Three password management terms insurers should know
Better password management can smooth out insurance agency business processes and enhance security.
Growing profitably is Job One for any insurance business professional.
Efficiency is what makes growth possible. Independent insurance agencies and brokerage firms of all sizes have opportunities to be more efficient. One such opportunity, which might seem small but can save thousands of hours of time and make an agency more secure, is better password management.
I would like to introduce three concepts that are worth learning for any insurance agency leader. In fact, there is such a large opportunity within any agency (and across the entire independent agency system) that learning and spreading the word about these three password management concepts is a small price to pay.
Combined, these concepts make up a toolset for improving the situation we are stuck with regarding passwords. These tools can make establishing someone’s identity both easier and more secure.
The concepts are:
- Single Sign On (SSO)
- Multi-Factor Authentication (MFA)
- Federated Identity Management (FIM)
Passwords are inherently weak and increasingly insecure. In an agency with, say, 30 carrier relationships and 20 producers or employees, that weakness and insecurity is multiplied.
ID Federation, an industry nonprofit organization, has created a way for carriers and their business partners to “federate” identity management.
This means that a user can sign on once to a secure system and gain access to all of his or her carrier partners’ websites and applications.
Single Sign On (SSO)
SSO is an authentication process that allows a person to use just one set of credentials — that is, an ID and a way to “authenticate” (i.e., prove the identity of the person) — in many places within one system. SSO greatly reduces password risk. It also reduces the amount of time to sign on to do business.
Note: SSO is not the same as simply using one password everywhere. Doing that is a very bad practice, but the bad actors of the world know that up to 60% of users do it anyway. Hackers employ software that takes your user-name-and-password combination from a breached site and then uses it to attempt login on hundreds, even thousands of websites and services.
Multi-Factor Authentication (MFA)
A good SSO strategy will allow you to use one set of credentials but without additional risk. How? By employing additional methods to establish more completely that the person attempting to log in is really you and not an imposter. These methods of multi-factor authentication include a one-time code sent to your phone or email, or a digital certificate stored securely on your PC. The bad actor may have your username and password, but they don’t have your phone or your PC.
Google, Facebook, probably your bank, as well as many other sites, make multi-factor authentication available to you today. When you have the opportunity, you should use it to make your online presence more secure.
Federated Identity Management (FIM)
Federated identity management applies an additional level of security to multiple sites or business platforms. FIM provides a way to connect many identity management systems. It is a pre-configured trust agreement between entities, under which your securely established authentication (using some form of MFA) can be accepted without going through a separate authentication process for each website or application.
FIM speeds access to a broad array of resources, but it requires all participating companies to comply with a neutral standard or framework set managed by a third party.
Essentially, Business A “proves” it is really you by requiring you to take an additional step in authentication (MFA). Then, when you navigate to Business B, a “token” is passed from Business A that states you are a securely authenticated user. Business B trusts that token and allows access based on the previously arranged trust relationship with Business A.
This trust arrangement between organizations requires both technical and non-technical agreements. Each organization accepts accountability for standard protocols and behaviors that make the system work.
FIM differs from SSO, but they’re often used together. While federated identity management can make use of SSO, single sign on does not include FIM.
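The hand-off between Business A and Business B described above can be sketched in a few lines of Python. This is an added illustration, not code from ID Federation or SignOn Once: the issuer URL, key, claim names and the `issue_token` / `accept_token` functions are all constructed for the example, and a shared-key HMAC stands in for the asymmetric signatures that real federation protocols such as SAML and OpenID Connect use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust agreement held by Business B: trusted issuer -> signing key.
TRUSTED_ISSUERS = {"https://business-a.example": b"constructed-demo-key"}
AUDIENCE = "https://business-b.example"  # Business B's own identifier (assumed)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(issuer, key, subject, audience, mfa, now=None, ttl=300):
    """Business A: assert that `subject` signed in, and whether MFA was used."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "mfa": mfa, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def accept_token(token, now=None):
    """Business B: return (True, user) or (False, reason for refusing)."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return False, "malformed token"
    iss = claims.get("iss") if isinstance(claims, dict) else None
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        return False, "issuer not in trust agreement"
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    # Constant-time comparison; nothing in the claims is trusted before this.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    if claims.get("aud") != AUDIENCE:
        return False, "token issued for another site"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    if claims.get("mfa") is not True:
        return False, "issuer did not perform MFA"
    return True, claims.get("sub")
```

Business B never sees a password: each refusal reason corresponds to one term of the trust relationship, namely who issued the token, who it was issued for, how long it is valid, and whether MFA was performed.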
The benefits of Federated Identity Management
Joining a trust agreement relationship and implementing federated identity management takes upfront effort and funding from business leaders, information technology staff, and technology security personnel with carriers and agency management system providers.
But the return on this investment — for carriers and service providers — is faster and smoother business processes, dramatically fewer help desk calls to reset passwords, and enhanced security for their own websites and applications.
From an agency perspective, there is no upfront investment or implementation. The vendor and carrier must do the internal setup work required to make this possible. But the agencies reap the bounty, too: It is much more efficient to “sign on once” than to sign on 30 times per day.
But agencies, as users, must play a role to make federated identity management a reality in the insurance industry. It’s up to agencies to politely and persistently invite their business partners to take the necessary initial steps to gain the efficiency and security of a better password management system.
Here’s why you should push for better password management.
Think of how you use agency management systems that connect to multiple carriers and how you jump across multiple identity domains repeatedly. This dynamic relationship between agents, carriers, aggregators and other business assistance platforms would be significantly easier if you could use the same credential — just one credential per user — across all of them in a secure fashion.
The concepts discussed here are what ID Federation’s SignOn Once, a trust agreement that allows federated identity management as well as single sign on, can deliver. ID Federation is the managing organization for this trust agreement for the independent agency channel. It was created and developed by volunteers within the industry for the direct purpose of making the IA channel more efficient.
One more reason to take action
As an agent, you are falling under increasing regulatory scrutiny, which means you will want the best security you can obtain from every platform you use. SignOn Once can provide that, while also saving precious keystrokes and minutes each workday.
So it’s time for action: Let your carrier partners know about these concepts. You can share this article and also invite your contacts to learn more at IDFederation.org. You can even send an automated email telling them that your agency wants the power of SignOn Once for productivity and profit.
Kevin Baker (kbaker@areteadvisorsinc.com) is InsuraShield and post-incident response program lead with Arete Advisors, which provides accelerated incident response to complex cyber threats.
These opinions are the author’s own.