For the Un-carrier, the customer is everything
T-Mobile sets out to transform its technology so it can move at the speed of customer expectations. IT responds by providing customer care agents the latest technology at their fingertips, but they struggle to onboard apps and strengthen security protocols.
A decision to minimize customer care friction
After evaluating several identity solutions, the T-Mobile team chooses The Okta Identity Cloud to help minimize login frustrations and application toggling for care agents. Okta Professional Services helps accelerate time to value for onboarding apps at T-Mobile.
Slashing the operational budget
In 18 months, T-Mobile replaces its Oracle stack, along with 80 on-prem servers. With Okta managing identity, the company’s 50,000 retail employees go from 60-70 authentication events per day down to 7-10. Help tickets plummet, along with employee anxiety.
Balancing usability with a secure perimeter
T-Mobile uses Okta Adaptive Multi-Factor Authentication to balance usability with security, configuring contextual policies that allow them to target the riskiest subset of access requests and limit off-network access to some applications.
A partner for continual, transformative change
T-Mobile transitions away from monolithic systems to microservices. With an authentication platform and open protocols and standards, T-Mobile can build custom applications more quickly, onboard users more easily and ensure strict security policies are in place. Over 170 apps were onboarded in 18 months, rather than 12 applications the year prior.
"Okta was a game-changer for us. … Having an authentication platform that you can easily integrate with greatly accelerates the underlying system you’re trying to build."Warren McNeel, Senior Vice President of IT, T-Mobile
- Reduction in authentication events for retail employees from 60-70 per day down to 7-10
- Dramatic reduction in operational costs, with reduced Oracle licensing and maintenance costs, along with deprecating 80 on-prem servers
- Ability for developers to focus on core business features for new applications
- Robust and well-documented tools and APIs that allow T-Mobile to treat identity as a repeatable product
- Support for modern identity protocols, including OAuth and OpenID Connect
- Plummeting number of help tickets for password requests
- Improved stability and reliability
The Un-carrier shakes up an industry
When John Legere took the CEO job at T-Mobile in 2012, he brought with him an unusual approach: Take time to listen directly to customers and frontline employees. Champion the unconventional solutions that they put forward to long-standing industry problems.
Today, that “Un-carrier” strategy continues, harnessing passion and commitment at every level of the T-Mobile organization to revolutionize an entire industry. T-Mobile has been the fastest-growing company in the space for the past seven years, adding nearly two million new users in Q4 2019 and increasing total service revenues more than 6% year over year.
“T-Mobile is a customer-first company, and that bleeds into every single part of our culture,” says CIO Cody Sanford, a 20-year veteran of the company. The Un-carrier strategy is all about exceeding customer expectations, which means removing barriers for the frontline employees serving those customers.
Building blocks to a more agile company
Transitioning to a customer-centric approach was about more than a shift in policy, however. “Ultimately, every experience we create for our customers is delivered through technology,” says Sanford.
The company’s legacy Oracle stack wasn’t designed to move at the rate of customer expectations. To achieve the agility and responsiveness that T-Mobile needed for its Un-carrier aspirations, Sanford began guiding it through an IT transformation.
That was no simple process. T-Mobile comprises a complex ecosystem, including 100,000+ retail and call center partners and employees as well as thousands of corporate employees, wholesale partners, and prepaid and postpaid customers.
In addition to customer-facing T-Mobile applications and digital properties, the company runs thousands of enterprise applications. “To create the experiences that our customers expect from us, all of those things have to work in harmony,” says Sanford.
T-Mobile’s IT journey over the past five years has involved overhauling the entire technology stack, moving to cloud-native applications, embracing a DevOps working model, moving to product-centric design, and building a development team that can create experiences and products at speed. It’s a model that every modern company aspires to.
Partnerships have also been essential. “Very little of what we did was invented at T-Mobile,” says Sanford. “We’ve been very fortunate to partner with a number of companies that made sure our transformation actually delivered on the promises of the technology.”
The identity challenges at the root of complexity
At the start of their journey, the T-Mobile team was using several different systems for identity and access management (IAM), says Warren McNeel, senior vice president of IT. Different T-Mobile applications used different IAM systems to validate users, and that lack of consistency led to frustration for customers and care agents alike.
T-Mobile’s identity systems and databases starkly reflected the company’s complexity, and that complexity showed up every day in frontline customer care situations. Representatives commonly used multiple applications on a single call, logging into each one separately and navigating between them as the call progressed.
It wasn’t uncommon for T-Mobile retail employees to authenticate into various systems 60 or 70 times a day—“a clunky experience that could lead to bad practices security-wise,” says Kris Wilson, senior director, product and technology at T-Mobile. Friction escalated between customers and T-Mobile representatives as they fumbled with passwords and toggled between systems.
