11:13 AM
Connect Directly

For Better Security, Keep Password Policies Simple

Password proliferation leads to bad data security habits. Here's how insurers are stemming the tide.

Agent-Focused SSO Effort

Another recent high-profile implementation of federated single sign-on in the insurance industry is SignOn Once, a joint effort of insurers, vendors, and agents through ACORD, ACT (Agents Council for Technology, a component of the Independent Insurance Agents & Brokers of America), and the Real Time/Download Campaign. Designed for independent insurance agents, the tool was developed over the past two years through an ID Federation working group so that agents who represent multiple carriers don't have to deal with dozens of passwords for the many portals they use.

"Today, from a carrier perspective, they prefer each agent has one ID and one password, but because of the pain of maintaining the passwords, some agencies will use one for the whole agency," says Jim Rogers, assistant VP of distribution technology strategy for The Hartford (Hartford, Conn.; $564 million in first-quarter 2014 earnings) and a founding member of the ID Federation. "Some very large agencies have the equivalent of a full-time person managing them."

More common were situations where agency employees shared passwords among one another on an ad hoc basis or kept insecure paper files with their many passwords in plain view on their desks. Each carrier and agency had different rules regarding suitable passwords, expiration dates, and deprovisioning of ineligible personas. It was clear, Rogers says, that something had to change. But it didn't happen overnight: Getting carriers to agree to federate IDs required lots of legal legwork. After a Trust Framework was drawn up, SignOn Once was introduced at the 2014 ACORD LOMA Insurance Systems Forum trade show.

When agents use SignOn Once, a token is created indicating that the particular ID is in use by a specific individual and passed along to the insurer. For insurers and agents alike, this goes a long way toward ensuring that the correct agency and agent are identified as making a policy sale and are appropriately compensated.

"Now you can't go to the agency next door and just sign into the carrier using your old agency credentials," Rogers says.

That's the overall goal of SignOn Once, according to Rogers: to return the user name-and-password model to its original goal of identifying who is accessing sensitive data at an insurance carrier.

"Our industry deals with a lot of sensitive information. Anything we can do to increase cyber-security and make it easier to do business is welcomed," he says. "When someone uses this, you know they're active agency employees. You can look at their security certificates. It's definitive, not separate people using the same user name and password."

Nathan Golia is senior editor of Insurance & Technology. He joined the publication in 2010 as associate editor and covers all aspects of the nexus between insurance and information technology, including mobility, distribution, core systems, customer interaction, and risk ... View Full Bio

2 of 2
Register for Insurance & Technology Newsletters