Since the creation of private websites, passwords have been the standard method of authentication. Almost 25 years ago when I was working for a carrier, we created an agent portal to share monthly production statistics with our agents. A username and password secured the site and limited access to just the authorized users at each agency. Today the website is still operating, with much greater capability and updated features, but a username and password combination is still the only security measure in place.
Twenty-five years is an eternity in technology. Nefarious actors have been hacking simple usernames and passwords since the 1960s. Microsoft’s Digital Defense Report states that 70% of cybercrime consists of social engineering attacks — phishing — designed to trick victims into disclosing their usernames and passwords. Armed with this information, the criminals can log onto the victim’s website and access the information and functionality provided. In addition to social engineering attacks, hackers have built toolkits to obtain passwords.
The recent breach at MGM Resorts shows how easily a $13 billion firm’s cybersecurity can be defeated by a 10-minute conversation if you are still depending on ID and password security.
Each of us logs into websites — both professional and personal — many times a day. Unfortunately, that also means we are likely to reuse passwords, making it easier for a single password breach to compromise multiple sites. Do you use a different password for every online location you visit? Very few people can say “yes” to that question.
NordPass, a cybersecurity company, released a list of the most commonly used passwords: No. 1 on the list was “password,” used almost 5 million times. Even a complex, eight-character password composed of numbers, symbols, and upper and lowercase characters can be broken by a computer in minutes or hours. Pure Cloud Solutions reports that such a password would take about 39 minutes to break.
The good news is multifactor authentication (MFA), developed in 1986, provides a simple and elegant solution to improve your authentication security. MFA uses two pieces of information — something you know and something you have — to provide authentication. Since the second factor is either something unique (fingerprint or face scan) or something that changes (one-time passcode), breaching security is significantly more difficult.
You may have noticed almost all financial institutions, brokerages and even utility companies have moved to using MFA for authentication. With large entities securing their systems, small businesses not using MFA are now a more tempting target for cybercriminals. The average U.S. business experiences 42 cyberattacks each year, according to the “2022 US Cybersecurity Census Report” from Keeper. When it comes to cybercrime, it’s more likely than not that your agency will be targeted. MFA creates an additional layer of security that can’t be easily compromised.
Microsoft supports one of the largest cloud networks and reports that it receives over 300 million fraudulent sign-in attempts to its cloud services every day. Microsoft says, “MFA can block over 99.9% of account compromise attacks.” Are you using MFA to protect your agency from cybercrime exposure and reputational risk?
In the independent agent channel, each agency connects to an average of 10 to 12 carrier partners. Using a different MFA process for each connection is operationally inefficient.
ID Federation is a nonprofit organization created by peers in the insurance industry to help agents both be cyber secure and improve their operational efficiency. ID Federation has created a Trust Framework and process — SignOn Once™ — that supports MFA yet is efficient. A user can share credentials through your agency management system just once each day with all carrier partners — requiring no re-entry of information and no hassle with multiple MFAs.
Encourage your carriers to participate in ID Federation
Working together with agents, carriers and technology providers, ID Federation’s goal is to maintain the highest level of cybersecurity and operational efficiency.
SignOn Once by ID Federation is in production today with the two primary management system providers — Applied Systems and Vertafore — and with carrier partners like The Hartford and Nationwide. If your preferred carriers do not yet participate, petition them with our automated request letter here. Together, we can help make the industry more secure with operational efficiency for independent agents.
Alvito Vaz is executive director of ID Federation. He is a long-time participant in AUGIE and has held business and technology leadership roles at Progressive and Travelers. He can be reached at alvito@idfederation.com.