From check in to takeoff: Cebu Pacific secures global user accounts with improved IAM

5.4M

monthly active users on the platform with Okta Customer Identity solutions

24.9k+

threats blocked by Okta ThreatInsight in three months

4X

faster identity feature development (1 month to 1 week)

35%

of monthly active users leverage Social Login

“Before Okta, we didn’t have an easy way to discover unauthorized access issues. Our only layer of protection was the web application firewall. Now, with Okta, we’ve not only been able to simplify Identity management but also prevent unauthorized access.”

Glenn Amper, Director of Information Security, Cebu Pacific

Since its first flight in March 1996, Cebu Pacific has come a long way. It offers flights to more than 60 destinations across the globe, and pioneered the “low fare, great value” strategy adopted by other regional airlines. As the company continued to grow, it saw opportunities to improve its security and customer experience, starting with its Identity strategy.

Without a clear Identity inventory or secure logins, Cebu Pacific struggled to accurately understand who its customers were and where they were coming from, and, ultimately, differentiate legitimate logins from potential security threats.

“We wanted to improve Identity management, so we could better understand which users were logging into our applications and protect them along their journeys,” says Glenn Amper, Director of Information Security at Cebu Pacific. “Our passenger reservation system stored account information, but it wasn’t a dedicated Identity tool, so it lacked key functionality and wasn’t able to support our security initiatives.”

This lack of a Customer Identity and Access Management (CIAM) solution meant only a guest’s last name and booking number were required to manage a flight or make changes. This absence of credential security left the airline and its customers vulnerable to cyber attacks and exposed them to risks such as potential inventory hijacking, corporate sabotage, and stolen voucher fraud. In need of an Identity solution that would secure access to applications and customer accounts while also improving the customer experience, the airline decided to implement Okta, starting with the Customer Identity Solution (CIS).

Improving platform user experience with Okta Customer Identity Solutions

Cebu Pacific attempted to develop new login and registration in-house, but these efforts only created more friction. “We realised that we didn’t need to reinvent the wheel, and with the support of Kollab, we leaned into our partnership with Okta and implemented its out-of-the-box features,” says Amper.

This included taking Cebu-branded login screens from pre-production planning to live use in less than eight months. It also included reducing login friction and confusing error messages with Okta’s Universal Login widget, which gives guests a single username and password for their account so they don’t have to juggle multiple credentials. The team was able to carry out these enhancements quickly due to Okta’s flexible configuration options.

To ensure that the registration process is as smooth as possible for customers, Cebu Pacific uses Progressive Profiling. The airline asks customers for limited personal information on initial registration to reduce friction and allow them to find their flights more quickly. The airline gathers more customer information incrementally during subsequent logins, providing a smooth customer experience while still enabling future personalisation.

To make the login process even easier, Cebu Pacific implemented Passwordless Authentication and Social Login. With Social Login, users can log in using their social media accounts of choice to securely access the Cebu Pacific website for flight booking and management. In the first three-month period after deployment, more than 1 million of the airline’s new customer accounts were created through Social Login, and today nearly 35% of accounts leverage social media credentials. Overall, the improvements to the login experience have empowered anonymous guest users to quickly and easily access Cebu Pacific's services, with 1.5 million signing up in the first three-month period. And these users keep coming back; the platform’s monthly active user (MAU) count has grown from 93k to 5.4 million.

“When we met with Cebu Pacific, we wanted to help meet their scalability challenge, especially during critical peak times like Piso Sale and other events,” says Mervin Tan, Chief Technology Officer at Kollab. “As a cloud platform designed to handle millions of users, Okta and DynamicScale were the right fit to help Cebu Pacific adapt to their growing user needs.”

Cebu Pacific continues to leverage its partnerships with Kollab and Okta to support this rapid customer growth. “Kollab has been really helpful, and we continue to work closely with them and the Okta team. Whenever we need a quick consultation, Kollab and Okta are always available to support,” says Amper.

Boosting overall platform security with trusted Identity solutions

In addition to improving its user experience, the airline has also elevated its platform security. This has been crucial, particularly in recent years, as the airline’s customer base has expanded. “As we’ve grown, we’ve seen more bad actors trying to abuse our system,” says Amper. “Attackers would reserve entire flights, preventing legitimate customers from purchasing, and then abandon their carts, which meant guests that really needed tickets would purchase from a competitor.”

Fraudsters would also abuse Cebu’s systems to steal flight vouchers from trip cancellations. By implementing features such as multi-factor authentication (MFA) alongside new login options — such as Social Login — Cebu Pacific is able to more effectively verify users and significantly reduce overall fraud.

During registration, users are asked to verify the email address connected to their account via MFA to ensure each new account is connected to a unique login. This Identity verification process helps protect the organisation against multi-account abuse and fraud by tying account details to a specific email address to prevent cybercriminals from creating bogus accounts.  

The airline can also understand who is buying which tickets and take informed action against fraudsters and people abusing the system. “Before Okta, we didn’t have an easy way of knowing about unauthorised access issues. Our only layer of protection was the web application firewall. Now, we’ve not only been able to prevent unauthorised access but also simplify Identity management and understand who our legitimate customers are,” Amper adds. 

Beyond that, with Okta CIS, the airline has been able to roll out new security features faster. “It used to take the DevOps team about a month to roll out a new Identity feature if we built them from scratch. However, with Okta, many features we need can be delivered within a week as we simply select them out-of-the-box and implement,” explains Jackqueline Gabito, IT Security Specialist Manager at Cebu Pacific.

Partnering to offer a more secure, personalised customer journey in the future

As a result of Okta CIS’s improved Identity data management, Cebu Pacific is able to compile critical data to create a 360-degree view of every customer. As it collects clearer customer information — such as details about where, when, and why a user booked a flight — the airline can better tailor communications and promotions to users and regions in the future. This improved customer visibility is an invaluable piece of Cebu Pacific’s ongoing innovation strategy supported by Okta Identity Engine (OIE).

OIE gives the airline access to critical new Identity tools it can easily implement as part of its upcoming roadmap, such as Passkeys. These allow guests to secure their login experience with cryptographic keys stored on their device, which better protects the authentication experience and reduces the risk of attacks like phishing and hacking as the company continues to grow.

Moving forward, Cebu Pacific will continue to trust Okta to manage Identity, so it can focus on new features. For example, the airline can make updates to its ‘Travel Fund’ customer rewards program. “We’ll continue looking into more of Okta’s security capabilities to elevate user actions such as profile modification. I believe, with a partner like Okta, we’re well on our way to building a better airline experience for all,” says Amper. 

About Cebu Pacific

Cebu Pacific (CEB) was launched in March 1996 and is a leading airline in the Philippines, operating flights to over 60 domestic and international destinations across 14 countries, including Australia, China, Japan, Singapore, and the United Arab Emirates. CEB pioneered the “low fare, great value” strategy and has flown over 200 passengers to date. It is among the first airlines in Asia to invest in an integrated facility and technology for social intelligence and customer engagement with its 24/7 Customer Command Center.