The ID Federation is making progress in streamlining ID and password management
By Nancy Doucette
Senior Vice President, Corporate Development and Legal Affais
You know the drill when you go through security at the airport: Take off your shoes, jacket, and belt; put your computer and the one quart bag containing the limited quantities of liquids, gels and aerosols into the plastic bin; put it on the conveyor belt to be screened.
Pretty much everyone grouses about the process. Evidently, the grousing of frequent fliers was heard because the Transportation Security Administration (TSA) is implementing an expedited screening initiative known as TSA PreCheck. Frequent fliers who opt-in to the program undergo a background check and if eligible are issued a permanent ID number which they provide when booking their travel. That information is included in the barcode on their boarding pass which enables them to bypass "the drill" when they arrive at the security check point in the airport. Cool.
In the financial services sector, banks have figured out "authentication" over a worldwide network. Users of cash machines never have to think twice about completing transactions—no matter where they are. Individuals can use their PIN and cash card in any machine in the world. Cool.
Every time a CSR or producer needs to access an insurance company to answer a client's question, he or she must input a different login—for security reasons. Not cool.
Industry groups have tried for years to free independent agencies from a proliferation of passwords. Today, each of an agency's carriers has a unique password for every staff member accessing the carrier system. As if that weren't enough, agencies could very well have an identity for that carrier's personal lines system, commercial lines system, and billing system.
But how secure are those logins and passwords? With so many to keep track of, agency staff often keep a list of these logins and passwords under their keyboard for ready reference. That's only a bit better than keeping them on sticky notes and tacking them around the computer monitor.
Vice President, Partner Relations and Product Innovation
Applied Systems, Inc.
And just to keep it interesting, carrier passwords expire every 30, 60 or 90 days. So if a CSR or producer tries to access a carrier to submit a quote, for instance, the transaction gets kicked out if the password has expired. That necessitates a call to the carrier help desk to get a new password set up, and that takes time the agency representative may not have. As a result, that carrier may not get the opportunity to quote the business at all because the rep moves on to another carrier whose password hasn't expired yet.
Expiring passwords impede all real time transactions at the agency level and have the long-term effect of hampering consumer access to policy information through an agency's Web site.
Why do carriers feel the need to change passwords issued to agency staff so often? It's not like the agency folks are strangers. They're partners, aren't they? If the TSA and banks can figure out a way to simplify security, can't the insurance industry?
Well, the answer is, they're working on it. There's an initiative underway that is taking steps to simplify password management for the industry. The ID Federation Inc. (IDFI), is a nonprofit organization made up of agents, vendors, and carriers whose mission includes providing "common legal and technical standards which will remove the need for IDs and passwords while increasing security and the ease of doing business with one another." In short, a "federated identity" is portable across multiple security systems.
—Brian Bartosh, CIC, LUTCF
Top O' Michigan Insurance
An idea whose time has come
The goal is for agency management system vendors to administer one master ID and password per employee that is tied to all that individual's different IDs throughout the insurance industry. The password in the agency system will still need to be updated regularly, but that would be the only one that would need to be maintained going forward.
Compare that to the drill that many CSRs perform each morning: They open their Internet browser and log in to however many carrier Web sites they access daily—in some instances that's 15 or 20. They leave those browser sessions open all day—a potential security risk. We'll take a look at how time consuming and costly password management is for agency owners and managers shortly.
Several of IDFI's board members recently provided insights and updates relative to password management: Doug Johnston, vice president, Partner Relations and Product Innovation at Applied Systems, Inc., and John Morrow, senior vice president, Corporate Development and Legal Affairs at Vertafore, Inc., spoke on behalf of vendors. We also spoke with Brian Bartosh, CIC, LUTCF, president of Top O' Michigan Insurance, long-time technology activist and uber volunteer for the Applied Systems Client Network (ASCnet). At the time of our conversation he had been on the IDFI board for a month. Stephen Moriyama, executive vice president of Hayward Tilton & Rolapp Insurance Associates, Inc., and vice chair of the Network of Vertafore Users (NetVU)—an IDFI liaison member—also provided perspective.
Johnston and Morrow explain that vendors, carriers and larger agencies participating in IDFI send multiple representatives to share various perspectives from their respective organizations—business, legal, and technical. Small and medium-sized agencies are represented as well, both on the board and on the various IDFI committees.
Executive Vice President
Hayward Tilton & Rolapp Insurance Associates, Inc.
"Password management is a business process headache," Morrow declares. "It doesn't matter what management system your agency is on or what carriers you represent. The work of IDFI is intended to impact the industry broadly. We've worked hard to get perspective and involvement from agents and carriers at all points of the size range."
Morrow says that as of January, Vertafore began rolling out Vertafore Single Sign-On which will enable secure and streamlined access to key products—PL Rating, AMS 360, and TransactNOW. "Users are able to log in once and have access to these products," he says proudly. "It solves a key business process issue for our customers as they use our products and interact with the market. Single Sign-On helps agents work well with our products and lays a great foundation for federation."
A longer, phased rollout schedule is in place for other Vertafore products, he says.
Johnston emphasizes the need for all carriers to participate. "IDFI is an 'all or nothing' proposition—just like download or real time. Agents need a seamless framework in which to run their businesses. With respect to password management, they can't have some carrier passwords managed and some not."
Bartosh and Moriyama point out that ASCnet and NetVU "control a lot of desktops." So it is noteworthy that both organizations have joined the ID Federation as liaison members.
