Multi-Factor Authentication: Validating Employees and Policyholders

Insurers have traditionally balanced security against expense and inconvenience to their users, especially if they market coverages to older demographics (e.g., final expense policies). Regulatory mandates, growing digital adoption, and criminals turning to life and annuities account takeover have changed the calculus. Insurers are considering multi-factor authentication (MFA) as part of a broader IT security strategy.

Regulation, Risk Management, and Remote Work

In the digital era, legislation and regulators are increasingly mandating MFA to ensure greater security and reduce identity theft and other forms of fraud. Examples include the New York State cybersecurity regulation and the NAIC Insurance Data Security Model Law.

Despite these regulatory mandates, 80 percent of insurers say that risk management, rather than regulatory compliance, drives MFA adoption. Insurance use cases for MFA include distributor access, external user access (e.g., claims vendors, financial advisers), internal user access, and policyholder access.

Many knowledge workers moved from the office to home during the pandemic; securing infrastructure became another key driver for MFA adoption as a result. Hybrid work models, which blend office and home working environments, are gaining traction. MFA becomes more crucial in these environments to validate that users are actually employees.

Insurers are obtaining policyholder emails and cellphone numbers as part of the MFA process. This data, which can be difficult to obtain, can provide insurers with the opportunity to connect with customers in their preferred digital channels.

MFA in Theory

MFA relies on several of the following authentication methods:

  • Physical objects (e.g., laptops, mobile devices, security tokens) in possession of users
  • Knowledge-based authentication (e.g., answers to questions, passwords, PIN codes, randomly generated authentication codes from authenticator apps)
  • Location (e.g., GPS, IP address)
  • User characteristics (behavioral or biometric-based)

Some authentication methods are more secure than others. Sending codes or passwords via email or SMS runs the risk of interception by man-in-the-middle attacks. Phishing and other identity theft methods are on the rise in the work-from-home era. Several solutions support adaptive authentication, with less risky access requests requiring fewer authentication methods than riskier ones, as determined by system-generated risk scoring and predefined security policies.
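A sketch of the adaptive authentication described above, added here as an example and not taken from the survey or from any vendor's product. The signal names, weights, thresholds, method strengths, and the rule that internal users always step up are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass

# Assumed relative strength of each method (higher = harder to intercept).
# Email and SMS rank lowest because codes sent that way can be intercepted.
METHOD_STRENGTH = {"email": 1, "sms": 1, "authenticator_app": 2, "security_key": 3}

# Assumed risk weights per signal; a real deployment would tune these.
SIGNAL_WEIGHTS = {
    "new_device": 30,        # request comes from a device not seen before
    "unusual_location": 25,  # GPS or IP address differs from the user's history
    "behavior_anomaly": 20,  # behavioral profile does not match
    "sensitive_action": 25,  # hypothetical example: a payout or beneficiary change
}

@dataclass(frozen=True)
class AccessRequest:
    user_type: str               # "policyholder", "distributor", "external", "internal"
    signals: frozenset           # risk signals observed for this request
    enrolled_methods: frozenset  # methods the user has registered

def risk_score(req):
    """System-generated score from 0 to 100; unknown signals count as maximum risk."""
    return min(100, sum(SIGNAL_WEIGHTS.get(s, 100) for s in req.signals))

def decide(req):
    """Apply the predefined policy and return (action, acceptable_methods)."""
    score = risk_score(req)
    # Low-risk requests from non-internal users pass without an extra factor.
    if score < 25 and req.user_type != "internal":
        return "allow", []
    # Riskier requests may not be satisfied with email or SMS codes.
    min_strength = 2 if score >= 50 else 1
    allowed = sorted(m for m in req.enrolled_methods
                     if METHOD_STRENGTH.get(m, 0) >= min_strength)
    if not allowed:
        return "deny", []  # fail closed: no enrolled method meets the policy
    return "step_up", allowed

if __name__ == "__main__":
    # Constructed sample request: policyholder on a new device doing a sensitive action.
    req = AccessRequest("policyholder",
                        frozenset({"new_device", "sensitive_action"}),
                        frozenset({"sms", "authenticator_app"}))
    print(risk_score(req), decide(req))
```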

MFA in Practice

Novarica recently surveyed insurer CIOs to understand their deployment of MFA, including business drivers, authentication methods, and use cases. Thirty percent of participants currently require MFA for distributors or policyholders. Another 20% plan to require MFA within six months. Roughly 80% of participants require MFA for most or all internal systems users.

The most common authentication methods deployed are mobile authenticator apps, which 80% of participants use. More than half of the participants reported using SMS. Roughly 40% and 33% of participants use email and security keys, respectively. Fewer than a third of insurers use behavioral authentication, voice-based authentication, IP location, and knowledge-based authentication.

Security threats continue to grow in number and impact. Many insurers are not currently considering MFA, but regulatory scrutiny and IT security enforcement will only increase. Because most solutions can offer different levels of authentication for different access use cases, there is less of a tradeoff between customer experience and security.

This post is adapted from a larger article at Carrier Management. For more information, see the full report, Multi-Factor Authentication: Overview and Prominent Providers.
