As the world’s largest online travel agency, Booking.com is making it easier for everyone to experience the world. The company has pioneered the “connected trip,” bringing together all their customers’ travel needs — from transport to accommodation to entertainment — to create a seamless travel experience for every customer.
To provide that connected trip, Booking.com needs a connected workforce. Creating seamless travel experiences requires the team to have fast, frictionless access to the systems and tools they need to do their jobs effectively. This seamless experience for customers requires a sophisticated identity security fabric, built to protect a connected workforce. Prior to using Okta, however, Booking.com’s on-premises identity solution limited their team’s ability to work efficiently and productively.
How legacy technology limits productivity
One challenge was the speed it took Booking.com to connect new apps to their previous identity solution, as Richard Pilkington, engineering manager - identity at Booking.com recalls. “Back in 2019, there was an explosion in SaaS apps being used within the industry. Connecting those apps to our legacy solution was a long, slow, and very inflexible process. It took a week or two just to connect apps for our teams to use. It also required developers with special privileges to connect them, which created a bottleneck to getting apps into our landscape.”
Booking.com also faced challenges in provisioning users. Integrating employee information from their HR system to their identity management system involved custom apps and custom scripts, which could take developers anything from two days to a few weeks to implement, creating a significant drain on resources. “Our identity platform was legacy technology, to which we were bolting on modern requirements,” recalls Pilkington. “We needed a modern identity system to support the modern authentication needs of the industry.”
Choosing a modern identity provider for seamless access
One of Booking.com’s key requirements for their new identity platform was that it could integrate with their HR source out of the box, with no need for custom scripts, giving the company the agility to quickly change their identity processes as required. They made their selection after running a proof of concept with Okta Workforce Identity. “We have a standing rule when selecting technology at Booking.com to go with the best of breed, regardless of the stack,” Pilkington explains. “We ranked Okta Workforce Identity as the best of breed. It had out-of-the-box connectors to our HR system and directory service, it was easy to plug and play different authentication factors, and we could modify the authentication policies very quickly and easily.”
Fast app onboarding for the SaaS era
Booking.com implemented Workforce Identity in 2019, with Okta Professional Services helping to accelerate the migration and ensure the architecture was set up to meet the company’s requirements. The migration enabled the company to handle new SaaS integrations easily and ensure every new app was protected by Okta Single Sign-On. With a small number of apps initially behind Okta, that number has now risen to more than 1000 apps, meaning Booking.com has onboarded a new app every two to three days. The team originally handled that process by integrating with a new app in the Okta Admin Console. As the number of requests for new apps increased, however, this became time consuming for the identity team. Instead, they began to use the Okta Provider for Terraform to allow teams across the company to onboard their apps themselves, removing the bottleneck and enabling teams to onboard apps in as little as 15 minutes.
“In our previous setup, we wouldn’t have been able to manage directory services with Terraform,” says Pilkington. “With the Okta Provider for Terraform, we have the change management control and visibility we need, and we can easily roll back any changes when necessary.”
Making it easy for teams to onboard apps has meant they are more willing to secure their apps with Okta, improving Booking.com’s overall security. At the same time, delegating responsibility for onboarding apps allowed the identity team to focus on harder identity challenges that require more specialized focus.
Automating the way to more efficient operations
Workforce Identity has also solved Booking.com’s challenges around user provisioning. With Lifecycle Management, Booking.com has automated the onboarding and offboarding of employees. Okta’s integration with the company’s HR system ensures that when a user’s contract terminates, they automatically lose access to Booking.com’s systems, helping the company to secure its environment and remain compliant.
As the company’s user provisioning requirements have increased in complexity, the identity team has used Workflows to automate more and more processes to meet the demands of the business. For example, when the auditing team asks for lists of active users, they can pull and share this data automatically, saving the identity team valuable time, which they can use to focus on more strategic projects.
“As the business’s needs have grown more complex, our use of Okta has evolved,” Pilkington explains. “With a powerful orchestration engine like Okta, we can respond and deliver quality as soon as the business needs it. With Workflows, it's just drag and drop and you have the integration you are looking for. Workflows really is the glue between our various systems for provisioning, authentication, and other business processes.”
Improving security and user experience with FastPass
Booking.com’s use of Workforce Identity has continued to evolve with the introduction of Okta FastPass, which enables passwordless, phishing-resistant authentication for employees. By removing passwords from the authentication process, Booking.com has secured their systems against the risk of stolen credentials and phishing attacks. At the same time, authentication has become simpler and faster with the support of biometric methods such as fingerprint scanning alongside FastPass for MFA. With FastPass, users experience a 57% reduction in authentication time.
“With FastPass, we’ve been able to improve security and improve the user experience at the same time,” says Pilkington. “It’s revolutionary in the way it makes authentication so quick and straightforward — it almost feels like cheating.”
In addition to providing phishing-resistant authentication, FastPass also bolsters Booking.com’s security by enabling device context checks to determine how secure a user’s device is before allowing access to a protected application. Available with Adaptive MFA, these checks enable Booking.com to restrict a user’s access based on device posture and other contextual signals that can be used to set minimum security requirements.
Securing today’s systems to meet tomorrow’s challenges
Booking.com plans to increase its use of Identity Threat Protection, with the ultimate goal of using continuous evaluation to remove the need for repeat logins and provide an even smoother user experience for their workforce.
At the same time, the company is also improving its security posture by using Device Access to extend Okta’s protection to how users log in to their Mac laptops. This ensures employees are secured from the moment they power up their computers, while delivering a familiar login experience that users already expect from Okta. As Pilkington spells out, “Whenever a user interacts with our systems, be it SaaS or on-prem hosted applications, they are greeted with an Okta login screen. Why wouldn't you bring that to your device sign-in screen? It just makes sense. It provides a single pane of glass and a single friendly user experience. It also allows us to have one less credential that users need to know, while simplifying IT support flows.”
Device Access leverages Apple’s Platform Single Sign-on extension in its support for macOS, bringing identity security and more efficient account management to Apple devices. It integrates seamlessly with FastPass to streamline the enrollment process and help companies like Booking.com get closer to their goal of becoming fully passwordless.
As Booking.com’s use of Workforce Identity continues to evolve, it still serves the same vision that led the company to choose Okta in the first place: providing seamless access for employees so they can provide seamless travel experiences for their customers. This comprehensive journey—from automated app provisioning to phishing-resistant authentication and continuous threat protection—is a testament to the power of a holistic identity security fabric in practice. “Okta has allowed us to be a lot more flexible and responsive to the ever-changing business landscape,” Pilkington concludes. “It has enabled us to move faster and freed our teams to focus on what is most important for our customers.”
About Customer
Founded in 1996 in Amsterdam, Booking.com has grown from a small Dutch startup to one of the world’s leading digital travel companies. It is available in 43 languages and offers more than 28 million total reported accommodation listings, including over 6.6 million listings of homes, apartments, and other unique places to stay. Part of Booking Holdings Inc., the company’s mission is to make it easier for everyone to experience the world.
