The journey to passwordless at Zurich Insurance

Insurer is using adaptive multifactor authentication with the eventual aim of ditching passwords altogether

Security, usability and identity are three interconnecting pieces of the digital transformation puzzle that no organisation can afford to ignore. The requirement for system security needs no further explanation, but even the most secure system will be undermined if it puts cumbersome barriers in the way of its users. People will always find a way to sidestep clunky or inconvenient gatekeepers, risky behaviour being rewarded by quicker access.

Simplicity is another watchword. It is easy to see how controlling access to certain resources in a large organisation could become unworkably complicated, with more and more layers being added over time. It's a balancing act that exercises the mind of Mark Cameron, lead IT architect at Zurich UK, part of the global Zurich Insurance Group.

Like many large organisations, Zurich is responding to disruptive pressures by undergoing a digital transformation, streamlining and automating business processes, ditching paper in favour of computerised records, and looking for new and innovative ways to appeal to the 'customer', be that a buyer of insurance, a broker or an internal employee.

"It's customer-centricity, simplicity and innovation," Cameron explained. "But we're a 150-year-old Swiss financial services organisation, so innovation always from a safety-first point of view. No-one is more risk-averse than us."

To bridge this gap, Zurich increasingly partners with fintech startups and other suppliers specialised in their particular digital niches.


An older demographic

Zurich is a federated organisation, but overall business strategy, and the IT strategy that supports it, are formulated on a company-wide basis. So what's required is a universal selection of applications and portals that is nevertheless flexible enough to meet the individual needs of the various types of customer, wherever in the world they happen to be. The task is complicated by the typical demographic of insurance buyers, who are generally older, less tech-savvy and unlikely to welcome what they might see as 'change for change's sake'.

"We've got customers in their 60s, 70s and 80s and they've got products that have run for many years on old legacy systems. We've decided we don't necessarily want to change them, we don't want to trouble the customer," Cameron said.

So rather than go all-out for a unified 360-degree customer view with flashy apps, which would doubtless alienate many loyal customers, the existing portals for the various types of insurance have been left in place, with a single sign-on dashboard acting as the entry point to the different sites. Now one set of login credentials provides access to them all, rather than the customer having to remember a separate one for each. Zurich has adopted Okta's identity and access management (IAM) tools to manage access to the various portals, white-labelled and branded with Zurich's colours and logo.

"The idea is that Okta forms a window on that. So we keep those portals there, but we put an Okta presence on top of it. So, you actually have one place to go, you have an opt-in dashboard," Cameron explained.

Brokers and IFAs

Independent financial advisers (IFAs) and brokers are another core customer group. Unlike retail customers, they log in to Zurich sites frequently. They tend to use single sign-on (SSO) services such as Origo Unipass which allow them access to multiple insurers' sites with a single set of credentials, and so it's vital that Zurich's gateway supports a wide range of authentication protocols.

"Some of them are using OpenID, some use SAML and there are various others. [The IFAs] are driving those protocols so it's important we have the ability and the flexibility to support them," Cameron said. Again, the insurer uses Okta to form a gateway between Zurich's sites and the systems used by advisers and brokers.

Currently, there is a multi-step authentication system in place for the SSO, although Cameron's team plans to introduce adaptive multifactor authentication (adaptive MFA) sometime soon. With MFA, users must provide at least two independent 'factors' to gain access to a system, drawn from something you know (e.g. a PIN or password), something you have (such as a smartphone with an authenticator app) and something you are (fingerprint, voice, retina scan). Adaptive MFA removes most of the UX friction by prompting for an additional factor only when it detects something out of the ordinary about the attempt, such as an unfamiliar device or location.

Employees

Then there are Zurich's 50,000 employees. For these customers, MFA is already in place.

"If you're on the Zurich network, with your allocated IP address on your Zurich allocated machine, it knows who you are, it's got that factor, it knows it's safe for trust. As soon as you go outside of the Zurich domain, not just on the Zurich machine but also on your own device, you're able to manage your expenses or go on to our benefit system to sign up to the cycle to work scheme on a Sunday morning over your cup of coffee. You can do it from your mobile at home. And we roll out the Okta Verify application to everybody."

Verify works by authenticating the machine using its MAC address and other unique hardware features, as well as checking the IP address at the time of an attempted login. If all is well, it sends a one-time password by email to allow employees to log in to corporate services.
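The adaptive decision the two passages above describe (no extra prompt when network, device and location all look normal, a second factor when something is unusual) is not shown in the article. The following is an added Python illustration of that policy logic written for this page; it is not Okta's, Verify's or Zurich's code. The corporate address ranges, device identifiers, country codes and the rule that two simultaneous anomalies are refused rather than stepped up are all constructed assumptions.

```python
"""Adaptive MFA policy evaluation, a constructed illustration (not Okta's or Zurich's logic).

Signals mirror the article: a trusted corporate network / allocated IP, a device the
identity platform already knows (enrolled through an authenticator app), and the
IP geolocation of the attempt. The decision is the UX lever of adaptive MFA: a
clean context gets no extra prompt, an anomalous one is asked for a second factor.
"""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Set, Tuple

# Assumed corporate address ranges; a real deployment would load these from configuration.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]


@dataclass
class UserHistory:
    """What the identity platform already knows about this user (constructed fields)."""
    known_devices: Set[str]      # device identifiers enrolled through the authenticator app
    usual_countries: Set[str]    # countries seen in the user's recent successful logins


@dataclass
class LoginContext:
    """One authentication attempt as seen by the policy engine."""
    user: str
    device_id: Optional[str]     # None when the client sent no device identifier
    ip: str
    country: str                 # result of IP geolocation, e.g. "GB"


def risk_signals(ctx: LoginContext, history: UserHistory) -> List[str]:
    """Return the anomalies found in this attempt; an empty list means nothing unusual."""
    signals: List[str] = []
    try:
        addr = ipaddress.ip_address(ctx.ip)
        if not any(addr in net for net in TRUSTED_NETWORKS):
            signals.append("off_network")
    except ValueError:
        # A client address we cannot parse is itself a risk signal, not something to ignore.
        signals.append("unparseable_ip")
    if ctx.device_id is None or ctx.device_id not in history.known_devices:
        signals.append("unknown_device")
    if ctx.country not in history.usual_countries:
        signals.append("unusual_location")
    return signals


def decide(ctx: LoginContext, history: UserHistory) -> Tuple[str, List[str]]:
    """Map signals to an action: 'allow' (no prompt), 'step_up' (ask for a second factor), 'deny'."""
    signals = risk_signals(ctx, history)
    if "unknown_device" in signals and "unusual_location" in signals:
        # Two independent anomalies at once (assumed rule): refuse and let the user
        # enrol the new device through a channel the platform already trusts.
        return "deny", signals
    if signals:
        return "step_up", signals
    return "allow", signals


def audit_record(ctx: LoginContext, decision: str, signals: List[str]) -> str:
    """One-line audit entry so a SOC analyst can see why a prompt or denial happened."""
    return (f"user={ctx.user} ip={ctx.ip} country={ctx.country} "
            f"decision={decision} signals={','.join(signals) or '-'}")


if __name__ == "__main__":
    hist = UserHistory(known_devices={"laptop-7f3a"}, usual_countries={"GB"})
    attempts = [
        LoginContext("alice", "laptop-7f3a", "10.20.30.40", "GB"),   # in the office, on the corporate network
        LoginContext("alice", "laptop-7f3a", "203.0.113.9", "GB"),   # same laptop, at home on a Sunday
        LoginContext("alice", None, "198.51.100.7", "GB"),           # personal phone that sent no device id
        LoginContext("alice", "unknown-9c1d", "192.0.2.55", "XX"),   # new device from an unusual country
    ]
    for attempt in attempts:
        decision, signals = decide(attempt, hist)
        print(audit_record(attempt, decision, signals))
```

The on-network, known-device attempt passes silently; the same laptop from a home address is prompted once for the second factor; a device with no identifier from an unusual country is refused. Keeping the signal list in the audit line, rather than only the final verdict, is what lets a detection team later tell a legitimate Sunday-morning login from a credential-stuffing attempt that happened to be stepped up.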

Asked about possible privacy concerns, Cameron insisted that MAC addresses are not tracked.

"Clearly we wouldn't do that," he said. "We geolocate the device by IP address, but that's public anyway."

Ultimately the aim is to become completely password-free. Passwords are notorious as the weakest link in the security chain and particularly vulnerable as organisations go mobile and digital. Adaptive MFA is a step towards this goal, Cameron said.

"It's a move towards passwordless," he said. "Things like the Verify app negate the need for you to remember a password."