How cosmetics retailer Lush made over its approach to authentication

Evolving approaches to IT at cosmetics retailer Lush meant the organisation’s previous approach to authentication was no longer up to scratch. Find out how it overcame this hurdle

This article can also be found in the Premium Editorial Download: Computer Weekly: How cosmetics retailer Lush authenticates with ease

When an influx of work with third-party tech suppliers raised concerns over its ability to adequately safeguard customers’ data, cosmetics retailer Lush sought out a new login and authentication partner in the shape of Okta-run Auth0’s Identity Platform, and is now reaping benefits across its business.

Lush pioneered a new approach to cosmetics retail in the 1990s, making a virtue of producing and packing its own ethically sourced, environmentally sustainable products, and setting out its stores with attractive and colourful greengrocer-style displays of soaps, its signature bath bombs, and other products that can often be smelled from down the street.

But what is less known is that behind the scenes, this core ethical approach to doing business pervades the whole family-run organisation, as Simon Ince, Lush’s creative technology and innovation lead, explains.

“Lush is a family-run business and there’s this family mentality – everybody pitches in with a bit of everything and you just kind of do what’s needed,” he says.

“As the business grew, we tended to do things in slightly different ways. We wanted to have full visibility into the way everything’s done, because obviously, with the ethical backbone, we want to know where everything’s coming from and how it’s done.”

Over the past 26 years, this has led Lush to develop an internal culture of self-reliance where everything that can feasibly be done in-house is done in-house, from product development and testing, even down to researching new varieties of plastics for packaging, things that other retailers would almost certainly farm out to a specialist.

Somewhat unusually, as Ince admits, this approach also extends to its IT. Hence Lush retains control over many aspects of its technology strategy that others would certainly outsource. Where it does work with IT partners, Lush tends to favour open source solutions and makes a point of enthusiastically contributing back to the open source community. It also seeks out IT partners that can demonstrate strong ethical principles – its datacentre partner, for example, uses 100% renewable energy.

Lush’s approach to ethics in tech also extends into how it handles customer data for its online business, which Ince says goes above and beyond mere GDPR (General Data Protection Regulation) compliance. “We don’t use that data for any kind of targeted marketing or anything like that, and we don’t send it onto anybody else,” he says.


It was a concern about customer data that led Lush to reconsider its approach to authentication. The firm found it was integrating more and more into third-party platforms and, according to Ince, that was making things tricky.

“We had a service-oriented architecture with lots of microservices and so on,” he says. “All of these third parties use different authentication standards – somebody might be on OpenID, somebody else might want a JWT token, somebody else will be on OAuth.

“It’s not just that we were trying to maintain a single authentication layer, it was then trying to maintain all the different standards that all the different services needed. That just became too much work.”

Matters came to a head during the development of a new customer chat function, when Ince’s team hit a roadblock with Lush’s “home-baked” authentication system. With time not on his side, Ince started to investigate open standards as an alternative to building in-house, at which point he discovered Auth0’s platform.

“To move the project forward as quickly as possible, I looked around for a quicker route to applying authentication to the app and settled on Auth0, which was written in Python, so essentially the work required was getting the Python library and pasting an example from the documentation, and setting up some keys and a settings page,” he says. “Within half an hour or an hour, we had a login.”

Easy on the developers

Auth0 SVP Steven Rees-Pullman says the speed with which Ince was able to get a proof of concept up and running is one of the company’s major selling points.

“About 90% of our customers are live within 30 days of starting, which has been really positive for us, particularly in an environment where the way people have to go to market and the way people want to interact with their customers, partners and employees has changed, partly due to the pandemic,” he says.

“We provide the building blocks in a way that helps users balance convenience, privacy and their security needs. In a nutshell, we give people the ability to add, quickly and simply but very securely, authentication and authorisation to their applications across their business and have a standard across that, while at the same time having that trust and security built in as well.”


Rees-Pullman adds: “Developers have a tough job. They’re supposed to be innovative, imaginative, able to build things really, really quickly to meet the demands of the business and to be able to provide tools that help support it.

“What we’ve always been about is freeing up the developers’ time so they can really focus on what the business, in this case Lush, is there to try and do what their core business is, so that they don’t need to be experts in authorisation or authentication.”

This was certainly the case for Ince, who says the ease of implementation piqued further interest within Lush’s IT team, particularly because it would dramatically cut the time developers spent maintaining the internally built authentication system. This, in turn, spurred conversations along the lines of: if this is so easy to do, why are we not doing it everywhere?


The logical next step was to evaluate the Auth0 solution across other parts of Lush’s business, including a website redesign, and a programme to centralise its global point of sale (PoS) system with the intent of creating a more seamless, secure and personalised shopping experience. Using Auth0, just two developers were needed to add authentication to Lush’s website with no impact on the project timeline or roadmap, says Ince.

“It went into the website fairly quickly,” he adds. “We use an open source commerce platform called Saleor. But they support OpenID authentication. A nice thing about Auth0 is you have this single pane of users. You’ve got one instance of Joe Bloggs and their password, but if they want to authenticate against this system that uses OpenID and this system that uses OAuth or whatever, Auth0 will handle that authentication over that protocol or that platform.

“So even though we’ve got this real mix of different platforms and different protocols, somebody can go log into the site, and then the site might go off in the background and talk to different systems for stock, different systems for product information, and they might all have their own different ways of authenticating who the client is making that request and what bits of those systems they have access to, and they might all use different protocols and keys. But all of that is handled magically by Auth0.”

Future developments

Beyond the online experience, Lush is also looking at using Auth0 to integrate staff sign-on to in-store systems, such as tills, with near field communication (NFC) enabled keyfobs based on the FIDO Alliance’s authentication standards, which Auth0 can also support.

“We’re exploring the potential for staff members to be able to log into devices with a keyfob, but it signs them in through that same single sign-on layer as if they’d typed in a username and password,” says Ince.

“That’s going to really help speed things up and if we were to do that ourselves, it would be a pretty monumental project, but exploring that with Auth0, it’s essentially enabling a few libraries and clicking a few settings boxes, and we should be ready to go.”
