Independent agents want their carriers to implement a measured, consistent rollout of enhanced security in multi-factor authentication (MFA) to their agents.
MFA is an electronic authentication method wherein a user is granted access to a website or application after presenting two or more pieces of evidence to an authentication mechanism. MFA is an additional component beyond an ID and password for a more secure connection.
We’ve seen some insurance carrier security teams implementing their version or interpretation of MFA while not fully understanding the impact on their agents, especially if every carrier has a different solution.
New regulatory requirements and security protocols around MFA are starting to impact all of us in one form or another. As agency employees are trying to access carrier portals, they are meeting with more MFA requests. In response to cyber regulations from federal and state authorities, as well as insurance regulators, we see carriers instituting MFA in various ways.
Indeed, MFA implementation is a top issue for carriers and their partner independent agencies. We’ve seen some insurance carrier security teams implementing their version or interpretation of MFA while not fully understanding the impact on their agents, especially if every carrier has a different solution.
The IIABA’s Agents Council for Technology (ACT) conducted a recent survey of 300 agents, carriers and technology providers. Nearly half of agent respondents said their carrier partners are requiring use of MFA to some extent. Of those, 38% said only one or two of their carriers are requiring MFA; another 44% said three to five are requiring MFA. ACT leadership urges carriers and agents to work together on a uniform MFA solution. Check out details on the ACT survey here.
ID Federation is working towards an ideal state for the industry — where the SignOn Once implementation streamlines the process to incorporate MFA. The agency administrator adds a new user to their agency management system, and they check the MFA box. Then, a flag is sent during the logon process if the carrier is participating in SignOn Once. This indicates the user went through MFA as they logged into their management system. Also, and this is key: Users only need to remember login credentials for their management system, not for all their participating carrier partners.
This is a huge benefit. If an agency management system user connects to 10 carriers and all have implemented SignOn Once, those users only need to manage MFA at the beginning, one time, when they log into the system, not for every participating carrier. The time saving is enormous.
Agents who frequent certain carriers likely will get past the impact of MFA. But what about the more-casual user who tries to conduct business with expired credentials? The quoting process probably stops right there. If the agent has to jump through extra hoops to get a quote, the agent will be much less likely to send that carrier business.
This is a hand-to-hand combat with the carriers. We need more carriers in the ID Federation space. In short, I really don’t want to use your unique MFA process.
To provide some clarity, ID Federation has published recommendations for carriers and agency leadership on implementing MFA. I urge you to check them out. And, of course, learn more about SignOn Once as well!
