My opinion was sought recently on a proposal to implement two factor authentication in the form of a security token for our (a Life Insurance Company) customer portal. There are two considerations
1. Risk Exposure, and
2. Convenience and Ease of use
Risk Exposure depends on the information displayed and transactions facilitated on the portal. To a large extent these two elements determine the exposure to attacks by hackers or frauds. Of course, a hacker may attack a portal just to harm the credibility and reputation of an organization.
The whole idea behind having a customer portal is to offer convenience to the customers. Customers can operate at any time from any where as long as they are able to connect. But with security token, customers now not only have to carry additional hardware but also make sure not to loose the token. I am being forced to use such a token by an MNC bank operating in India and I am not particularly pleased about it as I have to carry the token with me wherever I go. No doubt, customers want secure transactions, but they certainly do not want onus for this to be passed on to them.
I do not think Life Insurance companies need to go for two factor authentication for customers. First, the risk exposure is not as high as banks offering online banking service. Second, active customer ratio accessing insurance portal is very low. Typically, Insurance customers access portal to pay renewal premium, to view fund details and to carry fund switch / fund redirection transactions. This information and transaction need brings life insurance customers to the portal as less as once or twice a month in case of highly active customers. So, any additional hurdle such as security token to access the portal will further dampen the active customer ratio.
What has been the experience of insurance customers in developed economies? As a service provider or as a customer of a life insurance company, have you come across a life insurers enforcing two factor authentication for their customer portals?