It’s Time for the Industry to Get on the Same Page About MFA
Carriers, technology vendors and agencies across the industry have ramped up multi-factor authentication (MFA) over the last several years, either for compliance reasons or to enhance their overall cyber security measures beyond passwords and user IDs.
MFA authenticates system or website users through additional ID verification, such as by text message or email.
For agents, sorting through the various carrier and vendor MFA methods and requirements has been like navigating the Wild, Wild West. MFA has created many business challenges for agencies, including extra time, stress, and workflow delays and interruptions, according to a survey of agencies, carriers and insurance technology vendors performed by the Agent Council of Technology (ACT) earlier this year.
Part of the issue for agents has been the industry’s inconsistent rollout of MFA, with some companies and vendors requiring it and others planning to at some point. Nearly half of the agents responding to the ACT survey said their carrier partners required MFA to access agency-carrier portals, while 41% said their carriers did not. Eleven percent of respondents said they weren’t sure if MFA was required by their carriers.
There are huge inconsistencies across the industry on what MFA methods are being used on various platforms. Fewer than half of agent respondents to the survey said their carrier partners are using similar MFA implementations.
Despite its challenges, what is clear is that MFA is not going away. Of the carriers that responded to the ACT survey, 60% said MFA is now part of all independent agent interactions. More than 20% of carriers that haven’t implemented MFA yet said they planned to do so this year.
Agents can play an important role in pushing the industry to improve MFA implementation and employ a more streamlined process. Here’s how:
Educate. The goal of MFA is to strengthen cybersecurity to better protect company and client data. Not only are breaches or ransomware attacks increasing in frequency and severity, but state regulators are enacting and enforcing stricter data security requirements of financial services companies, including insurance companies and agencies.
MFA alone isn’t enough to stop cyberattacks from happening. But it is one of the most universally effective tools currently available. If applied correctly, the extra layer of security MFA provides can block more than 99.9% of account compromise attacks, according to Microsoft.
Agencies should ensure they are educated on the benefits of MFA and how to manage it effectively. This includes understanding how MFA will affect the agency’s onboarding and termination process for employees with access to carrier or vendor portals.
Communicate. One of the biggest frustrations agents have when it comes to carrier implementation of MFA is the lack of communication about timing and what method will be used. Some carriers are mindful of how MFA can disrupt business and provide plenty of notice, while others do not. Nearly 20% of agents who responded to the ACT MFA survey said they were given one week or less by their carriers to prepare for MFA implementation.
Carriers need to know this is a huge disservice to agents, and it is up to agents to tell them. Agents must also talk with their carriers about MFA pain points, including timing and if particular systems or requirements affect the agent’s ability to do business with them.
Advocate. Agents should be aware of how the MFA process can be made easier, including federated ID management systems, and they should advocate for industry adoption.
A consistent identity management framework, like SignOn Once by ID Federation, enables participants to connect with less friction in the process. Agents access a single identity management solution, probably through their agency management system, and then have trusted access to every participating carrier or vendor through one login. This eliminates the need for multiple sign-on IDs and passwords and even multiple MFA processes.
Every Identity Provider is thoroughly vetted before being added to the system.
The industry needs to adopt common standards for federated identity management to solve current credential management challenges. It is time we put our heads together and work collaboratively to solve these cybersecurity challenges.