"IDFI gives agents structure so we can use a central user code and password that will give us access to our partners that participate in the ID Federation," says Bartosh. "It's critical that all companies participate in IDFI along with vendors."
Password management can't come soon enough, Bartosh adds. Following the friendly departure of an agency employee, Bartosh had to revoke 37 passwords, one at a time. Once federated digital identities are in place, Bartosh would be able to prevent a former employee from accessing carriers or third-party providers by revoking just one user code and password from the agency's network.
Moriyama says Hayward Tilton & Rolapp has some 100 direct appointments with carriers. The agency has multiple agency codes with many of the carriers. Setting up new hires so they can access the myriad internal and external programs is an arduous task, he notes. It generally takes one of the IT folks a day to test all the logins. Should an employee leave, passwords need to be revoked and users deprovisioned, which is equally time consuming.
States Bartosh: "If the insurance industry is truly concerned about access and security, then we should be concerned about the difficulties of reversing these access points, because we're more vulnerable to retaliation from an employee who's left on bad terms than we are from a hacker!"
For its part, NetVU has made identity management a must-have and includes it in its Playbook which details the group's strategic industry position on various issues impacting the insurance industry. (See netvu.org/playbook.) Moriyama says NetVU's members prioritized their pain points and this information was used as the foundation of the Playbook. "Passwords are crippling independent agents," he notes. "Each individual in an agency might have between 20 and 40 different IDs for carriers and third parties, and they expire at different times."
NetVU's Industry Relations committee relies on the Playbook for talking points when visiting with carriers. Early on, some of the carriers the committee visited took a wait-and-see attitude with respect to password management, Moriyama says. That's starting to change; they're coming to the IDFI meetings and bringing members of their technical teams. "It's neat to see how they've embraced it," he says. "But it took us going in front of their executive teams and managers and explaining the importance of making password management more efficient." He says carriers responded well to the message that federated identities would improve security, enhance ease of doing business, reduce their expenses, improve retention and new business opportunities.
As Applied's Johnston stated earlier all carriers need to participate. "We want to make sure everyone has a voice at the table," he says. "Carriers need to agree that the technology and the requirements set forth by IDFI satisfy their security needs.
"Additionally," he continues, "we all need to legally agree that we will indemnify one another. We don't anticipate that things are going to go wrong, but you have to imagine that at some point someone isn't going to be happy with something. So we will agree that this is a good technology, the authentication is solid, that we will participate openly, and indemnify one another."
Vertafore's Morrow says carriers can improve their bottom line by streamlining password management. "A high percentage of carrier support calls are password change issues," he points out. "Password failure rates go anywhere from five percent to twenty percent. That impacts quoting transactions. If an agency is unable to complete a quote request because of a timed-out password, the carrier may lose out on that opportunity. This is a big business issue for them." And with fewer passwords for carriers to manage, those help desk folks can be reassigned to positions that improve the bottom line.
The Independent Insurance Agents & Brokers of America's Agents Council for Technology (ACT) and the ACORD-User Group Information Exchange (AUGIE) recently concluded their joint planning sessions during which they identified four important industry priorities for 2013. Support of the ID Federation and movement toward digital identities to replace passwords is one of the four. According to a press release, ACT and AUGIE will be working together to "encourage proof of concepts . . . develop timelines to set industry expectations . . .and achieve actual implementations in 2013."
Johnston says vendors need to "start aligning the ID Federation into our software development roadmapping process so we can move it forward."
He says CSR24 will be included in upcoming implementation projects. "We want to make certain the identities that CSR24 is providing consumers coordinate with the ID Federation's standard for what is an ID and a valid password. We want to be able to 'federate' a consumer to an insurance company on behalf of the agency. A lot of the infrastructure to do this is already built, but as yet we don't recognize the identity of a consumer in the larger framework of the industry."
Bartosh encourages agency principals to look at the workflows that are in place in their agencies and streamline them. A good first step is to start using Transformation Station or TransactNOW to facilitate real time transactions. However, he notes, "half the overhead in a real time transaction is managing passwords. So if you think about the ID Federation eliminating that, we can focus on true data exchange—the transactions become smoother and work more efficiently.
"I continue to speak to agency principals about understanding their cost of doing business," he adds. "Most understand their revenues are shrinking on a per-account basis and their expenses continue to rise. They need to understand what each transaction actually costs them."
As for creating more interest on the part of carriers in the ID Federation, Bartosh says, "It's going to entail more than an e-mail invitation. Agents are going to have to make in-person visits or call our reps on the phone. We need to talk with them so they understand the whole picture."
Morrow and Johnston summarize:
"The ID Federation is an important but fairly simple concept. It replaces endless user names and passwords for each carrier-specific system with logging in to a vendor system (Vertafore, Applied Systems or other), getting a user set up once with a carrier and then managing that one ID and password," says Morrow.
"It doesn't mean that IDs and passwords will go away," notes Johnston. "They will be aligned in a much more efficient and effective manner. Every 60 days for instance an individual might need to update his or her password in the agency system. That function will satisfy the needs of all their insurance companies and other software products that also participate."
Morrow says, "The simple message is if we can get rid of user names and passwords in favor of setting up a producer or CSR once until the agency needs to deprovision them, things across the independent channel become much easier."
For more information:
ID Federation Inc.
Web site: idfederation.org