SignOn Once: The Solution to Password Security

January 7, 2019 by

A lot has been written about multi-factor authentication, especially in light of new cybersecurity requirements from the New York Department of Financial Services, NAIC and the federal government. A multi-factor login requires a second or third verifying credential in addition to a password — a one-time PIN texted to your smartphone or the answer to a security question. While multi-factor may be more secure than just a single password, it’s costing businesses in lost productivity.

I’ve estimated that in my agency alone, the cost of implementing multi-factor across all of my offices would be in excess of $300,000. Mostly, it’s the time involved in creating new credentials for each account and the time lost when an employee has to wait to receive a PIN. You might say, “What’s 15 minutes here or there?” Multiply that by the number of employees in your operation, and you’ll see it can add up to the equivalent of several full-time positions during the course of a year.

Multi-factor also brings its own headaches for management. How do you control the provisioning process for PINs? Do you really want a PIN texted to an employee’s personal smartphone? Or to a personal email account? It creates its own security risk in that employees can access sensitive information or carrier portals without your knowledge or control. And they could take their credentials with them if they leave.

A survey by the global IT security firm IS Decisions found that organizations are concerned about the way technology is impeding end users, with nearly half (47 percent) agreeing that security measures in their organization negatively impact productivity. U.S. employees lose about 22 minutes every week because of complex IT security procedures, IS Decisions found.

Multi-factor isn’t a solution. It’s a Band-Aid. The solution lies in streamlining the login process so there are fewer credentials to begin with.

Biometrics is one example, and most of us have now experienced the ease of logging into an app with the touch of a finger. It’s that ease of use and concern for security that spurred industry leaders to create ID Federation and the single sign-on technology called SignOn Once.

The beauty of SignOn Once is that it requires agency employees to sign on just once to their agency management system. Once logged in, the user can easily and securely access the systems of other federated partners.

SignOn Once won’t eliminate the additional layer of authentication required by new cybersecurity rules, but it will reduce the number of times you and your staff have to log into systems each day. With SignOn Once, there’s just one login.

ID Federation has developed a trust framework (downloadable at IDFederation.org) to protect the security of its federated partners. By using individual credentials and tokens, and certifying identity providers (vendors such as Vertafore and Applied Systems), SignOn Once ensures logins are safe and eliminates many of the issues associated with poor password protection.

At a time when management experts keep telling us we need to move towards a “frictionless” customer experience, it’s time we also looked at the end user’s experience. SignOn Once allows carriers and agencies to do what they do best: sell insurance and service clients. With a seamless, secure connection, users can spend more time collaborating and less time worrying about passwords. In short, agency owners can direct more staff time toward customer-facing actions.

Over time, the companies that are federated partners and accept SignOn Once credentials will have the competitive edge. Incidentally, carriers can also save money by adopting SignOn Once because it eliminates the need for password resets.

If every agency reached out to at least their largest carrier and urged them to join ID Federation, we’d be one step closer to a world with fewer passwords and more secure systems.

We’d also have more time for what we do best — interacting with customers.