Multifactor authentication (MFA) is going to happen in the insurance industry. The question is whether it will be easy or painful for carriers and their agency partners. The good news is that, with a little planning and measuring, carriers can avoid the pitfalls and potholes, making the journey to better security quite smooth.
Key performance indicators are central to MFA implementation success. Before The Hartford rolled out MFA, we developed success criteria, such as the ideal number of logins done with MFA and the acceptable number of help desk calls. Our first step, which is absolutely crucial for all carriers, was to create a change management board with a lead who owned the enterprise-wide project.
The board had representatives from every department across our organization, and those reps were responsible for two primary things: passing information up to the board from underwriters and others who interfaced most directly with agents, CSRs and the like, and passing information back down to those same people about the progress of the MFA implementation. The latter consisted partly of metrics (our key performance indicators), which were provided each week on a slide that showed how we were doing.
A typical slide would depict graphically (and digestibly) how many users we brought on that week, how many help desk calls were received about MFA, how many devices were logging in, how many “forgot ID/password” requests came in, and whether logins by sector/business line were stable or outside the expected window, either up or down, to name a few of the metrics we applied.
With these key performance indicators, our change management team was able to identify any pockets of problems that could affect agency access to our systems and to reach out immediately to offer aid.
Note that getting that baseline measurement is important. That doesn’t happen over a two-week period. You have to take these metrics seriously and establish norms over a period of months, since there are holidays and other cyclical issues that can affect each metric.
Patience and preparation pay off
At The Hartford, we took a phased approach to ease into MFA implementation with our agency partners. We started by letting them know this was coming, working with them to get rid of shared IDs (which can’t be used with MFA) and sending alerts to system users each time they signed in, counting down to their go-live day. We also sent out targeted emails with the rollout schedule, so users were well aware of their specific implementation date.
Agency principals and system users appreciated our phased approach. It allowed agencies to make adjustments as needed, to talk to their favorite people at our organization about any concerns and generally to get in the mindset of a different process. Our agency partners were well prepared when the rollout occurred, and our KPIs revealed that implementation was very smooth. In fact, most hiccups were handled in the prep phase, and when the rollout arrived, it went ahead without issue.
We also phased the rollout of MFA across our user base. We needed to bring about 90,000 users into the process, but we didn’t think it was manageable to bring them all on at once. We opted instead to bring them on in smaller bundles over 10 weeks, based on a number of factors that were specific to our needs and theirs. This phased approach will be different for every carrier, but phasing implementation is my recommendation. When we brought on the initial set of users, we monitored how it went, then continued adding more, while keeping our eyes on those KPIs.
We determined what variances in each of our metrics would be acceptable as we brought on bulkier groups. A big uptick in any of them would call for a quick halt and a review of the problem.
Optimally, MFA will be done by the agency’s identity provider through their agency management system. ID Federation is working with agency management system providers to make this happen. This would standardize things across carriers and agencies: one ID, one password, one MFA when agencies go into their systems. That makes it streamlined and seamless.
This is what makes a SignOn Once solution so attractive. It’s in the works, so let’s see if we can get there—soon.