As one of the administrators of the Ping Identity platform at eBay, I am thrilled to share our story with the community at the upcoming IDENTIFY conference in San Francisco. I hope that our experience and plans for the future can help guide others toward more secure and improved user experiences for their own employees, partners and customers. Before diving into a preview [join me at IDENTIFY for the whole story!] of our plans for “MFA Everywhere,” I thought it could be helpful to share some of our history with Ping.
eBay’s relationship with Ping Identity began in 2011 and has been on the upswing ever since. For close to a decade, Ping has been helping us improve productivity and reduce integration efforts by connecting our workforce and partner users to a diverse set of internally developed (homegrown) and commercial applications. And as cloud deployment and SaaS options have matured, we’ve been able to leverage our investments to continue to offer seamless access no matter where resources are deployed and hosted.
Balancing Security and Convenience at eBay
Security is always top of mind at eBay. We are diligent about implementing identity and security solutions according to best practices, and we’ve taken advantage of the broad open standards support within the Ping platform. But as security can often come with a productivity cost, we’ve been careful not to become too heavy-handed in our efforts to protect our variety of resources and user populations. That is why the new wave of modern, user-friendly MFA methods that take advantage of contextual factors and broad smartphone adoption was appealing when we first began reviewing these solutions in 2015. And as you can probably guess, by the end of 2015 we were sold on the value proposition of Ping Identity’s MFA solution, PingID.
In order to achieve quick wins for security, we began by offering these new methods to user populations who would immediately see the value. Of course, I’m referring to those already burdened with secure, but less-than-optimal user experiences from our legacy MFA providers. Historically, these users were asked to use a hard token with a rotating PIN when they needed to access resources from outside the office. Most commonly this access took place via SSH applications or through a VPN. The resulting productivity impacts of increased security in this case were not small. For example:
Lockouts due to a single possession factor as the only MFA option were common
Forgotten PINs, tokens and passcodes increased the burden on our helpdesk
Significant labor costs were required to maintain, patch and upgrade business-critical MFA infrastructure
Collectively, these amounted to a solid business case for modernizing MFA at eBay. And an assortment of stakeholders were quite pleased with the change! Business leaders were delighted to hear that their end users would experience fewer interruptions and be able to use a possession factor they were almost certain to have: their phone. IT budget owners were happy to turn long-standing capital expenditures into an operational expense. Help desk staff were pleased with the reduced call and case volume. And the identity and security teams were excited about the prospect of deploying MFA to new use cases given the minimized impact of doing so.
Broadening MFA Deployment, and Plans for the Future
With adaptive policies and a range of convenient authentication methods available, we’ve rolled out MFA to the majority of our resources and 14,100 or so workforce employees. To ease the adoption burden, we’ve developed a custom enrollment process that leverages the PingID APIs to give users a 100% eBay experience. And by enabling business units to select from a range of convenient authentication methods, including YubiKeys and in some cases legacy hardware tokens, we’ve been able to achieve buy-in across the organization.
We’re looking forward to digging deeper into new use cases and supporting more authentication methods to further balance security and convenience, especially as we consider offering MFA to our partner and customer user populations. And as FIDO and other protocols and specifications begin to reach maturity, we’ll be evaluating those as well.
Want to learn more?
To learn more about our plans to deploy MFA Everywhere, stop by my session at IDENTIFY San Francisco: MFA Everywhere: Why Where and How to Extend Multi-factor Authentication. I’ll be on stage presenting with Ping Identity’s Senior Product Manager of PingID, Dana Weinbaum, who will be sharing the top reasons to deploy MFA everywhere and requirements you should consider for this type of deployment.