As a global financial platform, Adyen powers transactions for some of the world’s most trusted brands, like Meta, Microsoft, and eBay. In the financial services world, where security is critical, Adyen’s commitment to a Zero Trust architecture is a core principle. The company is constantly seeking ways to stay ahead of evolving threats. Recently, the team set its sights on a new, albeit ambitious, goal: achieving total phishing resistance across the organization.

For Adyen, this wasn't just about rolling out a new security tool. It was about enabling nearly 5,000 employees to easily and securely access company data. By rolling out Okta FastPass and Identity Threat Protection, Adyen achieved 99.6% phishing-resistant coverage across all access flows and 90% faster authentication. They also mitigated a potentially damaging phishing attack that resulted in zero compromised accounts. Together, these outcomes translate to a stronger security posture, higher user satisfaction, and reduced operational overhead.

Beyond traditional security

Even with strong security controls like Adaptive MFA, Adyen's team knew that attackers were getting smarter. Leandro Dimitrio, Systems Engineer at Adyen, says, “We made the decision early on to deploy FastPass in the most secure and scalable way possible.” They understood that, while Adaptive MFA could flag a suspicious login, weaker authenticators, like SMS or a one-time passcode (OTP), remained susceptible to attacks.

Beyond user login, Adyen's team saw additional risks. They needed to secure long-lived sessions, like those in Gmail, and prevent a user, or a potential adversary, from moving the session from a company-managed laptop to an unmanaged device.

To solve these challenges, Adyen needed a solution that could secure the initial login, continuously monitor user sessions for threats, and enforce policies both during and after login.

A "phishing resistant-first" approach

Adyen’s first step was a comprehensive deployment of Okta FastPass. To achieve this, the team eliminated all weaker authentication methods and guided users through enrollment with FIDO2 or a device-bound passcode. Weaker authenticators, like SMS, push notifications, or OTPs, were removed as fallback options. This prevents attackers from easily exploiting user accounts through phishing.

This policy covers nearly 5,000 users across macOS, Windows, and mobile, delivering a simple, consistent, and secure experience from day one. It’s fully integrated into their mobile device management and enterprise asset management systems. And the real game changer? Device provisioning is fully automated with Okta Workflows.

AI-driven identity threat detection and response

Adyen’s defense didn't stop at the front door. The team implemented Identity Threat Protection to detect and stop identity-based attacks during and after authentication.

With Identity Threat Protection, Adyen continuously tracks session risk, detecting anomalies in expected session behavior or known active threats. If a threat is detected, Identity Threat Protection can perform real-time actions, like step-up MFA, Universal Logout, or custom actions via Okta Workflows.

“Identity Threat Protection helps ensure devices remain compliant during the session,” Alexander Makarov, IAM Staff Engineer at Adyen, explains. “It also terminates abnormal session activity and prevents employees — and potential threat actors — from moving sessions from managed to unmanaged devices. This is particularly important as we hold banking licenses in different countries and our laptops are locked down.”

Universal Logout is enabled for a number of Adyen’s most critical applications, like Salesforce, Google Workspace, Slack, and Zoom. This immediately terminates all user sessions across Okta and these apps to stop identity-based attacks. These policies help Adyen maintain a strong identity security posture for all users at all times.

“To increase visibility and streamline SOC responses, all Identity Threat Protection events are streamed to Adyen's SIEM, enabling the SOC team to quickly triage and investigate security incidents,” Makarov continues. “This layered model enhances visibility, narrows the response window, and aligns our threat response with modern attack patterns.”

Adyen is also eager to see more SaaS vendors deliver Universal Logout out-of-the-box, bringing stronger, more consistent protection across all their applications.

Result: A secure and more productive workforce

The combined power of FastPass and Identity Threat Protection helped Adyen achieve:

  • Zero compromised accounts: During a sophisticated phishing campaign that mimicked Okta's login page, Adyen experienced zero compromised accounts. Because there was no OTP option to exploit, attackers were unable to steal credentials. This validated Adyen’s strict policy on FastPass authentication in a real-world scenario.
  • 99.6% phishing-resistant coverage: Adyen achieved near-total coverage across all employee access flows by enabling FastPass on day one and guiding users through the transition. A phased deactivation of unused authenticators like Google Authenticator and SMS helped drive 99% adoption within 100 days.
  • 90% faster authentication: While security was the priority, the user experience also saw a significant boost. Authentication times dropped from 30 seconds to just 3 seconds per app, a 90% improvement. 
  • Time savings and productivity: Automation in identity workflows, from secure provisioning to offboarding, saved the engineering team 13-15 hours per week. It also helped accelerate audit processes, improve overall user lifecycle throughput, and increase reliability.
  • Improved user satisfaction: The Net Promoter Score (NPS) for the new system soared to 82%, a testament to how security and usability can go hand-in-hand.

*All data is based on the customer's own data.

Makarov explains, “With Identity Threat Protection and Okta FastPass, it was a complete win-win. Our users love the effortless, intuitive, and passwordless experience, and we have achieved a massive leap forward in our security posture.”

Adyen’s blueprint for zero trust success

Here are Adyen’s four key best practices for any organization looking to replicate their success:

  1. Phishing-resistant authentication: Reduce phishing exposure via weaker authentication methods by rolling out phishing-resistant authentication to all users. 
  2. Policy-driven device enrollment: Automate device enrollment based on strict compliance and posture requirements.
  3. Continuous device posture enforcement: Continuously enforce device assurance policies to detect when a session moves from a managed to an unmanaged device.
  4. Continuous risk monitoring: Monitor user and session behavior during and after authentication to immediately detect, prevent, and remediate threats, like session hijacking.
  5. User training and awareness: Educate employees so they understand the new workflows and can recognize phishing attempts.

Adyen’s journey with FastPass and Identity Threat Protection is a powerful example of how a proactive, defense-in-depth strategy can create a security posture that is highly resilient and efficient. This means you can implement a solution that works for your technology and your people. For a company as focused on the future as Adyen, that foundation will allow them to scale confidently, no matter what new threats emerge.
