Case Study: Hyatt Hotels leverages passwordless to reduce risk & elevate the guest experience

Phishing-resistant MFA eliminates authentication fatigue and ensures a seamless guest experience

Yubico and Microsoft deliver strong identity, endpoint and access controls to Hyatt’s global operations

Hyatt Hotels Corporation is one of the world’s most recognized and respected hospitality brands, with approximately 1,500 hotel and all-inclusive properties spanning 70 countries. With so many properties and employees spread across the globe, keeping them all safe from an ever-growing list of cyber risks is a daunting task, made harder by the need for every colleague to authenticate before accessing Hyatt’s tools and applications.

Art Chernobrov, Director of Identity, Access, and Endpoints, and his team of fifteen are responsible for managing the identities of all 200,000 colleagues as they move around the organization, as well as over 50,000 endpoint devices around the globe. One of the major challenges faced by hoteliers worldwide is to provision access in a way that satisfies both security and usability.

Hyatt has worked closely with Microsoft for the past decade, onboarding products such as Office 365 and Azure Active Directory (AD) Premium for identity and access management. Chernobrov worked closely with Microsoft to ensure the identity platform could meet the complex needs of Hyatt, including the need for a larger trusted location list to accommodate franchise locations and dynamic administration units to allow for decentralized administration of common tasks such as password resets.

“We are taking great strides in protecting the safety of our guests and colleagues by requiring phishing-resistant MFA methods for all applications that can expose both PII and cardholder data.”

Art Chernobrov
Hyatt Hotels Corporation
Director of Identity, Access, and Endpoints

Legacy MFA falling short on security and usability expectations

While Microsoft was ticking all the boxes for provisioning access and managing identity, Hyatt’s implementation of multi-factor authentication (MFA) was a source of user friction.

“One of the challenges we hear from general managers and owners of our hotels is the amount of sign-ins they have to do. Their frustration centers around the challenges and time it takes to log into the various applications from the guest reservation system to point-of-sale systems to guest fulfillment systems.”

At the time, Hyatt was using mobile-based MFA, with one-time passwords (OTP) sent via SMS to authenticate to apps or re-authenticate at random intervals. Because of the high volume of prompts, users became conditioned to “hit approve” on every prompt, which made mobile-based MFA an easy target for phishing and man-in-the-middle (MitM) attacks: a code or approval supplied by the user can be relayed by an attacker, and nothing in the prompt ties it to the site the user is actually on. In fact, every compromise Hyatt has ever had could be traced back to an inadvertently approved MFA request.

Modern MFA that delivers strong phishing resistance and integrates easily into a Microsoft environment

When Microsoft came to Hyatt with a solution that would address these authentication pain points, Hyatt was ready to listen. That solution? The YubiKey. The YubiKey is a hardware security key that provides strong, phishing-resistant, multi-protocol authentication to secure access to computers, networks and hundreds of online services. The YubiKey supports WebAuthn/FIDO2, FIDO U2F, one-time password (OTP), OpenPGP, and smart card (PIV) authentication, bridging legacy and modern applications and providing the passwordless authentication experience that Microsoft now recommends for all Azure AD tenants.

“Keeping our guests’ data safe is the number one priority for our organization. We want people to know that when they come and stay at Hyatt that we take great pains and strides to keep that information as safe as possible”

Hyatt is taking important strides to protect the safety of guests and colleagues by requiring phishing-resistant MFA methods for all applications that expose both PII and cardholder data. The YubiKey is also being used by call center and loyalty program colleagues, who either work in mobile-restricted environments or remotely on insecure networks, and for access to privileged access management (PAM) and enterprise resource planning (ERP) systems.

As Chernobrov notes, “There’s no amount of social engineering or MFA fatigue that will get past the fact that I can’t get into this system without a YubiKey in my hand.” The same logic is applied to vendors: Hyatt sends pre-registered keys to suppliers to provide identity assurance across the supply chain.
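The reason a security key resists the relayed-prompt and MFA-fatigue attacks described above is that a FIDO2/WebAuthn assertion is bound to the site’s origin and relying-party ID (rpId) and cannot be produced without a physical touch. The following Python model, added here as an illustration and not code from Hyatt, Yubico or Microsoft, walks through a legitimate login, an adversary-in-the-middle relay from a look-alike domain, and a silent approval attempt. It uses HMAC-SHA256 with a per-rpId key as a stand-in for the ECDSA signature a real YubiKey produces, so the relying party here holds a shared key rather than a public key; the origin and rpId checks are the real mechanism. All domains, challenges and secrets are constructed for the demo.

```python
"""Why a FIDO2/WebAuthn assertion from a security key cannot be phished.

Added example; not Hyatt's, Yubico's or Microsoft's code. HMAC-SHA256 with a
per-relying-party key stands in for the ECDSA signature a real YubiKey makes
(the RP here holds a shared key rather than a public key). All names, origins,
challenges and secrets are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import secrets

RP_ID = "hyatt.example"                       # constructed relying-party ID
RP_ORIGIN = "https://login.hyatt.example"     # constructed legitimate origin
PHISH_ORIGIN = "https://hyatt-login.example"  # constructed look-alike origin


class ToyAuthenticator:
    """Models the security key: one master secret, one derived key per rpId."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)  # never leaves the key

    def _credential_key(self, rp_id: str) -> bytes:
        # Credentials are scoped to the rpId they were created for.
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        return self._credential_key(rp_id)  # the RP stores this (simplification)

    def get_assertion(self, rp_id: str, client_data: bytes, user_present: bool) -> dict:
        if not user_present:
            raise PermissionError("touch required: the key never approves silently")
        # authenticatorData = SHA-256(rpId) || flags (UP bit) || signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._credential_key(rp_id), to_sign, hashlib.sha256).digest()
        return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": sig}


def browser_get(key, page_origin, requested_rp_id, challenge, user_present=True) -> dict:
    """Models navigator.credentials.get(): the browser refuses an rpId that is
    not the page's own host (or a registrable suffix of it) and writes the
    page's true origin into clientDataJSON; the page cannot forge either."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError(f"rpId {requested_rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}
    ).encode()
    return key.get_assertion(requested_rp_id, client_data, user_present)


def rp_verify(challenge: bytes, credential_key: bytes, assertion: dict) -> bool:
    """Relying-party checks on an assertion for RP_ID / RP_ORIGIN."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
        return False  # wrong site
    if cd.get("challenge") != challenge.hex():
        return False  # replay or stale challenge
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # wrong rpId
    if not auth_data[32] & 0x01:
        return False  # no user presence
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def run_demo() -> dict:
    key = ToyAuthenticator()
    cred = key.register(RP_ID)

    # 1. Normal login on the real site.
    challenge = os.urandom(32)
    legit = rp_verify(challenge, cred, browser_get(key, RP_ORIGIN, RP_ID, challenge))

    # 2. Adversary-in-the-middle: the phishing page relays the real challenge
    #    and asks for the real rpId. The browser refuses outright.
    challenge = os.urandom(32)
    try:
        browser_get(key, PHISH_ORIGIN, RP_ID, challenge)
        refused = False
    except ValueError:
        refused = True

    # 3. The phishing page falls back to its own rpId. The victim touches the
    #    key, but the assertion names the phishing origin and is made with a
    #    key scoped to the phishing rpId, so the real RP rejects it.
    phished = rp_verify(challenge, cred, browser_get(key, PHISH_ORIGIN, "hyatt-login.example", challenge))

    # 4. MFA fatigue has no analogue: nothing can be approved without a touch.
    try:
        browser_get(key, RP_ORIGIN, RP_ID, os.urandom(32), user_present=False)
        silent = True
    except PermissionError:
        silent = False

    return {"legit": legit, "browser_refused_real_rpid": refused,
            "phished_accepted": phished, "silent_approval": silent}


if __name__ == "__main__":
    print(run_demo())
```

The relayed challenge in step 3 is fresh and valid, which is exactly the situation in which SMS OTP or push approval would have let the attacker in; the assertion still fails because the origin and rpId are chosen by the browser and the key, not by the page the user was lured to.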

The YubiKey offers seamless, passwordless authentication and enhances the staff experience

The guest experience is the most important thing to Hyatt, but those same values—people and experience—are applied to all Hyatt colleagues. “The same way that we expect our front-of-house colleagues to treat our guests is the same way that we want to treat those colleagues,” notes Chernobrov. “So we look at the experience that we can provide to Hyatt colleagues to make their access as seamless and easy as possible.”

From the moment a colleague onboards with Hyatt, Chernobrov’s team is dedicated to making sure they have access to the applications they need and that their access moves and shifts with them if they move between properties or between office and property. With the YubiKey and Azure AD, Hyatt is now able to provide passwordless authentication to all the apps a user needs to access for their role.

Hyatt provides front-of-house colleagues with the YubiKey 5 NFC to support portable tap-and-go authentication, and provides call center colleagues and back-of-house knowledge workers with the YubiKey 5C Nano, although colleagues are given information to help them choose a form factor. With the aid of videos demonstrating the YubiKey in action, the rollout has been easy. In fact, it has been so easy that the anticipated support calls simply “never materialized.”

“Folks that aren’t really computer savvy are able to register so quickly, so painlessly, and then begin using their YubiKey so effortlessly and instantaneously—that’s an easy win for us.”

To use a YubiKey in any scenario, colleagues simply insert the key (something you have) into the device and then either touch it to prove they are physically present or enter a PIN (something you know) to authenticate to Azure AD resources. Not only is the YubiKey up to 4X faster than OTP and SMS-based authentication, Hyatt colleagues are not prompted with repeat MFA once the session has been established. Whether front-of-house or call center, this helps ensure colleagues are able to securely and quickly attend to guest needs.

“Our users have been taken aback by how seamless everything is. You touch a YubiKey to start the day and that is it. Apps launch and you don’t touch that key again until the machine is locked and restarted again. Productivity is so much better. It’s not just another thing that’s security—it’s something that is also making the end user’s life easier.”

YubiKeys help deliver more customer-centric guest experiences

For customer-facing roles at the front desk, mobile authentication was not only an insecure method of authentication, it had the potential to alter the perception of customer experience that a colleague provides.

“One of the challenges we face as a hotel platform is the visual that’s associated with using a mobile device to complete an MFA process,” notes Chernobrov. “We also believe that having Guest Services colleagues looking down at their phone to complete an MFA response or approval does not convey the message we want to someone walking past the front desk.”

A mobile phone in hand can create the impression that a Hyatt employee is engaged in personal or social media activity, which is not the image Hyatt wants to portray.

“Using a YubiKey not only provides a more seamless experience for the colleague while keeping our data safe, but also allows those colleagues to keep their cell phones stored away while performing guest-facing roles.”

As a result of the passwordless experience provided by the YubiKey, Hyatt colleagues are able to seamlessly and quickly authenticate to their work environment to fulfill the guest needs, supporting greater eye contact with the guest and a more seamless guest experience. “The experience we’re trying to create for a guest as they check into the hotel is that there’s nothing that’s interrupting that guest and user interaction,” shares Chernobrov.

The future at Hyatt is passwordless

The ultimate goal for Hyatt is to be completely passwordless across the entire organization—no small feat when speaking of 200,000 colleagues across approximately 1,500 global locations. To get there, Hyatt is continuing to onboard YubiKeys as a part of every new no-touch hardware deployment and alongside new application rollouts or upgrades. That will mean deployments of 5,000 or 10,000 YubiKeys at a time as these rollouts occur.

As Hyatt moves through its application stack, requiring the YubiKey for every application it brings under Azure AD single sign-on (SSO), the inevitable result will be complete coverage. “Before you know it, we’re going to blink and we’ll be fully onboarded and we’re not going to have that initial surge of how do we deploy up to 200,000 people?”
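The requirement stated earlier, phishing-resistant MFA for every application that exposes PII or cardholder data, and the per-application rollout described here both come down to Conditional Access policies in Azure AD (now Microsoft Entra ID). A practitioner will want to verify coverage rather than assume it. The script below, added here as an illustration and not Hyatt’s or Microsoft’s code, audits an exported list of Conditional Access policies and reports which sensitive apps are still reachable with a weaker MFA method. It assumes the Microsoft Graph conditionalAccessPolicy shape (state, conditions.applications, conditions.users, grantControls.authenticationStrength) and the built-in authentication strength ID for “Phishing-resistant MFA”; the app IDs and the policy export are constructed for the demo.

```python
"""Audit exported Entra ID (Azure AD) Conditional Access policies for
phishing-resistant MFA coverage of apps that expose PII or cardholder data.

Added example; not Hyatt's or Microsoft's code. Assumes the Microsoft Graph
conditionalAccessPolicy shape and the built-in authentication-strength ID for
"Phishing-resistant MFA". The app IDs and the policy export are constructed.
"""
import json

# Built-in authentication strength ID in Microsoft Entra ID.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

# Constructed app IDs standing in for the systems named in the case study.
SENSITIVE_APPS = {
    "aaaaaaaa-0000-4000-8000-000000000001": "guest-reservations",
    "aaaaaaaa-0000-4000-8000-000000000002": "point-of-sale",
    "aaaaaaaa-0000-4000-8000-000000000003": "erp",
}

# Constructed export in the shape of GET /identity/conditionalAccess/policies.
SAMPLE_EXPORT = [
    {
        "displayName": "Require phishing-resistant MFA: reservations and POS",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": list(SENSITIVE_APPS)[:2], "excludeApplications": []},
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA, "displayName": "Phishing-resistant MFA"},
        },
    },
    {
        # Any registered method, including SMS OTP, satisfies "mfa": not phishing-resistant.
        "displayName": "Legacy MFA: ERP",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": [list(SENSITIVE_APPS)[2]], "excludeApplications": []},
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None},
    },
    {
        # Report-only mode is not enforcement.
        "displayName": "Phishing-resistant MFA: all apps (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA, "displayName": "Phishing-resistant MFA"},
        },
    },
]


def load_export(path: str) -> list:
    """Load a saved Graph response; accepts the raw {"value": [...]} envelope or a bare list."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return data.get("value", data) if isinstance(data, dict) else data


def requires_phishing_resistant(policy: dict) -> bool:
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    return strength.get("id") == PHISHING_RESISTANT_MFA


def targets_app(policy: dict, app_id: str) -> bool:
    apps = policy["conditions"]["applications"]
    included = apps.get("includeApplications") or []
    excluded = apps.get("excludeApplications") or []
    return ("All" in included or app_id in included) and app_id not in excluded


def targets_all_users(policy: dict) -> bool:
    # Excluding break-glass accounts is normal; an include scope narrower than
    # "All" is what leaves some colleagues on legacy MFA.
    return "All" in (policy["conditions"]["users"].get("includeUsers") or [])


def enforcing_policies(policies: list, app_id: str) -> list:
    """Names of enabled policies that force phishing-resistant MFA on app_id for all users."""
    return [
        p["displayName"] for p in policies
        if p.get("state") == "enabled"
        and targets_app(p, app_id)
        and targets_all_users(p)
        and requires_phishing_resistant(p)
    ]


def audit(policies: list, apps: dict) -> dict:
    return {name: enforcing_policies(policies, app_id) for app_id, name in apps.items()}


def gaps(policies: list, apps: dict) -> list:
    """Apps with no enforcing policy, i.e. still reachable with SMS OTP or push approval."""
    return sorted(name for name, hits in audit(policies, apps).items() if not hits)


if __name__ == "__main__":
    for app, hits in audit(SAMPLE_EXPORT, SENSITIVE_APPS).items():
        print(f"{app:20s} {'OK ' if hits else 'GAP'} {', '.join(hits)}")
```

A real export can be pulled with `Get-MgIdentityConditionalAccessPolicy` from the Microsoft.Graph PowerShell module, or directly from `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`, and passed through `load_export`. In the constructed sample the ERP policy grants on the generic `mfa` control, which SMS OTP satisfies, and the all-apps policy is report-only, so the audit reports ERP as a gap.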

While there is a financial commitment to a fully passwordless experience, the flip side is the value the rollout has demonstrated at the C-level. “They know that they’re making Hyatt a safer place to visit as a guest, a safer place to work as a colleague, without creating that end user friction they’re always afraid of,” notes Chernobrov. “It’s an investment that is paying off.”