Love them or hate them, passwords have been a key part of our interactions with technology for decades. Today they are integral to how we access our online accounts and gain access to the systems we use to work and live in a modern environment.

However, as technologies have evolved and online criminals have become craftier, passwords have emerged as one of the biggest security risks for organizations. According to Verizon's 2024 Data Breach Investigations report, over the past 10 years, stolen credentials have appeared in almost one-third (31%) of breaches.

As we know from the headlines, a single breach can cost millions of dollars and significantly erode a organization’s reputation. And unfortunately, attempts to make passwords more secure have been ineffective.

• Password expiration protocols are ineffective against modern threats, as compromised credentials are often used within hours.
• Complexity requirements and frequent changes reduce productivity, increase costs and are still insufficient against cybersecurity threats.

One factor less commonly considered: the company cost of maintaining a password-based access security system. In Avanade’s case, over the course of a year, it takes our employees an average of 60 minutes to periodically reset their password and update their various system accesses. Multiply that by our 20,000 eligible employee accounts and that’s 20,000 hours per year.

Clearly, it was time for a change.

What is passwordless?
Passwords are vulnerable to hackers because they can be used from any device and need to be remembered by users. Passwordless technology reduces this threat because a person’s credentials are paired directly with their device.

Passwordless authentication replaces passwords with two or more verification factors secured and encrypted on a user’s device, such as a fingerprint, facial recognition, a device PIN or a cryptographic key. To access an account, bad actors would need to physically possess a person’s device and know their PIN or have their biometrics, which are difficult to acquire and cannot be obtained remotely.

For end users, passwordless security means less hassle and more secure, simpler and more efficient access. For an organization, overall security is improved.

Goodbye, passwords
But wait. Imagine telling your teams it is time to leave their passwords behind.

Creating, changing and protecting our passwords has become almost an art form. To help people break up with their passwords and move on to safer and more modern authentication methods, the project team created a comprehensive plan that stretched from deployment of new access and security protocols to change and communication programs that would help people progress from one world to the next.

Brave new world
To be honest, we started with a couple of key advantages: Avanade is a technology company. Our cloud-first approach has been at the center of our IT strategy for many years, providing a strong foundation has allowed us to focus on security, increasing and adapting our security posture as threat environments have evolved.

With this as our starting point, we assembled the verification factors that would underpin our passwordless system:

• Windows Hello for Business, which replaces passwords with strong multi-factor authentication on Windows 11 platforms, is used with either a biometric or PIN to authenticate users without a password being stored.
• Microsoft Authenticator app, a free mobile app on iOS and Android that can replace or augment passwords with push notification approvals, one-time passcodes and additional verification of a biometric gesture on the device or the device PIN.
• FIDO2-compliant security keys, such as a USB key or NFC-enabled smartcard.

This combination of technologies provides users with a range of authentication options from which to choose.

Then, with the framework in place, our change enablement teams went to work, letting employees know about the coming change and providing plenty of information in a variety of formats about how and when the switchover would happen.

The results
Today 99% of eligible Avanade users are passwordless, on the way to 100%.

Satisfaction is high among those now enjoying a passwordless experience. “I was one of the laggards,” one long-time Avanade employee said. “I resisted to the very end, but now I love it. I am a total advocate.”

As a result of Avanade’s leap into the passwordless world, it is experiencing significant company benefits:

• A higher degree of trust and security – and a reduced risk of a data breach that could impact our employees, clients or company operations.
• An improved employee experience. Signing in is faster, with no more passwords to create, store or remember.
• A dramatic reduction in IT support team costs from password resets.
• Establishment of a firm foundation for the continued evolution of online security.

Updating our approach to password security required employees to change the way they do something, which takes some time to get used to, but the long-term benefits are worth it. Our people’s personal information, our client data and Avanade company operations are safe. And we are well-positioned to continue to adapt our security approach as the risk landscape evolves over time.

Ready to explore the benefits of going passwordless? Avanade technologists and IT experts are glad to share our experience and lessons learned, as well as work with you to chart your own customized journey to a passwordless future.