Multi-factor Authentication (MFA)
Insurance use cases for multi-factor authentication (MFA) include distributor access, external user access (e.g., claims vendors, financial advisers), internal user access and policyholder access.
Legislation and regulators are increasingly mandating MFA to ensure greater security as well as to reduce identity theft and other forms of fraud. Examples include the New York State cybersecurity regulation and the NAIC Insurance Data Security Model Law. Insurers have traditionally balanced security against expense and inconvenience to their users, especially if their coverages are marketed to older demographics (e.g., final expense policies). Regulatory mandates combined with growing digital adoption and criminals turning their eyes to life and annuities account takeover means the calculus has changed.
Despite these regulatory mandates, 80 percent of insurers say that risk management, rather than regulatory compliance, is driving their adoption of MFA.
There is minimal variation between size and sector of company when it comes to deployment rates, with the exception of large life/annuity/benefits insurers, which are much more likely to use MFA for policyholders than is any other class of insurer. A low deployment rate of MFA for policyholders among smaller property/casualty insurers reflects the fact that few small P/C insurers offer direct policyholder access at all.
Midsize P/C insurers lag behind other sizes and sectors in deployment of MFA for both distributors and policyholders but are ahead of large life/annuity/benefits insurers in deployment for other external parties. Midsize P/C insurers are also ahead of midsize life/annuity/benefits insurers in deployment internally.
How MFA Helps
As many knowledge workers moved from the office to home during the pandemic, securing infrastructure became another key driver. Hybrid work models that blend office and home working environments are gaining traction, and the need for MFA becomes more crucial to validate that users are actually employees.
In addition to security needs, carriers are obtaining policyholder emails and cellphone numbers as part of the MFA process. These bits of data, which are often difficult to obtain, can provide insurers with the opportunity to digitally connect with customers in their preferred channel.
There is no mandated number of identification methods for MFA, but the consensus is to have two at a minimum. Insurers are starting to use multi-factor or its equivalent for any interaction where an external network is accessing information behind a firewall. Some are taking this a step further to include role-based authentication for internal access as well.
The best defense is a layered approach, combining multiple authentication methods with secure and documented business processes and other security solutions. Some insurers are offering security audit services to agents they work with, while others are working with their distribution executives to change distribution agreements to mandate MFA and other security measures.
Insurers should ensure that MFA processes are documented and that solutions generate auditable logs. Some wholesale brokers require attestations from insurers they work with.Some insurers are offering security audit services to agents they work with, while others are working with their distribution executives to change distribution agreements to mandate MFA and other security measures.
For consumer-facing use cases, depending on the age of policyholders, insurers may wish to opt for MFA methods that are more straightforward (e.g., less complex knowledge-based authentication, voice print). Final expense and Medicare supplement are two lines of business where voice signatures are well established. Many solutions support establishing different access policies based on risk assessment, such as requiring MFA for new devices, or conversely accepting password-free authentication for low-risk access requests.
Types of Authentication
MFA relies on several of the following authentication methods:
- Physical objects (e.g., laptops, mobile devices, security tokens) in possession of users.
- Knowledge-based authentication (e.g., answers to questions, passwords or PIN codes, randomly generated authentication codes from authenticator apps).
- Location (e.g., GPS or IP address).
- User characteristics (behavioral or biometrics-based).
Some authentication methods are more secure than others. For example, sending codes or passwords via email or SMS runs the risk of interception by man-in-the-middle attacks. With many employees working from home, phishing and other identity theft methods are on the rise. Several solutions support adaptive authentication, with less risky access requests requiring fewer authentication methods than riskier ones, as determined by system-generated risk scoring and predefined security policies.20 percent of CIOs surveyed by Novarica said they are planning to require MFA for distributors and policyholders within six months, adding to 30 percent that already do so.
Novarica recently conducted a survey of insurer CIOs to understand their deployment of MFA, including business drivers, authentication methods and use cases. It is important to keep in mind that solution providers typically offer a range of authentication methods.
Only 30 percent of participants currently require MFA for distributors or policyholders, but another 20 percent are planning to require MFA within six months. Roughly 80 percent of participants require MFA for most or all internal systems users.
The most common authentication methods deployed are mobile authenticator apps, used by 80 percent of participants. More than half of participants use SMS. Email and security keys are used by roughly 40 percent and 33 percent of participants, respectively. Behavioral authentication, voice-based authentication, IP location and knowledge-based authentication are used by fewer than a third of insurers.
Note that only 16 percent of insurers report using just one method; overall, insurers said they use an average of 2.8 different authentication methods.Sending codes or passwords via email or SMS runs the risk of interception by man-in-the-middle attacks.
The security threat landscape continues to grow in number and impact. Although many carriers are not currently considering MFA, regulatory scrutiny and enforcement of IT security will only increase. The ability of most solutions to offer different levels of authentication for different access use cases means there is less of a tradeoff between customer experience and security. Many solution providers offer MFA as part of a broader portfolio of identity and access management and IT security solutions.
Insurers should consider MFA approaches as part of a broader IT security strategy.
Steven Kaye is Vice President of Research at Novarica and lead editor of the firm’s Business and Technology Trends in Insurance series. He has managed a wide range of research projects since joining the firm in 2008. Previously, Kaye worked for Accenture as an insurance researcher focused on the U.S. life and property/casualty markets. He also served in both knowledge management and research roles at Gemini Consulting (now part of Capgemini) for several of the firm’s industry practices. Kaye holds MILS and BA degrees from the University of Michigan at Ann Arbor. Reach him directly at email@example.com.