The regulatory and security requirements around Multi-Factor Authentication – or 'MFA' – are beginning to impact all of us in one form or another. ACT is receiving input from agents and other stakeholders that, in response to cyber regulations such as Gramm-Leach-Bliley, NY DFS and the NAIC Model Security Law, businesses are instituting MFA in various ways. One example is the MFA challenge agents now face when they access their agency's carrier portal. Vendors such as management system providers are also instituting MFA in various forms. Agencies themselves are implementing MFA login confirmation.
We're clearly at a critical inflection point with MFA in our distribution channel.
To that end, our goal is to gain insights separately from our carrier, agency, and vendor stakeholders on the current state of MFA implementations.
Of the myriad issues and actions needed to address cyber risks and implement a solid cybersecurity program, Multi-Factor Authentication (MFA) is quickly gaining focus as a requirement.
Let's be clear – MFA is not the only regulatory requirement to be addressed, nor is it the 'silver bullet' that prevents all potential incursions. But thanks to regulations now in place across the country (NY DFS, NAIC Model Law adoptions, Gramm-Leach-Bliley), pressure is being put on insurance companies, and therefore on agents, to implement and use MFA.
We're seeing MFA in place in many areas of our personal business interactions, and our industry is working to provide additional security layers using MFA.
Because of this, ACT fielded a survey of our IA distribution carriers, agents, and vendors from late January through February to gain insights on:
- Implementing/using MFA,
- Specific MFA solutions in place,
- Adoption rates & Consistency of use,
- Mobile strategies,
- Integration with agent & company systems, and
- Ongoing strategies.
We will use the results of this survey within our ACT Security Issues work group to discuss & determine industry actions & attempt to drive consistency around MFA. We'll also share more in-depth analysis from the work group, hold an 'MFA Town Hall' at our upcoming April 19-20 ACT Tech Summit (schedule & registration HERE), and discuss the results in more detail throughout forums across our IA distribution channel.
For a full graphical report of survey responses, click HERE. Here are some mid-level insights from the MFA Survey:
Total Respondents across Carriers, Agencies, and Tech Providers: 305
---------------------------------------------------------------------
Agents:
Of the 271 agency representatives responding:
48% indicate their carrier partners are requiring use of MFA to some extent.
Of those:
- 38% indicate that only 1-2 of their carriers are requiring MFA
- 44% indicate that 3-5 of their carriers are requiring MFA
- 17% indicate that most of their carriers are requiring MFA
- 1% indicate that none of their carriers are requiring MFA but they are receiving comms about future implementation
43% indicate their carrier partners are using similar MFA implementations
31% see the value in MFA
12% do not see value in industry implementation of MFA (8% unsure)
When it comes to the specific type of MFA preferred by agencies:
24% Prefer SMS (text to agency mobile number)
18% Adaptive (recognizes previously-used devices/'Save My Device')
14% Link sent to Agency email address
9% Microsoft Authenticator
7% DUO Authenticator app
5% Google Authenticator
37% Other types (Okta Authenticator, ID Federation, physical hardware key)
When required to use MFA, agencies:
50% (85 total) must use MFA at every login
43% (72 total) can use 'Save my Device' for future logins, up to 60 days
4% (7 responses) are using ID Federation/sign-on once for participating agency & carrier systems.
When asked how much time their carrier partners are giving agencies before MFA becomes mandatory:
34% 2 months or longer
35% 1 month
14% 2-3 weeks
20% 1 week or less
Most agency respondents indicate they see minimal-to-no agency workflow impact from the implementation of MFA.
Less than 3% indicate they see MFA as another step for staff, or lengthened workflow process/time, or some frustration from CSRs/front line staff.
When asked about agency policies on personal cell phones:
73% indicate they do not restrict use during work hours.
19% restrict use during business hours, but do allow for authentication
5% of agencies fully restrict the use of personal cell phones during business hours.
Agency MFA wish-list input for their carrier partners:
- Make it simple & effective
- Adopt one method across the industry with multiple ways to authenticate (app, text, voice)
- Sign On Once
---------------------------------------------------------------------
Carriers:
60% indicate they are implementing MFA for IA interactions (agent/carrier portals, etc.)
For the 40% not currently implementing MFA, plans for the immediate future:
22% Plans within 6 months
22% Currently researching
20% Use guidance from NY DFS/NAIC/GLBA to determine timeframe for implementation
17% Using guidance from tech provider partners to determine methods/timeframe
17% Plan to implement within 1-2 years
Methods of deploying MFA validation by type:
21% Via SMS (text to mobile number)
16% Adaptive (recognizes previously-used devices/'Save My Device')
16% Link sent to Agency email address
5% DUO Authenticator app
5% Google Authenticator
37% Other types (Okta Authenticator, ID Federation, physical hardware key/YubiKey)
75% indicate they will also be using MFA when bridging quotes from a comp rater, and 25% indicate they are already using MFA within a comparative rater process.
Note that 71% indicated they are using the same MFA solution across their platforms and for password resets. 50% of carriers are making use of MFA mandatory for their independent agency partners
Only one responding carrier indicated they will allow agents to Opt In/Out of use of their MFA solution.
Agency feedback on carrier implementations indicates that, for the most part, agents have been understanding and receptive. Understandably, agents don't like passwords and resets, but MFA and Single Sign-On (SSO) are anticipated to make the agency experience easier.
Carriers are not reporting any measurable impact to quoting/sales/service volumes.
We also asked our carrier partners about their position on issuing and enforcing use of agency credentials (IDs/passwords) for their systems:
76% indicated they want each individual agency user to use their own ID/password (no sharing)
Only 1 responding carrier issues a single ID/password for use by the entire agency (shared)
Finally, a bit of insight on current global stance by our carrier partners:
47% identify and block ID/password access originating from foreign countries and regions (Russia, China, Europe, Asia)
---------------------------------------------------------------------
Technology Providers:
Do any of your IA platforms use MFA?
88% Yes
12% No, not yet.
Those that have not yet implemented MFA are evenly split between implementing within 6 months and relying on guidance from NY DFS/NAIC/GLBA to determine the timeframe for implementation.
Methods of deploying MFA validation by type:
17% DUO Authenticator app
15% Google Authenticator
13% Microsoft Authenticator
11% Via SMS (text to mobile number)
6% Adaptive (recognizes previously-used devices/'Save My Device')
38% Other types (ID Federation, Okta Authenticator, physical hardware key/YubiKey)
Responses on plans for supporting SSO (Single Sign-On) into carrier portals and systems:
47% Yes – In place
29% Not yet
18% In planning/development
6% Unsure
Tech Provider plans on MFA for their mobile apps:
47% Do not currently offer a mobile app
20% Have developed/implemented MFA for mobile apps
7% In development of MFA solutions for their mobile app(s)
7% Intend to implement MFA at a future point (TBD)
7% Unsure/In discussion
Tech Provider security considerations in discussion:
- Multi-system interoperability
- Integration with carrier systems
- Focused on adoption of Microsoft365 as a common future platform for businesses
- Adoption and promotion of ID Federation/SignOn Once, and for those carriers to trust ID Federation as the single identity provider.
- Concerns with the need to use MFA every time the tech provider needs access to carrier systems; carriers should be able to recognize trusted tech provider IP access.
- The ongoing challenges with technology implementations actually complicating overall workflow processes