When you set up an account on any secure website, you’ve probably seen instructions on how to create a password, similar to these:
- Your password must be alphanumeric.
- It must be more than/not less than X number of characters.
- It must include/must not include special characters (with a list or examples).
- It must include at least one number and one capital letter.
- It cannot be any of your last five passwords.
The rules by which passwords are created have grown so much more complex that many companies have emerged whose main product is password management, generating supposedly unbreakable ones with differing combinations of letters, numbers and special characters. Of course, they are locked away in a master vault behind yet another password.
The obvious weaknesses of protecting a vault of passwords with a password should go without saying, which is one reason why many companies, including Apple, have moved into the biometric arena. Fingerprints or retina scans are next on the list of security barriers to our ever-growing data needs. Yet hackers continue to successfully traverse erven the tightest security measures.
Consider one of the recent, more public, hacks that happened last November when Sony Pictures was breached and confidential personal data belonging to Sony Pictures Entertainment employees and their families—among others—were disclosed in an attempt to force the company to cancel the planned release of the film, The Interview. The attack, allegedly by North Korea, was a huge affront to our freedom of speech, but happened because Sony, and almost everyone else, continues to rely on birth dates and pet’s names to protect this valuable information.
ID Federation to the Rescue
For the insurance industry, however, an evolution in data security is taking place, thanks to the ID Federation, a nonprofit industry coalition formed in 2011 to take the sticky notes out of password management. In fact, its purpose is to “remove the need for IDs and passwords [entirely] while improving security and ease of doing business,” according to the ID Federation’s website.
As every carrier and agency professional knows, handling passwords is an enormous, time-consuming task, not just for IT but also for the individual agents, customer service representatives (CSRs) and others who need to create and remember them. In addition, when someone leaves the agency, the task of closing out the employee’s usernames and passwords is even more time consuming. In fact, according to the ID Federation, there can be, on average, from 40 to 50 different usernames and passwords per person.
When you add in the fact that as many as 75% of help-desk calls are from employees who forgot or need to reset a password, you’re talking about a huge cost of up to $150 per incident in labor, according to the ID Federation.
How many times have you clicked on the “Forgot my password” link just below the login screen on a website? Sure, a computer program handles that, and most of the time it’s done pretty easily, but that’s part of the reason hackers target online retail chains. Their password criteria is generally lax—which is partly our fault for reusing the same simple one on multiple sites, and partly the company’s fault for not demanding more stringent character strings in the first place.
We are getting closer to saying goodbye to passwords and other manual security measures, however. The coalition, composed of carriers, solution providers, industry associations and agencies, has developed a solution that establishes and leverages a trust framework of rules that govern business, legal and technology use to provide secure access to multiple carrier platforms via the agency management system.
Identity Authentication Framework
As the oft-cited number one pain point for agencies and carriers, the password management process was based on the premise that the passwords in use were secure. How would carriers know whether a particular agency person decorated the computer monitor with sticky notes? They couldn’t.
But with SignOn Once, it’s not up to an individual; it’s up to the coalition members, each of which trusts the other with identity authentication because the framework is in place based on agreed standards backed by a certifying authority.
When carriers and solution providers (and the agents that use their systems) become members of the ID Federation and sign the Participation Agreement, agreeing to the solution and standards set via the SignOn Once technology, they fall into one of two member roles: an Identity Provider (IDP) or a Relying Party (RP).
An IDP would be the management system vendor that creates, maintains and manages the identity of the agent according to the Trust Framework. On the other side of the electronic handshake is the carrier that “trusts” the identity information, which is passed through the system via the IDP. Because everyone is party to the same SignOn Once solution and Trust Framework, it is 100% reliable and secure. The best part is that for agents the access process is invisible and easy.
Widespread Implementation Needed
As with any type of standard, however, its success only comes with widespread implementation. You can find the current roster of members on the ID Federation website, and it represents some of the largest carriers—but not enough in my opinion. When you consider that the average independent agency represents 10 or more carriers, it becomes clear that if SignOn Once is going to truly succeed, it’s going to be up to the agencies to demand it.
From the beginning, independent agents and the IIABA (Independent Insurance Agents & Brokers of America, Inc.) have been at the forefront of password management, working with ACORD (Association for Cooperative Operations Research and Development), AUGIE (ACORD User Groups Information Change), the agency management system vendors and many others. It has always been agents that suffered with the issue and will benefit from the solution. Agents are acutely aware of the challenges and, although most are not intimately involved in the inner workings of the ID Federation, the ease with which a CSR flows from one system to another with SignOn Once makes it well worth the conversation with all carriers.
SignOn Once also has drafted an email or letter template that you can send to your carriers encouraging them to participate. It couldn’t be easier to promote this and use it.
I don’t know whether a similar system might be created for consumers, but if it does you can bet I’ll be at the head of the line.