Until recently, all Michigan Medicine employees faced a similar challenge: remembering and juggling multiple passwords to complete their daily work.
Imagine: Go to work, sign in with your uniqname, enter a password known as Michigan Medicine (Level-2), and use Duo to authenticate. Next, log onto the VPN but with a different work password—known as UMICH (Level-1). Check a paystub … but wait! Which password? Guess. Wrong. Frown, enter the other password, and repeat that dozens of times a workday. Imagine new employees, eyes wide in confusion each time a login screen appears.
In 2020, a small group of Michigan Medicine colleagues at Health Information Technology and Services (HITS) expressed to each other, “Wouldn’t it be amazing if we just needed one password?” They brainstormed an experience that converged simplicity and security and said, “Let’s make it happen.”
Following a pandemic and two years of collaboration across U-M, user research, and project work – the days of wrangling Level-1 and Level-2 passwords are soon gone. New employees won’t know what it was like to forget which password was the “paycheck password.” They join the era of the sync, where the UMICH passphrase provides Michigan Medicine access to all U-M and Michigan Medicine systems.
Bidding adieu to unnecessary complexity, Michigan Medicine transitioned to a single 15-character passphrase. Though “15 characters” sounds exhausting, employees commented that phrases are easier to remember and type than the chaos of Shift keys with numbers and symbols.
It also keeps data safe: Research shows that longer, unique passphrases already in use at U-M are harder to crack, adding additional security. Prior to the sync, Michigan Medicine’s password policy no longer met recognized standards and needed to be updated.
Addressing the bothersome feeling of password changing, the user experience was designed to be as easy as a few clicks and keystrokes. For those unable to sync, the passwords will seamlessly sync when the time comes, ensuring a hassle-free transition.
Added benefit? Combating login fatigue. By simplifying the login process, Michigan Medicine aims to boost productivity and reduce frustration among its workforce. Over 20,000 password-related issues each year contribute to about seven months of lost productivity and high support costs.
The cherry on top: There is no annual reset. Fewer Duo authenticator prompts and the convenient ‘Remember Me for 7 days’ feature make logins more bearable, and the Microsoft Authenticator app streamlines Microsoft 365 logins on iOS devices.
“Though the Michigan Medicine password structure is changing, our technology under the hood is not. Building on top of our existing two-account infrastructure made this project possible. Access to Michigan Medicine applications will remain the same,” explains Megan Lowry, a senior Customer Experience analyst at HITS.
The journey wasn’t without hiccups. Early on, the project paused to assess the consequences and meaning for the community. Jeff Cline, an Identity and Access Management subject matter expert, says, “Then things were back on track, and the project was approved, but doing so led to a different set of requirements and new coding.”
Cline continues, “The campus and Michigan Medicine Information Assurance (IA) teams reviewed SBARs (Situation, Background, Assessment, and Recommendation) we put together. We ensured that both IA teams were on the same page and actively involved.”
Employee feedback has been met with frustration and cheers. Yet another password process seems tiring, but the prospect of bidding farewell to annual resets is met with enthusiasm. Brandon Boucher, Service Desk manager, observes, “People like it. The team has done a great job getting this in front of people. During the pause, people were itching with anticipation. Asking, ‘can we do this and when can we do this’?”
Has the Service Desk been flooded? Boucher admits he was surprised. “The contacts we’ve had related to the sync are significantly lower than what I would have expected for a rollout this large.”
An idea four years ago that was set in motion resulted in HITS leading a transformation in Michigan Medicine’s digital landscape. For now, the whole project team monitors the sync’s effectiveness.
“The Service Desk is monitoring based on a contact volume level and how much it increases,” says Boucher. “While we’re doing that, we’re looking into why customers are calling.”
“That’s one of our main KPIs (Key Performance Indicator) that we’ll observe,” Lowry points out, “Are our contacts about account management issues going down over time?”
Cline, a Michigan Medicine employee of 20 years, gives a huge team kudos. “This project has probably been the best I’ve been on in terms of team collaboration,”
Boucher agrees. “We’ve had a lot of bumps, but the way the project team would come together and work through things … I haven’t had that kind of experience on any other project that I’ve been a part of since I’ve been here.”