---
url: 'https://www.corbado.com/blog/insurance-customer-portal-passkeys'
title: 'Insurance Customer Portal Passkeys Guide'
description: 'Insurance customer portal passkeys: reduce ATO, cut OTP cost and modernize policyholder MFA in regulated insurers with legacy CIAM.'
lang: 'en'
author: 'Vincent Delitz'
date: '2026-04-13T11:37:32.448Z'
lastModified: '2026-05-20T13:53:51.286Z'
keywords: 'passkeys insurance customer portal, insurance customer login fraud reduction, account takeover insurance portal, policyholder login security MFA, insurance customer portal MFA modernization, passkeys insurance policyholder'
category: 'Passkeys Strategy'
---

# Insurance Customer Portal Passkeys Guide

## Key Facts

- **Account takeover losses** in insurance are accelerating: NYDFS fined eight auto
  insurers a combined **USD 19 million in October 2025** for failing to enforce MFA on
  public-facing quoting systems, enabling credential-stuffing attacks on driver data.
- **SMS OTP costs** at insurer scale reach **USD 0.01-0.05 per message**; a carrier with 5
  million policyholders logging in twice monthly spends **USD 1.2-6 million per year** on
  OTP delivery alone, before accounting for delivery failures and support calls.
- **Password resets and MFA support calls** account for an estimated **20-40% of insurance
  call-center volume**, with each call costing **USD 5-25** depending on agent time and
  identity verification steps.
- **Aflac's passkey deployment** achieved **500,000 enrollments** with a **96% login
  success rate**; Branch Insurance saw agent **support tickets drop by approximately 50%**
  after rollout.
- **FIDO data** shows passkeys increase login conversion by **30 percentage points**;
  HealthEquity went further, making passkeys **mandatory for all users** in fall 2025 with
  no opt-out.

## 1. Introduction

[Insurance](https://www.corbado.com/passkeys-for-insurance) customer portals are under pressure from multiple
directions at once. Account takeover risk is rising, SMS OTP is expensive at scale, call
centers absorb the fallout from password and MFA failures and regulators increasingly
expect [phishing](https://www.corbado.com/glossary/phishing)-resistant MFA. That combination makes
[insurance](https://www.corbado.com/passkeys-for-insurance) one of the clearest customer authentication use cases
for passkeys.

**This article covers:**

1. **Why insurance portals are a strong passkey use case:** ATO risk, expensive OTP flows,
   delayed fraud detection and growing regulatory pressure.
2. **How passkeys compare to legacy authentication methods:** SMS OTP, email OTP, TOTP and
   device trust across security, UX, compliance and cost.
3. **What makes insurer rollouts different:** Legacy CIAM, multi-brand portal architecture,
   agent vs. policyholder flows and regional regulation.
4. **How insurers can roll out passkeys with a practical operating model:** What to
   measure, how to use the maturity model and how to move from OTP-heavy logins to
   [phishing](https://www.corbado.com/glossary/phishing)-resistant MFA.
5. **How passkeys drive digital adoption and self-service migration:** The strategic case
   for C-level and VP-level leaders: channel shift, call-center deflection and connecting
   [authentication observability](https://www.corbado.com/blog/authentication-observability) to business
   outcomes.

## 2. Why are insurance customer portals a prime target for account takeover?

Insurance customer portals hold some of the most sensitive personal data out there while
often relying on weak login security. That makes them a natural target for
credential-based attacks. Policyholder accounts contain Social Security numbers,
[banking](https://www.corbado.com/passkeys-for-banking) details, health records and claims history. All of this
can be monetized through identity theft or fraudulent claims.

Unlike [banking](https://www.corbado.com/passkeys-for-banking) portals where transaction monitoring catches fraud
in real time, insurance fraud often takes weeks or months to surface. An attacker who
gains access to a policyholder account can change beneficiaries, file fraudulent claims,
or exfiltrate personal data long before the insurer detects the compromise.

**The scale of the problem:**

- **Credential stuffing at the front door:** NYDFS fined eight auto insurers a combined
  USD 19 million in October 2025 specifically because they failed to enforce MFA on
  public-facing quoting systems. Attackers used
  [credential stuffing](https://www.corbado.com/glossary/credential-stuffing) to access sensitive driver data en
  masse.
- **SMS OTP is expensive and fragile:** At insurer scale (millions of policyholders), SMS
  OTP delivery costs compound quickly. A carrier sending 10 million OTPs per month at USD
  0.03 per message spends USD 3.6 million annually, and that assumes 100% delivery. In
  practice, carrier filtering, number porting and international roaming cause 5-15% of
  OTPs to never arrive, each failed delivery potentially generating a support call.
- **Call-center load from password resets:** Insurance call centers already handle complex
  claims and policy inquiries. Adding
  [password resets](https://www.corbado.com/faq/passkeys-reduce-password-resets-otp-costs) and MFA
  troubleshooting to this mix diverts agent time from revenue-generating activities.
  Industry estimates place authentication-related calls at 20-40% of total call-center
  volume for consumer [financial services](https://www.corbado.com/passkeys-for-banking).
- **Regulatory pressure is tightening:** Beyond NYDFS, the
  [FTC Safeguards Rule](https://www.corbado.com/blog/ftc-safeguards-rule-mfa-compliance) has mandated MFA for
  non-bank financial institutions since June 2023, and the NAIC Insurance Data Security
  Model Law (adopted in 25+ states) requires risk-based MFA for all licensees.

High-value data, delayed fraud detection, rising OTP costs and tightening regulation all
point in the same direction: insurance portals urgently need
[phishing](https://www.corbado.com/glossary/phishing)-resistant authentication.

