Aflac’s shift to passkeys brings big business benefits
At supplemental insurance provider Aflac, safeguarding information collected on behalf of employees and the customers and businesses they serve is a key tenet of the company’s culture, says Tim Callahan, global CISO.
“Cybercriminals are innovative, willing to take risks, and have no regard for regulations,” Callahan says. “Criminals see the supplier channels as a softer target, which have experienced an increase of attacks. We have a robust third-party security program, but we can’t control [its] environment.”
In addition, given the state of geopolitics, companies could become a corollary or ancillary target, Callahan says.
“While Aflac may not register as a company that nation states would directly target, we can still suffer the consequences of widespread attacks,” he says. “Similarly, supplier channels are being impacted by software supply chain issues, which could also have a collateral effect on our company.”
‘Quackcess Granted’: Ditching the password for passkeys
To harden its defenses and safeguard vital data, Aflac launched a multi-year path of maturation for its cybersecurity program, Callahan says, adding that partnerships have been key to the strategy.
“We have strengthened our strategic relationships with providers like Zscaler and CrowdStrike, enabling us to build a deeper connection in our relationship,” he says. “We have also created partnerships with companies like WWT that can serve our global needs in both the US and Japan.”
One of the most prominent efforts has been “Quackcess Granted,” an ongoing development of Aflac’s Consumer Identity and Access Management (CIAM) framework.
Initially, CIAM created a single, simple, secure authentication framework for customers, Callahan says. Aflac partnered with Transmit Security, a provider of identity and access management solutions, to deploy advanced authentication options. This lets it address a core challenge: customers engage with Aflac primarily around life events.
“When customers reach out to Aflac for help in their time of need, they don’t always remember their credentials and tend to get diverted into solving a password problem,” Callahan says.
In response, Aflac offered a solution, called Passkey, which gives customers a standard passwordless login experience on their devices, using a secure capability based on open standards. Passwords remain in place for users who are not ready to move to Passkey, or as an alternate path if needed.
“Aflac is one of the first major insurance companies to bring this capability to market,” Callahan says. “Passkey is being adopted by leading companies such as Amazon, PayPal, Home Depot,” and others.
Passkeys purportedly offer the means for a more secure, user-friendly authentication process, being strong, phishing-resistant, and device-bound, as well as eliminating the need for passwords.
Since launching in a limited release in November 2023, and a full release in May 2024, Aflac has seen tangible business results. For example, Passkey’s adoption rate has surpassed initial targets, at 32% compared with an estimated 10%. To date, about 26,500 Aflac policyholders have opted to enroll in Passkey, highlighting the value and appeal of the technology to Aflac customers, the company notes.
For its work on Passkey, Aflac has earned a 2024 CSO Award, honoring security projects that demonstrate outstanding thought leadership and business value.
With Passkey, Aflac has seen a notable reduction in support calls related to password resets and login issues — one of the primary objectives of the project. This not only alleviates strain on customer support resources, but also signifies improved user proficiency and satisfaction, as there have been no reports of customers requiring technical assistance with Passkey.
There’s also been an improvement in login success rates for Aflac policyholders. By eliminating passwords, Passkey has streamlined the login process, reducing login failures caused by forgotten passwords. As a result of Passkey, Aflac has seen an 11% reduction in errors at login.
Furthermore, Passkey has contributed to increased operational efficiency within Aflac’s digital ecosystem. With fewer support calls and login errors, customer support teams can focus on higher-value activities, improving overall productivity and efficiency across the organization.
Passkey’s implementation has also helped bolster cybersecurity at Aflac, mitigating the risks of data breaches, password-related vulnerabilities, and unauthorized access.
“Aflac will continue to drive adoption [of Passkey] through targeted customer communications and deeper integration based on data analytics,” Callahan says. “We also anticipate high customer adoption as the solution becomes more ubiquitous in the industry.”
Quackcess Granted and Passkey have received widespread support, as Aflac strives to make authorization and authentication more secure and easier for customers.
“There are only so many ways to improve the password experience or make traditional multifactor authentication better for our customers,” says Virgil Pool, senior consumer authentication lead for Aflac Global Security. “We’ve taken a more significant step forward by partnering with Transmit Security to deliver Passkey. As a result, we’re achieving our goal of making it easier for our customers to get help in their time of need.”
Cybersecurity culture pays off
As part of its security strategy, Aflac prioritizes its relationships with technology and business partners and has been “very intentional” about explaining the need for security to partners, employees, and customers.
“Our employees and partners are cyber-mindful and have been supportive of our objectives, due to our laser-focus approach in communicating not only the technical change, but the reason behind the change,” Callahan says.
The company has a large and complex technology footprint, and is vigilant about its deployment of IT and security tools, working to ensure there is plenty of time for testing and implementing in smaller, incremental steps, he says.
“For instance, when we implemented zero trust, we started small; [we] tackled a customized approach, one department at a time, building by building,” Callahan says. “As we implemented, we reviewed any adjustments before we went further. This methodology has helped us avoid mistakes and pitfalls that could impact our business.”
The increasing speed and sophistication of threats require higher levels of security resiliency to maintain the company’s enterprise risk tolerance, Callahan says. Aflac remains committed to “pushing the boundaries of cybersecurity,” he says. It does this by placing great importance on information security to protect against threats both external and internal.
“Our approach is deeply rooted in our culture,” Callahan says. “From the boardroom to the break room, we have a longstanding commitment of doing things the right way.”
The key to obtaining business buy-in for any cybersecurity initiatives is to include business partners and leaders in the decision-making process, Callahan says. “They, in turn, will understand the need and be able to provide feedback and support on how to go about it.”
Aflac includes senior business partners in its governance committee, called the Security Oversight Committee. Through this forum, executives can inform the security team about the business impact of policies, standards, and decisions. “We live in a world of no surprises, because they are included in the process,” Callahan says.
“Aflac’s goal is to improve security posture and reduce impact of a cyberattack, while providing a seamless user experience,” Callahan says. “The success of Passkey has proven to be a better user experience while providing better security.”