Cazoo: Placing Okta at the wheel of identity management while revolutionising car retail online

Most of us are used to being able to order whatever we want from wherever we want, and expect our new purchase to arrive within days, if not hours. But what about when it comes to buying a car?

Cazoo launched in December 2019 and has been one of the fastest growing businesses in the UK over the past few years, pioneering the shift to online car buying. Cazoo owns and fully reconditions its cars to the highest standard before offering them online for either home delivery or collection in as little as 72 hours. And it will buy any car directly from consumers, offering a guaranteed price with the option of either home pickup or drop-off at one of its locations with same day funds transfer.   

Consumers have embraced the Cazoo proposition of buying a car entirely online and in less than 3 years since launch they have sold over 100,000 cars in the UK.  And with Cazoo being the UK’s largest independent used car retailer, its workforce expanded to match pace, growing to over 3,500 employees.

With that growth came a challenge: how to provide seamless IT experiences for the people working behind the scenes at Cazoo, while securing sensitive data held by the company and complying with international regulations. Cazoo turned to Okta for the solution, with a particular view to using Okta Identity Engine. 

 “Innovation is important to us and the technology we use is no exception,” explains Richard Owen, Security Architect, Cazoo. “We’ve been cloud-first from day one, but our existing identity provider wasn’t able to keep up. Okta offered out-of-the-box products that addressed a whole host of use cases that were a priority for Cazoo.”

Adopting an HR-driven approach to IT provisioning

Cazoo, like many businesses that experience rapid growth, anticipated the challenges of managing its expanding workforce effectively and sought to augment its existing infrastructure. One of the key challenges was ensuring that new starters were provided with the right tools for their job in a timely manner.

Prior to Okta, Cazoo spent 20 minutes on each new employee, provisioning them into their directory and two birthright apps. Cazoo knew they needed to automate this process as its business was growing fast. 

Cazoo grew by over 2,500 employees within a year. If Cazoo had continued their approach of manual directory and app provisioning this burden would have cost 1,000 hours or £45,000 of admin time over this period. Originally, outside of the two birthright apps, Cazoo didn’t do any further provisioning for new joiners. This process led to a confusing user experience upon joining. So the company turned to Okta. 

Now Okta completely automates 10 birthright role specific apps upon a user joining in an office role and two birthright role specific apps for users in a non-office role, saving 4,000 hours or £178K of admin time over this period, with further app requests beyond this handled much quicker. 

With Okta, Cazoo was able to effectively and efficiently automate this process, using Lifecycle Management (LCM). This HR-driven approach to IT provisioning ensures that, as soon as someone new joins Cazoo and their details are entered into HiBob, the company’s HR platform, they are passed on to Okta automatically. For any apps that LCM doesn’t support out of the box, Cazoo uses Okta Workflows to help fill in those connections, ensuring that the appropriate level of access is granted to the apps relevant to each role. 

This approach covers the entire Joiners, Movers, Leavers (JML) lifespan of each Cazoo employee. Any changes that are made during their time with the company, whether that’s a change of name due to marriage or perhaps moving to a new role, are updated automatically in Okta. Any apps that are no longer needed are removed, and any apps that need to be provided are added. When an employee moves on from Cazoo, their access to apps and IT infrastructure are automatically removed, at the touch of a button. 

“Lifecycle Management ensures a seamless experience for our users, throughout their time with us,” Richard says. “Our support traffic has dropped significantly as a result, so we’re confident that new joiners will be up and running and ready to go from day one, without having to call on HR or IT to problem solve.”

Now, with Okta and its role-based access control, maintaining transparency and accountability couldn’t be simpler, resulting in peace of mind for Cazoo and its customers. Okta allows Cazoo to vastly speed up the documenting of access as well as the deprovisioning process, saving the company time and money. 

Boosting security while providing seamless user experiences 

Okta Single Sign On (SSO) and Multi-Factor Authentication (MFA) are the engines driving this improved security posture. With SS0, Cazoo employees have a one-stop shop for authenticating their identity and delivering secure access to all of the apps they need to do their jobs. SSO also ensures that any former employees are unable to access sensitive information, once HR-driven deprovisioning has automatically occurred, as well as saving costs in licences for apps that are no longer in use. With the Okta Integration Network (OIN), the tech team can utilise more than 7,000 pre-built app integrations to support the majority of productivity tools used today. When Cazoo adds new apps to its roster, the provisioning and deprovisioning of these apps will similarly be automated. 

Prior to Okta, Cazoo’s office workers had an app based one-time-password MFA in place that took roughly 45 seconds to complete per prompt. With Okta’s MFA this is accomplished in 1 or 2 seconds and Cazoo is able to tailor its approach to identity authentication to suit the needs of the various segments of its workforce. Staff working in garages and repair shops have access to very different kinds of data compared with their office-based counterparts, for example. With MFA, frontline workers can use simple SMS authentication factors, while those in corporate roles with access to more sensitive information use Okta Verify, web authentication, hardware keys, and biometric verification, increasing security and saving thousands of hours of office staff productivity a year. That means Cazoo can rest assured that access to its apps, systems, and information is provided securely, to the right people and in the right way. The impact on individual members of staff is minimal, with most workers needing to verify their identity just once per shift. But Richard says that there has been a noticeable impact on the wider team.

“The impact of moving to Okta has been huge, and people within the technology team have been particularly vocal,” he adds. “One of our engineers even told me: ‘Okta has changed my life.’ He runs onboarding sessions for new starters and would often find he spent half the session trying to get them access to the apps they needed for the training. Now, he says, it just works.” 

Working with Okta to further streamline processes 

Cazoo has already seen big changes since moving to Okta, and says it plans to continue leveraging the products and services available to the company through its work with Okta. One particular area Cazoo is keen to explore is the potential for further automation around creating distinct workforce personas, to more effectively utilise role-based access control. Automation may also help in further streamlining its user access reviews for regulatory compliance purposes.  

Richard adds: “We know we’ve made big steps towards the goals we had in mind when we began working with Okta. But, as a cloud-first company, we know that technology always has more to offer and that progress is an iterative process. We will always be making improvements and progress doesn’t just stop when we hit our next target. We always want to be at the forefront, and we know that our partnership with Okta puts us in a good place to achieve that ambition.”