Multifactor Authentication: It Is the 21st Century, After All

Cyber security is a top-of-mind risk for anyone who runs an insurance agency or brokerage. Mobile technology, bring your own device, work from home—we’re all looking for ways to keep access to proprietary systems restricted while broadening the available ways to work. Multifactor authentication (MFA) offers the insurance industry that ability.

At this point in our technological evolution, MFA—the provision of an identity authenticator beyond user ID and password—is cyber security 101. MFA can be used to access email, agency management systems, carrier portals and a variety of other networks that need to be secured. Most people are already accustomed to it because their bank or some internet service provider requires it. Our parent company, Acrisure, instituted an authenticator app for internal use, and other brokerages have done similar things. So it’s not a foreign concept to agency staff.

As the workforce becomes more mobile and as more personal devices are in use to access agency and carrier systems, cyber-security concerns about non-authorized use via open internet (think Starbucks or a hotel conference) or through a lost laptop, tablet or phone are growing. Add to that the persistence of bots at overcoming user IDs and passwords, and it only makes sense to add a layer of protection to ensure the person (or thing) trying to enter your system is an authorized user. Think of how many times you’ve had to prove you’re not a robot by clicking on all the squares that contain a bus.

The Basics of MFA

Multifactor authentication is, as aptly defined by CrowdStrike, a “multi-layered system that grants users access to a network, system or application after confirming their identity with more than one credential or authentication factor.” That means user ID/password plus a code or one-time password, a secure token generated by an authenticator app, or some kind of biometric recognition, like your iris, face or voice.

I have heard people, especially agents and CSRs but others as well, predict that MFA will add another layer of effort and inefficiency to accessing carrier portals, policy documents, and other crucial business systems. That hasn’t been my experience. Three years ago, I might have said it was or would be, but MFA is part of our world now.

When it’s done right, a carrier will give options: would you like a text to ***-***-1234 or an email to *****@yourdomain.com? True, you may have to get a code for each carrier, and true, some agencies don’t let you mingle business operations with your personal devices or email accounts, so there are some process issues to overcome. But those can be dealt with, and agencies that want to operate in the modern world are going to overcome those. For example, MFA isn’t available for a multi-user account on an agency management system. Everyone has to have their own user ID and password. OK, that’s not Mount Olympus. You can do that.

Your carrier will work with you to prepare both your agency systems and your personnel for the transition. We did this with The Hartford, and I can tell you it was very smooth. The company gave us many months notice, told us the schedule for rollout, gave us a good idea of the mechanics. It was painless.

As I understand it, on the carrier side, it’s a complex but pretty standard change management exercise. You give ample notice and information to agency partners, and you use key performance indicators to make sure both you and the agencies are implementing MFA smoothly. Your metrics would include things like the number of sign-ons that failed, the change in the number of help-desk calls, any change (especially a drop-off) in underwriting requests, etc. It’s a whole-of-business effort, but a competent change management team should be able to handle it.

Let’s Make It Easy

One thing that would really make multifactor authentication easy would be single sign-on, similar to ID Federation’s SignOn Once initiative for user IDs and passwords. (ID Federation is a nonprofit coalition of carriers, agencies and insurance technology vendors who work together to develop collaborative solutions that reduce redundancies in agency workforce operations.)

Single sign-on for MFA would mean a producer or CSR—any authorized user—would log in to whatever program or portal was needed through the agency management system and receive, at initial sign-on, the MFA code or token. Users wouldn’t have to receive a new code from each carrier or rater or network. The single sign-on would work via an application programming interface (API) to gain approved entry to every carrier available through the agency management system—every vendor and software program too.

That would really improve efficiency and reduce headaches, but it requires cooperation between carriers and agency management system vendors. ID Federation is gearing up to help that process, so hopefully the industry will take advantage of that opportunity.

Having single sign-on would also make deprovisioning easier. Unlike user IDs and passwords that departed employees still have in their device caches (or their wallets), MFA access can be changed instantly at the agency level. An agency doesn’t have to go to every carrier and say, “Hey, I just fired this person, so please find their user ID and eliminate it from your system.” An agency administrator can simply deprovision the person from receiving MFA at the agency management system level. Even if they still have an active user ID and password—imagine the employee who quits in a huff at 5 p.m. on Friday—they can be locked out by excluding them from MFA. The deprovisioning process with the carriers then can take place without a hair-on-fire scenario.

It’s 2022. We should be making it easier and more secure for our trading partners to do business with us. MFA is an essential part of that.

Steve Aronson is principal at Aronson Insurance, an Acrisure Partner Agency, and a board member at ID Federation.