EXPEDIA GROUP TECHNOLOGY — INNOVATION

Creating One Identity: Building The Framework For One Key

How the Expedia Group Identity Team created the One Identity System through passwordless authentication and account consolidation

Manish Gupta
Expedia Group Technology


A family poses in front of Arch of Titus
Photo by Mika Baumeister on Unsplash

The recent successful launch of One Key™️ across Expedia, Hotels and Vrbo was a celebrated event. This was a large effort involving hundreds of people working together, driven by the same mission to power global travel for everyone, everywhere. But let’s rewind the clock to the inception of this program and the immediate realization by the Expedia Group™️ Identity Team that this effort would involve a huge data reconciliation and synchronization challenge for almost half a billion traveler accounts. Rather than being intimidated by the challenge, the Identity Team seized the opportunity and, along with solving the challenge, achieved a 92% reduction in password-based authentication.

Data consolidation and data synchronization

There are several established options for creating a unified identity solution across different brands:

  1. Establishing Federated Login across different brands/domains.
  2. Enhancing the authentication solution to be aware of multiple user repositories.
  3. Merging existing user repositories into one new repository while maintaining forward and reverse synchronization during the transition period.

After much deliberation, the last option of merging existing repositories into one new repository was selected. This met our business and technical goals and provided a path to make legacy solutions obsolete.

Data synchronization between Expedia, Hotels.com, Vrbo and the new One Identity system

Identity orchestration

Our second challenge revolved around several travelers who had accounts across multiple brands. Consequently, they might have used different passwords and usernames. To address this issue during an account merge, we needed to ensure that travelers select a single, unified password going forward. Historically, we encountered another problem with travelers who forgot they already had an account. Instead of attempting to log in directly, they would try to sign up again. Upon receiving an “account already exists” message, they would then attempt to recall their password. This led to several failed login attempts, and some travelers giving up in frustration.

Our team devised a brilliant solution to tackle this problem. We implemented a process that always prompts the user for their email address, regardless of whether they were trying to log in or create a new account. Subsequently, an email containing a One-Time PIN (OTP) was sent to their email address. The travelers had to enter this OTP to verify their possession of the email. With this verification in place, we seamlessly guided the travelers to the appropriate next step in the process. This solution streamlined the user experience and significantly reduced account-related issues.

The traveler path we created was as follows:

  • Existing account with no special conditions: login successful and traveler redirected to original destination.
  • Existing account with flag to obtain new go-forward password: traveler redirected to enter password screen and then to the original destination.
  • No existing account: traveler redirected to enter password screen and then to original destination.
  • Traveler with existing account that has forgotten the password: login with OTP successful and then traveler redirected to enter password screen.

By combining the building blocks of the “enter email”, “enter OTP”, and “enter password” functions with an intelligent Identity Orchestration layer, we were able to handle all typical Customer IAM scenarios: account creation, login, and forgotten password. Travelers loved the simplicity offered through three familiar widgets, and since the orchestration always guided the traveler toward the path with the fewest turns, it ensured a smooth ride. The success rate for authentication and account signup went through the roof.
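The four traveler paths above can be written as one routing function that runs after email ownership is proven. This is an added example, not Expedia's code; the PIN lifetime, attempt limit, screen names and the `forgot_password` intent flag are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

OTP_TTL_SECONDS = 600   # assumed PIN lifetime
MAX_ATTEMPTS = 5        # assumed guess limit per PIN

@dataclass
class Account:
    needs_new_password: bool = False  # the "go-forward password" flag

@dataclass
class Challenge:
    mac: bytes
    expires_at: float
    attempts: int = 0

class Orchestrator:
    def __init__(self, accounts, now=time.time):
        self.accounts, self.now = accounts, now   # accounts: email -> Account
        self.challenges = {}                      # email -> Challenge
        self.key = secrets.token_bytes(32)        # server-side MAC key

    def _mac(self, email, pin):
        return hmac.new(self.key, f"{email}:{pin}".encode(), hashlib.sha256).digest()

    def start(self, email):
        """'Enter email': issue a PIN whether or not an account exists."""
        email = email.strip().lower()
        pin = f"{secrets.randbelow(10**6):06d}"
        self.challenges[email] = Challenge(self._mac(email, pin),
                                           self.now() + OTP_TTL_SECONDS)
        return pin  # a real service emails this; returned so the example runs offline

    def verify(self, email, pin, forgot_password=False):
        """'Enter OTP': return the remaining screens for this traveler."""
        email = email.strip().lower()
        ch = self.challenges.get(email)
        if ch is None or self.now() > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
            self.challenges.pop(email, None)
            return ["enter_email"]                # expired, exhausted or unknown: restart
        ch.attempts += 1
        if not hmac.compare_digest(ch.mac, self._mac(email, pin)):
            return ["enter_otp"]                  # wrong PIN: retry until the limit
        del self.challenges[email]                # a PIN is single use
        account = self.accounts.get(email)
        if account is None or account.needs_new_password:
            return ["enter_password", "destination"]
        if forgot_password:
            return ["enter_password"]
        return ["destination"]
```

Because `start` behaves identically for known and unknown addresses, the first screen does not reveal whether an account exists; the branch happens only after the PIN is verified.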

Sign In flow and enter email screen
Sign in flow enter One Time PIN screen
Sign Up flow enter password screen

Data quality

Let’s also consider the significant improvement in the quality of data collection that this approach offered. We are all familiar with the huge “bot” problems faced by any public website. Email verification is considered a step that would slow down the traveler and lead to dropout, but without email verification and email ownership validation, your application becomes vulnerable to collecting junk accounts that have very little business value. Through our new simple flows, we always confirm email ownership by asking for the OTP sent by email, and our data quality significantly improved.

Success in numbers

Based on learnings from similar efforts in the past, we focused on monitoring and analyzing the data from this release at every step. This helped us follow a test-and-learn model: deploy changes iteratively, monitor and learn from the results, and progressively build toward a final solution. Gradually incrementing the functionality and traffic offered enough runway to fine-tune capacity and performance along the way, and as a side benefit, we now have detailed numbers to share that succinctly quantify the success of the overall effort.

  • Login success improved by 19%: due to forgotten passwords, travelers had a low success rate with traditional user ID and password-based authentication. With the introduction of email OTP authentication, the successful completion of the login journey improved.
  • Traveler sign-up success improved by 30%: with earlier flows, travelers quit due to “an account already exists” scenario or from not being able to recall which social service was used during signup.
  • Reduction in password-based logins by 92%: the introduction of a simpler email OTP flow resulted in a 92% reduction in the use of a password-based authentication option.

This is a tremendous achievement and while we paused briefly to relish and celebrate, just like any busy Identity Team, we are already back to working on new improvements.
