionality, and leading practices, such as sentiment tracking.
Above all, we made it clear that password and passwordless actions are likely to co-exist for a period of time. And we encouraged a change of mindset—in short, we stressed the idea that passwordless means safer and easier business operations.
Today, we’ve reached a stage in our multi-phase passwordless journey where we have removed the requirement for password authentication from the user experience. With 699,000 employees provisioned, managed and maintained, it’s in our best interests to make security and identity management as simple—and automated—as possible.
We’ve proven the benefits. The adoption of passwordless has led to faster login times, a more reliable experience, fewer failed authentications and an improved overall security posture.
Ongoing, we expect to help accelerate the login experience further and help reduce IT support costs related to all password maintenance activities. By demonstrating the improvement in our global deployment of passwordless security, Accenture aims to be one of the first large-scale enterprises operating a pure passwordless model.
Today, removing passwords from all user authentications remains a goal—in part because the technology needed to make it a reality is still being developed. However, we have made excellent progress and learned along the way:
Compatibility takes time
Verifying application compatibility can be time-intensive. Planning is required to help ensure all applications and Accenture devices support passwordless solutions.
Finding applications is challenging
A rigorous effort is required to identify all applications that continue to use a password prompt. This is especially challenging with the vast number of applications in the Accenture environment.
It helps to develop a strategy for “outliers”
Not all legacy solutions will be compatible with passwordless; it is critical to identify outlying use cases and develop clear remediation paths.
Be multi-device compatible
Users often log into the same application on different devices (for example, a laptop versus mobile device). Adopt passwordless solutions that are compatible with multiple devices for a smoother transition.
Communicating with users throughout the journey is critical to improvement. Focus on user benefits, value across the organization and highlight the differences in operating in a passwordless model.
Key figures (the values themselves were not preserved in this copy of the page): users enabled for Windows Hello for Business; registered employees using the Microsoft Authenticator app for passwordless sign-in; Azure AD authentications per day; share of Windows device sign-ins that use a passwordless method; active passwordless applications.
Contributors (titles as listed; most names were not preserved in this copy of the page)
Managing Director – Global IT, Enterprise Technology
Managing Director – Global IT, Enterprise Technology, Security
Director – Global IT, Security & Identity
Director – Global IT, Security & Identity
Amanda Clevey Brown
Senior Manager – Global IT, Technology Vision & Strategy
Director – Global IT, Corporate Technology, Journey & Change Management
Senior Manager – Global IT, Journey & Change Management