How Accenture employees got rid of passwords
Consulting firm Accenture has swapped out insecure, phrase-based passwords for PINs and biometric-based online logins across the vast majority of its global workforce.
Why it matters: Most people struggle to come up with complex passwords that are easy to remember but difficult for hackers to guess.
- And many employees also repeat their passwords across personal and work accounts — making it easier for malicious actors to break into multiple companies at once using just one person's stolen password.
Zoom out: The cybersecurity industry has been pushing biometric and PIN-based logins as an alternative to passwords.
- Those alternatives look like someone using their fingerprint to unlock their laptop or using a PIN sent to their phone to sign in to an account.
The big picture: Accenture has spent the last three years transitioning more than 600,000 employees worldwide to both PINs and biometric logins for their online tools.
- Before the transition, Accenture required employees to reset their passphrase every 75 days — but each passphrase had to be unique, and employees often forgot what their new phrase was.
- The company ultimately had to assign part of its IT team to just resetting passwords all day, Merim Becirovic, global CTO of Accenture's IT organization, told Axios.
What they're saying: "We used to joke before this program, 'Man, are we ever going to get to a world where there [are] no passwords,' and here we are," Becirovic said.
- "It did not take long [to achieve], but it's such a powerful experience factor," he added.
Between the lines: Accenture had already transitioned its online systems to the cloud right before the pandemic, which laid the foundation for its journey to passwordless logins.
- Heading to the cloud brought all of the company's key assets into one place, eliminating questions about which networks are connected online, which servers they want to run the passwordless technology on, and where to store backup data for logins and other "ancillary things that support it," Becirovic said.
- "When you're in the cloud, you can focus more on the business capability you are trying to enable, and that is my opinion of where the scale and speed come from," Becirovic said.
Details: Accenture started rolling out passwordless logins through pilot programs among smaller groups of employees.
- The first test group was roughly 10,000 employees, and group sizes eventually grew as large as 40,000 at a time.
- The company worked with Microsoft, which they were already using for other tech needs, to tie online logins to PINs sent to employees' phones.
- Some other logins are based on biometrics, too, Becirovic said.
The intrigue: These transitions sometimes make users cranky because they would rather stick with the familiar, phrase-based passwords.
- But Becirovic said most of Accenture's employees prefer the new system — especially since it means they no longer have to come up with a new, unique password every 75 days.
- While Becirovic wasn't able to comment on whether the transition to passwordless has discouraged hackers from targeting the company's systems, he said that his IT team now has time to focus on more consequential tasks, rather than resetting employee passwords.
Yes, but: Accenture's journey won't be easy for just any organization to replicate.
- Its path is traditional for corporate, for-profit companies, he added.
- Not all legacy IT systems can operate without passwords. And certain manufacturing and other critical infrastructure organizations that operate legacy, physical devices, like a gas pipeline, will have a harder time ditching passwords.
Be smart: Any company eyeing a transition to passwordless shouldn't view the endeavor as a one-off project, Becirovic said, given how integrated the program is across an organization.