WaFd Unites 200K Customer IDs and Prevents Attack with PingOne on AWS

WaFd Bank, established 105 years ago, uses data to create frictionless, digital experiences. When customers had login issues with the bank’s multiple vendor portals, WaFd overhauled its approach to identity management. The bank sought a new identity solution that was cloud-based, extensible, and ran on AWS. Partnering with Ping Identity, WaFd deployed PingOne. WaFd has unified roughly 200,000 customer IDs to date and onboarded three-quarters of its vendors. In 2022, the system held strong against a massive cyberattack that lasted three weeks yet resulted in zero identities compromised.

WaFd works with roughly 25 vendors to offer services such as commercial banking, mortgages, and online banking. Each vendor has a login page that asks customers to sign in, then directs them to the vendor’s platform. However, a single WaFd customer could potentially have multiple login credentials, depending on their banking needs. This was an issue when customers called to reset their passwords. It also inhibited WaFd from understanding which interactions went with which customers. When WaFd created its roadmap for modernization, it zeroed in on identity management and planned to create one, centralized system with unique customer identifiers that would unite all customer interactions—no matter how they logged in.

Pike Street Labs (now known as Archway Software), a former subsidiary of WaFd dedicated to innovation and modernizing the bank, set out to find the right identity management solution. The team had four criteria: It had to run on Amazon Web Services (AWS) because Pike Street Labs had a small team that didn’t want to support infrastructure. It needed to be built with a customer’s login experience in mind. It had to be extensible. And finally, the data needed to feed into an AWS data lake. WaFd went with PingOne from AWS Partner Ping Identity because the solution would simplify the customer experience and provide valuable data for WaFd to enhance its services. “Ping Identity not only offered the most innovative solution, but because PingOne was on AWS, we knew it would help WaFd further our goals of becoming a digital-first bank,” said Brent Beardall, chief executive officer at WaFd.

PingOne delivered much more than an identity solution—it became the center of the bank’s entire digital nervous system. PingOne communicates with vendors’ platforms via an API layer and enables single sign-on (SSO) for WaFd customers, regardless of whether they’re connecting via Plaid or a chatbot powered by Amazon Lex. “Since working with PingOne on AWS, WaFd’s Net Promoter Score has more than doubled,” said Dustin Hubbard, president of Archway Software. “We’ve reduced friction for customers, and the number of customers struggling to remember what username and password went to which login portal has dropped dramatically.”

Now that each customer’s identity is unified across various vendor portals, WaFd can trace customer interactions. Events such as logging in or phoning the call center are logged in a data lake and tagged to the customer’s unique decryptor key. On the frontend, WaFd employees have a dashboard to visualize each customer’s interactions. “The PingOne system that feeds into the AWS data lake gives WaFd a much more holistic view about how customers interact with the bank,” Hubbard said. The system was so successful that WaFd funded Pike Street Labs to become its own spin off as a digital banking venture. Other banks now will be able to benefit from WaFd’s significant investments in innovation by licensing the same Archway Software platform.

As WaFd searched for the right identity solution, finding one that ran on AWS infrastructure was key. Pike Street Labs was already using other AWS services to modernize different aspects of the bank, so the team wanted consistency with everything hosted on AWS. “AWS is the cloud platform of choice,” Hubbard said. “With PingOne on AWS it makes a lot of the interactions between systems easier because they’re all using the same cloud infrastructure.” For Ping Identity, building on AWS helps meet customers where they are. “With AWS, we have a trusted partner who can meet the scalability, resiliency, and reliability that is paramount to our customers,” said Matt Bates, director of technology alliances at Ping Identity.

While streamlining identity management was one facet, protecting customers’ identities was another capability that PingOne brought to the table. The system was put to the test on February 24, 2022. That day, the number of login attempts soared to four million per hour, compared to the usual few thousand a day. A highly sophisticated attack was underway. Working with Ping Identity, WaFd worked around the clock for three weeks to counter illegal entry attempts. “With Ping Identity detecting the attack, plus having an AWS-based system that we could scale horizontally almost infinitely, our customers were protected, and we had the AWS instances to handle the traffic,” Hubbard said. In the end, not a single identity was stolen, and customer operations continued as usual, uninterrupted and undeterred. For a bank that prides itself on customer service, it was a moment of great accomplishment.