To add insult to injury, those systems frequently experienced major outages. Representatives would be forced to take out a piece of paper, write down a customer request, and get back to them when the outage was over.
Every time IT wanted to change anything, whether it was onboarding a new application or a new employee, the process was complex, repetitive, and slow.
As a result, T-Mobile teams were often forced to find their own solutions. “Time-to-market was a security risk. The longer it took for us to onboard applications, the more people looked for alternate solutions,” says Wilson. “They created their own siloed credential stores, so we couldn’t monitor things or apply policies holistically.”
T-Mobile clearly needed a better way to make authorization decisions. “If you don’t have a single solution, you’re rebuilding it time and time again, adding cost, time, and complexity,” says McNeel. “We needed a simple solution that we could use over and over again for both internal platforms and cloud native systems.”
When identity aspirations reflect company values
To simplify IAM, the team began looking for a leader in the space with technology they could feel confident deploying across the company. “We needed a partner that was modern, cloud native, and that could help obfuscate all the complexity in our ecosystem and make it seamless,” says Sanford. Security was table stakes. Reliability was crucial—along with the ability to speed time to market for new applications and services.
With these criteria in mind, the team evaluated a number of identity solutions, including OneLogin, Microsoft Azure Active Directory (AD), Oracle’s Identity Cloud Service, and Okta. The T-Mobile team planned to deploy an API strategy that would allow them to expose functionality to product and technology teams, get more reuse out of their work, and reduce their technology footprint and security surface area.
“When you think about how identity plays into security with APIs, if you’re building identity multiple times into multiple systems, you’re multiplying the number of exposure points,” says McNeel. “We wanted to limit that by going to a single identity solution.”
T-Mobile also wanted to make sure their identity partner was a good fit with the company’s Un-carrier mindset. “We’re maniacally focused on our customers,” says McNeel. “It’s important for us to partner with companies that have a similar culture—who think along those same lines, and Okta fit that bill for T-Mobile.”
More app integrations completed. Fewer resources required.
The T-Mobile team spent time getting to know the Okta Professional Services team and Okta technology, and planning a strategy for T-Mobile’s retail and call center operations. They moved from trial to execution once they saw how quickly they could collapse the number of applications and logins that frontline customer care agents would have to deal with during their day.
“We developed a lot of confidence after looking at Okta against the other solutions out there,” says McNeel. “We felt comfortable that it was a secure solution that would be well managed and would meet the criteria we’d lay out for operations.”
Okta’s support for modern protocols, such as OAuth and OpenID Connect, played a role in the team’s decision, as well as its ability to automate processes with Okta Lifecycle Management. “Okta gave us the opportunity to reduce manual processes and manage credentials and information much more quickly,” says McNeel. “We could cover more applications and integrations with a smaller resource base.”
“The other major benefit of Okta for us was its cloud-native technology,” says Sanford. “That ability for our developers to be able to hand off identity management to the experts would be a major unlock for getting applications out the door faster.”
Down payment on the future—and a secret sauce
Today, 200,000 T-Mobile care representatives, retail associates, and knowledge workers access their work using Okta. “Anybody who is doing business on behalf of T-Mobile is leveraging Okta day in and day out,” says Wilson.
“Launching Okta was a huge down payment on our future vision,” says Sanford. Initial deployment took six months, which included four months of detailed planning with Okta’s Professional Services team. They helped create a templated “factory model” for onboarding apps at T-Mobile, which dramatically improved time to value.
“Four months of planning paid dividends in terms of how quickly we’ve been able to onboard apps,” says Wilson. “Every week, Okta Professional Services was there with us, jumping through different hoops for different, nuanced applications. Today, protocol standardization is our secret sauce.”
The T-Mobile team has replaced their entire Oracle stack, eliminating a vast on-prem infrastructure as well as licensing and support costs. “We had upwards of 80 application servers and multiple data centers that we had to maintain,” says Wilson. “That’s now down to about six virtual machines, for a massive cost savings to our operational budget.”
Over the past five years, the team has gone from five identity providers to two, and Wilson considers that a major win. At the same time, his team has been impressed by the rate at which they can onboard apps with Okta, compared to Azure AD. To date, the Okta team has integrated 220+ applications, while Azure is at around 20.
The usability unlock for customer care agents
Okta Adaptive Multi-Factor Authentication (MFA) is an important part of T-Mobile’s identity solution. “Part of the beauty of Okta is the balance it provides in terms of when to trigger MFA and when not to,” says Wilson. With Okta, the team can easily configure contextual MFA policies based on details, such as location, device, or access frequency. “It allows us to target the riskiest subset of access requests, rather than blanketing everybody,” he says.
In addition, Okta MFA gives the team visibility into where users are coming from and allows them to limit off-network access to some applications completely. T-Mobile IT is working with Okta to create context-aware authentication and authorization policies that allow them to enforce access requirements for high-risk applications.
