Two-factor authentication mandatory
From August 2015, the National Health Insurers measure UM09 is mandatory for logging in to the client portals of insurance companies. This measure should secure the personal data that clients have stored at online insurance websites and Internet applications.
Turien & Co., founded in 1921, is one of the oldest and largest insurance brokers in the Netherlands. Turien & Co. offers a wide variety of insurance products for healthcare, damages and income to private individuals. The company from Alkmaar has long-lasting relationships with renowned insurance companies like Zurich, Hiscox, Europeesche, DAS, Avéro Achmea, VGZ, de Goudse and, since recently, Nationale Nederlanden. Turien & Co. has 456 employees.
Six months before measure UM09 took effect, Turien & Co. started a project team to implement its guidelines efficiently. The measure demands stronger security for Internet applications, for example through two-factor authentication. The stronger authentication takes place before the user reaches the private data in the application.
Build it ourselves?
“The first issue we wanted to tackle was whether we were going to build this ourselves or outsource it”, explains Nanno de Groot, e-commerce project leader at Turien & Co. “Furthermore, we wanted to answer the question of which authentication method we could use best: hard or soft tokens. Personal data privacy is most important, but we wanted to look at the expenses as well.”
No more random readers
The team decided to build the verification solution themselves, after which they plotted the layout of their security solution. “Logging in with DigiD from the government is a pretty complex operation for small or medium-sized companies, like ours”, says De Groot. “The technique behind it, though, is rather interesting. It is based on SMS verification.” De Groot decided Turien & Co. would provide their portal with that very same verification method. “A single SMS costs just a few cents. Compared to buying random readers for every client or customer, SMS authentication is much more efficient.”
API call prompts SMS password
Jochum Pasteuning, marketing/e-commerce team leader, knew mobile services provider CM from an earlier project. “Their SMS Services met our demands very well”, he says. CM and Turien & Co. together developed a verification solution that prompts an SMS one-time password when a client logs in with their conventional credentials. The SMS password can only be used once and for a limited time. After the credentials are entered, the application at Turien & Co. makes an API call, after which CM sends an SMS or Voice password in just seconds.
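The server side of the flow described above (credentials first, then a code that works once and for a limited time), as an added example; it is not Turien & Co.'s or CM's code. The send_sms callback is a hypothetical stand-in for the provider's API call, and the 5-minute validity and 3-guess limit are assumptions, since the page gives no figures.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window; the page only says "limited time"
MAX_ATTEMPTS = 3       # assumed guess limit; not stated on the page


class OtpStore:
    """Pending one-time passwords, keyed by the half-authenticated login session."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # hypothetical callback: send_sms(phone_number, text)
        self._clock = clock
        self._pending = {}         # session_id -> [salt, digest, expires_at, attempts_left]

    def issue(self, session_id, phone_number):
        """Call only after the username/password check passed; replaces any older code."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, six digits
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()  # the code itself is not stored
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[session_id] = [salt, digest, expires_at, MAX_ATTEMPTS]
        self._send_sms(phone_number, f"Your login code is {code}")

    def verify(self, session_id, submitted):
        """True exactly once, for the right code, inside the validity window."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[session_id]  # expired or guessed out: force a new login
            return False
        candidate = hashlib.sha256(salt + submitted.encode()).digest()
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            del self._pending[session_id]  # single use: a replayed code finds nothing
            return True
        entry[3] -= 1                      # count the failed guess
        return False


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the SMS gateway
    store = OtpStore(lambda number, text: outbox.append((number, text)))
    store.issue("session-1", "+31600000000")  # constructed phone number
    code = outbox[-1][1].split()[-1]
    print(store.verify("session-1", code), store.verify("session-1", code))
```

Keying the pending code to the session that passed the password check, rather than to the phone number, keeps a code issued for one login from being accepted in another.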
Trial by fire
“CM’s Global priority Gateway delivers the passwords within seconds on the devices”, De Groot states. “The system works remarkably well and fast. The real trial by fire takes place in November, when people can make their yearly change of insurance companies.”