Why Passwords Have to Be Replaced
It’s widely acknowledged that passwords are a huge obstacle to securing networks. Burkhardt noted that the average data breach cost $4.45 million in 2023, according to IBM’s Cost of a Data Breach Report for that year, and that about half of breaches involved stolen credentials, per the Verizon 2023 Data Breach Investigations Report.
Consequently, when it comes to passwords, “we have all sorts of rules,” Burkhardt said. “It hasn’t been a great experience for users because we’ve just kind of propped up this password thing by adding complexity. You have to have numbers and special characters, they have to be a certain length and have to change every so often. And so we propped that up with password managers. I won’t call it a house of cards, but it’s certainly not user friendly, and it leads to a lot of risk.”
A passwordless environment, by contrast, enables three security advantages, he said:
- Phishing resistance. A user who has no password cannot be tricked into handing one over: a credential-phishing page exists to harvest the target’s password, and when the only secret is a key that never leaves the device, there is nothing for the victim to type into a fake login form. “That’s probably reason enough” to do away with them, he said.
- Multilayered security. Eliminating the password may seem to remove the “something you know” factor from a typical two-factor protocol, even if “something you have,” such as a cellphone, remains. But the password can be replaced by another factor: something you are, such as a face or fingerprint, or something else you have, such as a separate passkey device. The PIN that unlocks the device-held key also stays local, so a knowledge factor survives without ever crossing the network.
- Reduced risk from other attack vectors. Once a password has been compromised, it can be tried against every other account where the same password is in use (credential stuffing). People should use different passwords for different accounts, but they don’t. Without a password there is nothing to reuse.
Passwordless Authentication: How It Works
The case for ditching passwords has long been clear. But the reason they live on is that the technology to replace them, in the past, typically required a separate piece of hardware that the user had to carry around, namely a hardware token or security key. Most people don’t want to do that.
Biometric authentication has started to change that. For Accenture, the introduction of Windows Hello — a Microsoft authentication feature built into Windows 10 and 11 that uses facial recognition, a fingerprint or a device-specific PIN to authenticate users — was a critical factor in enabling passwordless authentication.
“Passwordless is really about unlocking a secret key that lives on a device,” Burkhardt explained. “The secret that you know as a user — your PIN code, fingerprint or face — is never transmitted over the network, and that’s what is used to grant users a session token that gives them access to corporate accounts, and it’s just a great user experience. You open up your laptop, you’re logged in because it sees your face, and off you go.”
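The mechanism Burkhardt describes, and the phishing-resistance point made earlier, can be seen end to end in a small model. The Go program below is an added example written for this article; it is not Windows Hello code and not Accenture’s implementation, and it simplifies the real FIDO2/WebAuthn flow. It assumes a device-side key store (`Authenticator`) gated by a local PIN, a server (`RelyingParty`) that holds only public keys, and the origin names `corp.example` and `login-corp.example`, all invented for the example. The PIN is checked on the device and never appears in any message; the server issues a random single-use challenge, the device signs it together with the origin it actually contacted, and the server mints a session token only after the signature verifies. A phishing site at a different origin has no key to unlock, and even a key registered to that origin produces a signature the real server rejects.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator stands in for the device-side key store that Windows Hello guards with a
// PIN or biometric. PIN hash and private keys never leave it; only signatures do.
// Simplified model constructed for this example, not Windows Hello's real implementation.
type Authenticator struct {
	pinHash [32]byte
	keys    map[string]ed25519.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{pinHash: sha256.Sum256([]byte(pin)), keys: map[string]ed25519.PrivateKey{}}
}

// unlock is the local "something you know" check; it gates key use and is never sent anywhere.
func (a *Authenticator) unlock(pin string) bool {
	h := sha256.Sum256([]byte(pin))
	return subtle.ConstantTimeCompare(h[:], a.pinHash[:]) == 1
}

// Register mints a key pair scoped to one relying party; only the public half leaves the device.
func (a *Authenticator) Register(pin, rpID string) (ed25519.PublicKey, error) {
	if !a.unlock(pin) {
		return nil, errors.New("wrong PIN")
	}
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	a.keys[rpID] = priv
	return pub, nil
}

// Sign unlocks the key for rpID (the origin the client actually contacted) and signs the
// challenge bound to that origin. A phishing site is a different origin with no key to unlock.
func (a *Authenticator) Sign(pin, rpID string, challenge []byte) ([]byte, error) {
	if !a.unlock(pin) {
		return nil, errors.New("wrong PIN")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge)), nil
}

// signedMessage is what both sides sign and verify: SHA-256(rpID) || challenge.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// RelyingParty stands in for the server: public keys only, single-use challenges,
// and a session token minted only after a signature verifies.
type RelyingParty struct {
	ID      string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // user -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

// Challenge issues 32 fresh random bytes the client must sign.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read does not fail on supported platforms
	rp.pending[user] = c
	return c
}

// Finish consumes the pending challenge (so a captured signature cannot be replayed),
// verifies the signature with the enrolled public key, and only then issues a session token.
func (rp *RelyingParty) Finish(user string, sig []byte) (string, error) {
	pub, known := rp.users[user]
	c, pending := rp.pending[user]
	delete(rp.pending, user)
	if !known || !pending {
		return "", errors.New("no pending challenge for user")
	}
	if !ed25519.Verify(pub, signedMessage(rp.ID, c), sig) {
		return "", errors.New("signature does not verify for this origin")
	}
	tok := make([]byte, 16)
	rand.Read(tok)
	return fmt.Sprintf("%x", tok), nil
}

func main() {
	dev, corp := NewAuthenticator("1234"), NewRelyingParty("corp.example")
	pub, _ := dev.Register("1234", corp.ID)
	corp.Enroll("alice", pub)
	sig, _ := dev.Sign("1234", corp.ID, corp.Challenge("alice")) // PIN used locally only
	tok, err := corp.Finish("alice", sig)
	fmt.Println("login ok:", err == nil, "session token:", tok)
	_, err = dev.Sign("1234", "login-corp.example", corp.Challenge("alice")) // phishing origin
	fmt.Println("phish:", err)
}
```

Two details carry the security argument. Nothing the server receives (challenge out, signature and username in) contains the PIN or any biometric, which is why the knowledge factor cannot be phished or replayed from a network capture. And the signed message includes the origin, so a relayed challenge signed for `login-corp.example` is useless at `corp.example`; real WebAuthn achieves the same binding through the client data the browser constructs, which a page cannot spoof.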