When you set up an account on any secure website, you've probably seen instructions on how to create a password, similar to these:

  • Your password must be alphanumeric.
  • It must be more than/not less than X number of characters.
  • It must include/must not include special characters (with a list or examples).
  • It must include at least one number and one capital letter.
  • It cannot be any of your last five passwords.

The rules by which passwords are created have grown so much more complex that many companies have emerged whose main product is password management, generating supposedly unbreakable ones with differing combinations of letters, numbers and special characters. Of course, they are locked away in a master vault behind yet another password.

The obvious weaknesses of protecting a vault of passwords with a password should go without saying, which is one reason why many companies, including Apple, have moved into the biometric arena. Fingerprints or retina scans are next on the list of security barriers to our ever-growing data needs. Yet hackers continue to successfully traverse even the tightest security measures.

Consider one of the recent, more public, hacks that happened last November when Sony Pictures was breached and confidential personal data belonging to Sony Pictures Entertainment employees and their families—among others—were disclosed in an attempt to force the company to cancel the planned release of the film, The Interview. The attack, allegedly by North Korea, was a huge affront to our freedom of speech, but happened because Sony, and almost everyone else, continues to rely on birth dates and pet's names to protect this valuable information.

ID Federation to the Rescue

For the insurance industry, however, an evolution in data security is taking place, thanks to the ID Federation, a nonprofit industry coalition formed in 2011 to take the sticky notes out of password management. In fact, its purpose is to "remove the need for IDs and passwords [entirely] while improving security and ease of doing business," according to the ID Federation's website.

As every carrier and agency professional knows, handling passwords is an enormous, time-consuming task, not just for IT but also for the individual agents, customer service representatives (CSRs) and others who need to create and remember them. In addition, when someone leaves the agency, the task of closing out the employee's usernames and passwords is even more time consuming. In fact, according to the ID Federation, there can be, on average, from 40 to 50 different usernames and passwords per person.

When you add in the fact that as many as 75% of help-desk calls are from employees who forgot or need to reset a password, you're talking about a huge cost of up to $150 per incident in labor, according to the ID Federation.

How many times have you clicked on the "Forgot my password" link just below the login screen on a website? Sure, a computer program handles that, and most of the time it's done pretty easily, but that's part of the reason hackers target online retail chains. Their password criteria are generally lax—which is partly our fault for reusing the same simple one on multiple sites, and partly the company's fault for not demanding more stringent character strings in the first place.

We are getting closer to saying goodbye to passwords and other manual security measures, however. The coalition, composed of carriers, solution providers, industry associations and agencies, has developed a solution that establishes and leverages a trust framework of rules that govern business, legal and technology use to provide secure access to multiple carrier platforms via the agency management system.

Identity Authentication Framework

As the oft-cited number one pain point for agencies and carriers, the password management process was based on the premise that the passwords in use were secure. How would carriers know whether a particular agency person decorated the computer monitor with sticky notes? They couldn't.

But with SignOn Once, it's not up to an individual; it's up to the coalition members, each of which trusts the other with identity authentication because the framework is in place based on agreed standards backed by a certifying authority.

When carriers and solution providers (and the agents that use their systems) become members of the ID Federation and sign the Participation Agreement, agreeing to the solution and standards set via the SignOn Once technology, they fall into one of two member roles: an Identity Provider (IDP) or a Relying Party (RP).

An IDP would be the management system vendor that creates, maintains and manages the identity of the agent according to the Trust Framework. On the other side of the electronic handshake is the carrier that "trusts" the identity information, which is passed through the system via the IDP. Because everyone is party to the same SignOn Once solution and Trust Framework, it is 100% reliable and secure. The best part is that for agents the access process is invisible and easy.

Widespread Implementation Needed

As with any type of standard, however, its success only comes with widespread implementation. You can find the current roster of members on the ID Federation website, and it represents some of the largest carriers—but not enough in my opinion. When you consider that the average independent agency represents 10 or more carriers, it becomes clear that if SignOn Once is going to truly succeed, it's going to be up to the agencies to demand it.

From the beginning, independent agents and the IIABA (Independent Insurance Agents & Brokers of America, Inc.) have been at the forefront of password management, working with ACORD (Association for Cooperative Operations Research and Development), AUGIE (ACORD User Groups Information Change), the agency management system vendors and many others. It has always been agents that suffered with the issue and will benefit from the solution. Agents are acutely aware of the challenges and, although most are not intimately involved in the inner workings of the ID Federation, the ease with which a CSR flows from one system to another with SignOn Once makes it well worth the conversation with all carriers.

SignOn Once also has drafted an email or letter template that you can send to your carriers encouraging them to participate. It couldn't be easier to promote this and use it.

I don't know whether a similar system might be created for consumers, but if it is you can bet I'll be at the head of the line.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.