Accenture introduced a single sign-on process as early as 2001. But passwords are susceptible to phishing and other remote attacks. Also, the Accenture policy of requiring password renewal every 75 days often meant a poor user experience for our people—there is growing evidence that password rotations are already obsolete and should be reconsidered. A decade on, we moved to MFA which has been part of our security protocols since inception.
In 2019, we began our passwordless journey with our longstanding ecosystem partner, Microsoft. Microsoft is a forerunner in passwordless authentication. The partnership meant we were well-positioned to not only accelerate our journey, but also to embrace a game-changing shift in our security model.
Passwordless solutions fundamentally change the security model by localizing authentication at the device level, which prevents remote attacks. Hackers must have access to both the passwordless unlock method (such as PIN or biometrics) and the physical device to gain access to company’s resources.
To move toward a passwordless environment, we reevaluated the identity platform for our devices and applications in our existing environment. Our strategy was based on moving our apps to Azure Active Directory (Azure AD) as part of the Accenture cloud-first, cloud-only vision. We then chose passwordless authentication solutions that met our device and application needs which include:
Windows Hello for Business (HfB)
Windows Hello for Business replaces passwords with strong two-factor authentication on devices. Since HfB is supported by all Windows workstations deployed by Accenture, any user of these devices can enroll in the program and start authenticating to their device and applications with a PIN or biometrics.
Passwordless sign-in with the Microsoft Authenticator app
This solution enables Accenture employees to use their phones to complete two-factor authentication, without the need for dedicated physical devices. Simply by completing a number match, a user can authenticate to any application on multiple devices.
FIDO2 token
A FIDO2 token is a separate physical device that typically resembles a familiar USB thumb drive. The tokens can be used to complete device and application sign-in on any Accenture workstation.
Temporary Access Passcode (TAP)
Without passwords, it can be difficult to initially enroll a user in any of the above solutions. Temporary Access Passcodes enable Accenture to securely overcome this complexity. A time-limited passcode is given to a verified user to help enable them to register passwordless methods and recover access to their account without the need for a password.
Discovering all applications and audiences being used within an organization is challenging, especially without a directory to serve as a “source of truth.” We decided to move to Azure AD and use Azure’s passwordless options to find all apps and begin phasing out the use of passwords. For apps without passwordless options or the ability to move to Azure AD, we considered alternatives to adapt them, implemented technology to transform them or took the decision to decommission the app.