In my experience, people in the workforce typically remember 20 to 40 different combinations of usernames and passwords to perform their jobs. Additional complexity comes from the hundreds of existing digital accounts we all manage as consumers.

This can lead to sticky notes, digital files filled with passwords, misremembered phrases and reuse of the same password for multiple accounts. No wonder passwords are the root cause of over 80% of security breaches.

Plus, I'm tired of consistently being prompted to remember and enter all my passwords and credentials.

Luckily for organizations and users, open standards technology can help. So, get ready to say goodbye to these horrible user experiences we’ve been dealing with over the past 20 years.

No password? How does it work?

First, let's define this process, because many organizations will be confused by all the choices—and even by determining what passwordless is and isn't. For example, it isn't single sign-on. Nor is it multi-factor authentication, or the use of one-time pins via short message service, or email.

The idea is to base identity verification on what might be called 'possession factors' that uniquely identify users. This can be a one-time password generator, a registered mobile device, a hardware token or biometrics such as fingerprints and retinal scans. Using this in combination with zero trust creates a very strong security solution that continuously authorizes access. Benefits can include improved security, reduced costs and happier users.

Good news lately, except ...

In the past year, the digital identity software industry has seen a flood of passwordless software vendors, with traditional digital identity software vendors also following suit. This is good news, except ... with so many choices to vet, organizations may face challenges in selecting the correct vendor. Also, as highlighted in my previous blog post, any organization with old digital identity software may struggle to jump straight to passwordless without modernization of tools and processes.

One other consideration—and potential advantage—is the ability to also put passwordless to work in operational technology (OT). This is because most of the systems on production floors are mission-critical, and compromise can mean significant damage. Recent pipeline attacks are only one example.

For the safety of the workforce, some organizations have policies that devices with batteries cannot be on the production floor. In the past, I have witnessed separate authentication mechanisms for IT and OT due to safety requirements like these, and because of a lack of industry maturity. But, as I highlighted earlier, passwordless technology also exists to improve security and safe experience for OT.

To accelerate adoption, reduce friction

When friction occurs, users find a way around, typically circumventing security to make their lives easier. One of the organizations working toward an answer is Fast Identity Online (FIDO), an alliance that created the open standard focusing on passwordless. FIDO works to help phones, hardware tokens, sensors and software support its asymmetric encryption; now FIDO adoption support and implementation is on the rise. FIDO2, released in 2018, supports WebAuthN for browsers, operating systems and websites. However, there are challenges: Registering FIDO authenticators is currently a one-off process for each device and managing these devices falls to the organization.

These challenges should not be permitted to hold organizations back from adopting systems that don't require passwords. As I said at the top, the juice is worth the squeeze.

Recommendations for implementing passwordless

  • Understand your current capabilities and build your roadmap, including knowing how your entire organization authenticates through every channel.
  • Work closely with business stakeholders to define and align your new authentication experience.
  • Select a vendor that can supplement and integrate your existing digital identity investments and understand their roadmap. Given the explosion of vendors in this space, do not be surprised if you encounter mergers and acquisitions in this changing landscape.
  • Take time to think through the process of managing these new tokens for authentication as well as the device registration process. Focus on low-friction, high-reward processes driven by automation. Don’t turn this into a call center sunk cost to manage device registration.
  • Integrate solutions with adaptive security and zero trust solutions to further enhance your organization's security.

The FIDO, FIDO2 and WebAuthn tools are not Accenture tools. Accenture makes no representation that it has vetted or otherwise endorses these tools and Accenture disclaims any liability for their use, effectiveness or any disruption or loss arising from use of these tool.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

This document makes reference to marks owned by third parties. All such third-party marks are the property of their respective owners. No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.

Copyright © 2021 Accenture. All rights reserved.

Damon McDougald

Managing Director - Accenture Security, Identity and Access Management Lead

Subscription Center
Subscribe to Security Blog Subscribe to Security Blog