Reactions from the front lines have been most pronounced among teams at the company’s 7,000 retail stores. “We have successfully deployed Okta across one of the largest retail fleets in any industry,” says Sanford. “Millions of sign-ons every week have been simplified, thanks to Okta.”
T-Mobile users no longer manage multiple sets of credentials and have gone from those 60 or 70 authentication events per day to just seven to ten. In Sanford’s calls with those 50,000+ employees, he receives deep appreciation for how much easier it is to serve customers now.
“Anyone who works in a large retail organization knows that not having to spend time on things that are unimportant to customers is the single biggest unlock you can do for your employees,” he says.
Because T-Mobile users can now SSO into every tool they use, the IT service desk has seen a reduction in help requests. “Folks now have a single user credential, so they no longer have to call in to reset some siloed credential that they were using for a one-off app,” says Wilson. “All of those tickets were gone from the moment that app was integrated into Okta.”
For partners: Secure, streamlined connections
The Okta Integration Network has helped streamline the interface between T-Mobile and its partners, who interact with the company using a wide variety of their own applications and API connectors. “Identity used to be more of a liability than an asset,” says Wilson. “The second we started deploying Okta, we suddenly had access to all of these prebuilt adapters and integration points.”
Okta API Access Management helps keep all of those API calls secure. For API lifecycle development and implementation, the company uses an Okta partner, Apigee (now part of Google Cloud). The Okta-Google Cloud solution creates an ideal state for T-Mobile’s API ecosystem, providing a streamlined system for third-party integration and layering security policies over it.
“T-Mobile employees and partners all experience the same Okta authentication processes and it’s simple,” says McNeel. “They didn’t have to do anything differently—in fact they had to do less once we put the solution in place.”
For developers: Identity as a product
From a developer standpoint, the identity part of each project is done—they don’t need to spend precious time thinking about security protocols. “Okta team members are experts in the space, which allows us to focus on the things that are most important in the apps we’re building,” says McNeel.
Overall, T-Mobile IT has shifted its stance on identity, treating it as a product rather than a service. “Folks interact with our product via tools and APIs. The more robust and well-documented the offering, the easier it is for development teams to serve themselves,” says Sanford.
“That ability for our developers not to think about identity management databases, rules, permissions, and all those things that come with legacy identity management platforms—that, from a developer perspective has been a major unlock for getting applications out the door faster,” he says.
T-Mobile’s identity strategy combines agility with a security posture that features fewer points of failure and fewer authentication elements to manage. “When you centralize identity, it becomes much easier to manage and control,” says McNeel.
The result: Game-changing agility
The IT team cherishes its newfound ability to respond with agility to the needs of customers and the business. A few years ago, they would have been lucky to complete four to five large-scale code deployments per year. “Now we do hundreds a week, sometimes thousands,” says Sanford.
“Okta was a game-changer for us,” says McNeel. “We’re no longer customizing APIs individually for all the different data access points we want to protect, all the roles that get different treatment.”
“Having that all consolidated on the Okta platform is huge,” says Wilson. “Having an authentication platform that you can easily integrate with greatly accelerates the underlying system you’re trying to build.”
A partner for continual, transformative change
With Okta as its identity foundation, the T-Mobile team can quickly consolidate directories, automate processes, and secure assets so that the combined company can act quickly on the Sprint merger.
T-Mobile is also taking part in the beta program for Okta Workflows, to further automate and streamline manual processes without code. “We’re piecing together entire provisioning sequences, for example, with systems that are external to Okta,” says Wilson.
The team is also working with Okta partner Secret Double Octopus to eliminate passwords altogether, since they’re at the root of so many security breaches. “The world of passwordless authentication is extremely enticing, especially when you think about the diversity of the ecosystem of users we have here,” says Wilson.
“We want to be at the forefront of that evolution in security,” says McNeel.
The team plans to give retail employees more mobility in the next few years, offering them tablets they can carry around the store, rather than centralized kiosks. Okta technology will play a large role there.
The Okta Customer First team is an integral partner in T-Mobile’s ongoing evolution. “I can’t think of many weeks I’m not on the phone with Okta for multiple calls, and it’s not just issues or challenges we’re facing,” Wilson says. “Usually, it’s the opposite—it’s roadmap discussions, strategic conversations about where we want to take the platform.”
“I don’t value that lightly,” he says. “I can’t think of many partners that have been there with us every step of the journey in the way that Okta has and continues to be.”
As America's Un-carrier, T-Mobile US, Inc. (NASDAQ: TMUS) is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 84.2 million customers who are unwilling to compromise on quality and value. Based in Bellevue, Washington, T-Mobile U.S. provides services through its subsidiaries and operates its flagship brands, T-Mobile and Metro by T-Mobile.