Hyatt Hotels Leverages Passwordless To Reduce Risk & Elevate the Guest Experience
Yubico and Microsoft deliver strong identity, endpoint and access controls to Hyatt’s global operations
Hyatt Hotels Corporation is one of the world’s most well-recognized and respected hospitality brands, with approximately 1,500 hotel and all-inclusive properties spanning 70 countries. With so many properties and employees spread across the globe, keeping them all safe from an ever-growing list of cyber risks is a daunting task, not to mention the need for each colleague to authenticate before accessing Hyatt’s tools and applications.
Art Chernobrov, Director of Identity, Access, and Endpoints, and his team of fifteen are responsible for managing the identities of all 200,000 colleagues as they move around the organization, as well as over 50,000 endpoint devices around the globe. One of the major challenges faced by hoteliers worldwide is to provision access in a way that satisfies both security and usability.
Hyatt has worked closely with Microsoft for the past decade, onboarding products such as Office 365 and Entra ID P1. Chernobrov worked closely with Microsoft to ensure the identity platform could meet the complex needs of Hyatt, including the need for a larger trusted location list to accommodate franchise locations and dynamic administration units to allow for decentralized administration of common tasks such as password resets.
“We are taking great strides in protecting the safety of our guests and colleagues by requiring phishing-resistant MFA methods for all applications that can expose both PII and cardholder data.” - Art Chernobrov, Hyatt Hotels Corporation, Director of Identity, Access, and Endpoints
Legacy MFA falling short on security and usability expectations
While Microsoft was ticking all the boxes for provisioning access and managing identity, Hyatt’s implementation of multi-factor authentication (MFA) was a source of user friction.
“One of the challenges we hear from general managers and owners of our hotels is the amount of sign-ins they have to do. Their frustration centers around the challenges and time it takes to log into the various applications from the guest reservation system to point-of-sale systems to guest fulfillment systems.” - Art Chernobrov, Hyatt Hotels Corporation, Director of Identity, Access, and Endpoints
At the time, Hyatt was using mobile-based MFA, with one-time passwords (OTP) sent via SMS messages to authenticate to apps or re-authenticate at random intervals. Due to the high volume of prompts, users became conditioned to “hit approve” for every prompt, making mobile-based MFA an easy target for phishing and man-in-the-middle (MitM) attacks. In fact, every compromise that Hyatt has ever had could be traced back to an inadvertently approved MFA request.
Modern MFA that delivers strong phishing resistance and integrates easily into a Microsoft environment
When Microsoft came to Hyatt with a solution that would address these authentication pain points, Hyatt was ready to listen. That solution? The YubiKey.
The YubiKey is a hardware security key designed to provide strong, phishing-resistant, multi-protocol authentication to secure access to computers, networks and hundreds of online services. The YubiKey supports WebAuthn/FIDO2, FIDO U2F, one-time password (OTP), OpenPGP 3, and smart card authentication, bridging legacy and modern applications and providing the passwordless authentication experience that is now the recommendation for all Microsoft Entra ID clients.
“Keeping our guests’ data safe is the number one priority for our organization. We want people to know that when they come and stay at Hyatt that we take great pains and strides to keep that information as safe as possible.” - Art Chernobrov, Hyatt Hotels Corporation, Director of Identity, Access, and Endpoints
Hyatt is taking important strides to protect the safety of guests and colleagues by requiring phishing-resistant MFA methods for all applications that expose both PII and cardholder data. The YubiKey is also being used by call center and loyalty program colleagues, who either work in mobile-restricted environments or remotely on insecure networks, and for access to privileged access management (PAM) and enterprise resource planning (ERP) systems.
As Chernobrov notes, “There’s no amount of social engineering or MFA fatigue that will get past the fact that I can’t get into this system without a YubiKey in my hand.” This same logic is applied to the supply chain, with pre-registered keys sent out to vendors to provide identity assurance across the supply chain.
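As an added illustration of how the requirement described above can be expressed in Microsoft Entra ID (this is example code, not Hyatt’s or Yubico’s configuration): a Conditional Access policy, created with the Microsoft Graph PowerShell SDK, that demands the built-in “Phishing-resistant MFA” authentication strength for a set of applications. The application IDs and the break-glass account ID are placeholders; the policy starts in report-only mode so that colleagues who have not yet registered a security key can be found in the sign-in logs before enforcement.

```powershell
# Added example (not Hyatt's or Yubico's own configuration).
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder enterprise application IDs: substitute the IDs of the apps in your
# tenant that expose PII or cardholder data (reservation, point-of-sale, etc.).
$sensitiveApps = @(
    "00000000-0000-0000-0000-00000000aaaa",   # placeholder: guest reservation system
    "00000000-0000-0000-0000-00000000bbbb"    # placeholder: point-of-sale system
)

# Placeholder object ID of an emergency-access (break-glass) account, excluded so
# a lost or unregistered key cannot lock administrators out of the tenant.
$breakGlassAccount = "00000000-0000-0000-0000-00000000cccc"

# Resolve the built-in phishing-resistant strength by display name instead of
# hard-coding its ID (documented as 00000000-0000-0000-0000-000000000004).
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found" }

$params = @{
    DisplayName   = "Require phishing-resistant MFA for PII and cardholder apps"
    # Report-only first: review the sign-in log's report-only results for users
    # who would fail (no FIDO2 key registered yet), then switch to "enabled".
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users          = @{
            IncludeUsers = @("All")
            ExcludeUsers = @($breakGlassAccount)
        }
        Applications   = @{ IncludeApplications = $sensitiveApps }
        ClientAppTypes = @("all")
    }
    GrantControls = @{
        Operator               = "OR"
        AuthenticationStrength = @{ Id = $strength.Id }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Output "Created policy $($policy.Id) in state $($policy.State)"
```

Because the strength is evaluated per sign-in, an SMS OTP or push approval no longer satisfies the grant control for these apps, which is the property that removes the MFA-fatigue path the case study describes.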
The YubiKey offers seamless, passwordless authentication and enhances the staff experience
The guest experience is the most important thing to Hyatt, but those same values—people and experience—are applied to all Hyatt colleagues. “The same way that we expect our front-of-house colleagues to treat our guests is the same way that we want to treat those colleagues,” notes Chernobrov. “So we look at the experience that we can provide to Hyatt colleagues to make their access as seamless and easy as possible.”
From the moment a colleague onboards with Hyatt, Chernobrov’s team is dedicated to making sure they have access to the applications they need and that their access moves and shifts with them if they move between properties or between office and property. With the YubiKey and Microsoft Entra ID, Hyatt is now able to provide passwordless authentication to all the apps a user needs to access for their role.
Hyatt provides front-of-house colleagues with the YubiKey 5 NFC to support portable tap-and-go authentication, and provides call center colleagues and back-of-house knowledge workers with the 5C Nano, although users are given information to support their choice of form factor. With the aid of videos demonstrating the YubiKey in action, the rollout has been easy. In fact, the rollout has been so easy that the anticipated support calls simply “never materialized.”
“Folks that aren’t really computer savvy are able to register so quickly, so painlessly, and then begin using their YubiKey so effortlessly and instantaneously – that’s an easy win for us.”
- Art Chernobrov, Hyatt Hotels Corporation, Director of Identity, Access, and Endpoints
To use a YubiKey in any scenario, colleagues simply insert the key (something you have) into the device and either tap or enter a PIN (something you are or know) to authenticate to Microsoft Entra ID resources. Not only is the YubiKey up to 4X faster than OTP and SMS-based authentication, Hyatt colleagues are also not prompted with repeat MFA once the session has been established. Whether front-of-house or call center, this helps ensure colleagues are able to securely and quickly attend to guest needs.
“Our users have been taken aback by how seamless everything is. You touch a YubiKey to start the day and that is it. Apps launch and you don’t touch that key again until the machine is locked and restarted again. Productivity is so much better. It’s not just another thing that’s security – it’s something that is also making the end user’s life easier.” - Art Chernobrov, Hyatt Hotels Corporation, Director of Identity, Access, and Endpoints
YubiKeys help deliver more customer-centric guest experiences
For customer-facing roles at the front desk, mobile authentication was not only an insecure method of authentication; it also had the potential to alter the guest’s perception of the service a colleague provides.
“One of the challenges we face as a hotel platform is the visual that’s associated with using a mobile device to complete an MFA process,” notes Chernobrov. “We also believe that having Guest Services colleagues looking down at their phone to complete an MFA response or approval does not convey the message we want to someone walking past the front desk.”
Having a mobile phone in hand sends a negative perception that a Hyatt employee is engaged in personal or social media activities, which was not the image that Hyatt wanted to portray.
“Using a YubiKey not only provides a more seamless experience for the colleague while keeping our data safe, but also allows those colleagues to keep their cellphones stored away while performing guest-facing roles.” - Art Chernobrov, Hyatt Hotels Corporation, Director of Identity, Access, and Endpoints
As a result of the passwordless experience provided by the YubiKey, Hyatt colleagues are able to seamlessly and quickly authenticate to their work environment to fulfill guest needs, supporting greater eye contact with the guest and a more seamless guest experience. “The experience we’re trying to create for a guest as they check into the hotel is that there’s nothing that’s interrupting that guest and user interaction,” shares Chernobrov.
The future at Hyatt is passwordless
The ultimate goal for Hyatt is to be completely passwordless across the entire organization—no small feat when speaking of 200,000+ colleagues across approximately 1,500 global locations. To get there, Hyatt is continuing to onboard YubiKeys as a part of every new no-touch hardware deployment and alongside new application rollouts or upgrades. That will mean deployments of 5,000 or 10,000 YubiKeys at a time as these rollouts occur.
As Hyatt moves through its application stack, requiring the YubiKey for every new application that it has single sign-on (SSO) for under Microsoft Entra ID, the inevitable result will be complete coverage. “Before you know it, we’re going to blink and we’ll be fully onboarded and we’re not going to have that initial surge of how do we deploy up to 200,000 people?”
While there is a financial commitment to a fully passwordless experience, the flip side is the value the rollout has demonstrated at the C-Level. “They know that they’re making Hyatt a safer place to visit as a guest, a safer place to work as a colleague, without creating that end user friction they’re always afraid of,” notes Chernobrov. “It’s an investment that is paying off.”
“The biggest benefit that Hyatt is going to receive from deploying YubiKeys is to be able to get rid of passwords in our environment. You can’t compromise what you don’t have. I think we’re going to have a great big party once we turn that button off and there’s no more passwords anywhere in the environment.” - Art Chernobrov, Hyatt Hotels Corporation, Director of Identity, Access, and Endpoints