> - Insurance portals are high-value ATO targets because fraud takes weeks to surface,
>   unlike banking where transaction monitoring catches abuse in real time.
> - NYDFS fined eight auto insurers USD 19 million in October 2025 for missing MFA on
>   public-facing systems; penalties scale to USD 75,000 per day.
> - SMS OTP at insurer scale costs USD 1.2-6 million per year before support overhead; 5-15%
>   of messages never arrive.
> - Aflac, Branch Insurance and HealthEquity have already deployed passkeys with measurable
>   results: 96% login success, ~50% fewer support tickets and mandatory enrollment with no
>   opt-out.

## 3. How do passkeys compare to SMS OTP, email OTP, TOTP and device trust for insurance portals?

Picking the right authentication method means weighing security, user experience,
recovery, rollout complexity, support burden, compliance posture and cost at scale. The
table below breaks down how each option stacks up.

| Method                        | Security                                                                                                                            | UX                                                                                                                                  | Recovery                                                                                                                                  | Rollout Complexity                                                                                                | Support Burden                                                                                      | Compliance                                                                                                                                                                        | Cost at Scale                                                                                                            |
| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| **SMS OTP**                   | Low: vulnerable to SIM-swapping, SS7 interception and phishing relay attacks. NYDFS explicitly flags SMS as weak MFA.               | Medium: familiar but slow (wait for message, switch apps, type code). 5-15% delivery failure rate at scale.                         | Easy: tied to phone number, but number porting creates recovery gaps.                                                                     | Low: most CIAM platforms support SMS OTP out of the box.                                                          | High: delivery failures, expired codes and international roaming generate heavy call-center volume. | Minimal: satisfies basic MFA checklists but NYDFS and CISA recommend phishing-resistant alternatives.                                                                             | High: USD 0.01-0.05 per message. At 10M OTPs/month: USD 1.2-6M/year before support costs.                                |
| **Email OTP**                 | Low: email accounts are frequently compromised; OTP codes are phishable and replayable.                                             | Low: slow delivery (seconds to minutes), context-switching between apps, codes expire.                                              | Easy: tied to email, but email compromise cascades to all linked accounts.                                                                | Low: trivial to implement via SMTP.                                                                               | High: spam filters, delayed delivery and expired codes drive support tickets.                       | Weak: does not meet phishing-resistant MFA standards under NYDFS or FTC guidance.                                                                                                 | Low: near-zero marginal cost per message, but high indirect support cost.                                                |
| **TOTP (Authenticator App)**  | Medium: eliminates SIM-swapping risk but codes remain phishable via real-time relay attacks.                                        | Medium: requires app install, manual code entry and time synchronization. Friction for non-technical policyholders.                 | Hard: if device is lost without backup codes, account recovery requires manual identity proofing.                                         | Medium: requires user education and app installation; adoption typically under 20% without mandating.             | Medium: fewer delivery issues than SMS, but lost-device recovery and setup errors persist.          | Moderate: meets basic MFA requirements but not phishing-resistant per NYDFS/CISA standards.                                                                                       | Low: no per-authentication cost, but app support and recovery overhead add indirect costs.                               |
| **Device Trust**              | Medium: reduces friction on recognized devices but provides no phishing resistance; cookie/fingerprint can be replayed.             | High: invisible to users on trusted devices; seamless repeat logins.                                                                | Medium: device loss or browser changes reset trust, requiring re-verification.                                                            | Medium: requires device fingerprinting infrastructure and trust decay policies.                                   | Low: few user-facing prompts on trusted devices, but trust resets generate confusion.               | Insufficient alone: does not qualify as MFA under any major framework without a second factor.                                                                                    | Low: infrastructure cost only; no per-authentication fees.                                                               |
| **Passkeys (FIDO2/WebAuthn)** | **High**: cryptographic, domain-bound, phishing-resistant by design. Immune to credential stuffing, SIM-swapping and relay attacks. | **High**: biometric or PIN confirmation in under 2 seconds. No code entry, no app switching. Aflac achieved 96% login success rate. | Medium: tied to platform ecosystem (iCloud Keychain, Google Password Manager). Ecosystem lockout requires identity proofing for recovery. | Medium-High: requires WebAuthn server, rpID strategy, enrollment flows, fallback logic and client-side telemetry. | **Low**: Branch Insurance saw support tickets drop ~50% after passkey deployment.                   | **Strong**: meets phishing-resistant MFA requirements under NYDFS Part 500, FTC Safeguards Rule and NAIC Model Law. NIST SP 800-63B recognizes synced passkeys as AAL2-compliant. | **Low**: zero per-authentication cost. ROI realized through SMS elimination, fraud reduction and call-center deflection. |

**Bottom line:** Passkeys are the only option that scores highest across security, UX,
support burden, compliance and cost at scale. The trade-off is rollout complexity, but
that is a one-time investment that pays for itself as adoption grows.

## 4. What makes passkey rollout different for insurers?

Deploying passkeys in [insurance](https://www.corbado.com/passkeys-for-insurance) is not the same as deploying
them in [banking](https://www.corbado.com/passkeys-for-banking) or SaaS. Insurers deal with legacy
infrastructure, multi-brand complexity, divergent user populations and layered regulatory
requirements that shape every implementation decision.

### 4.1 Legacy CIAM platforms

Most large insurers run their consumer identity on enterprise CIAM platforms like Ping
Identity, ForgeRock or Okta. These platforms now support [FIDO2](https://www.corbado.com/glossary/fido2)/WebAuthn
at the protocol level, but that support only covers the backend ceremony. The adoption
layer (enrollment nudges, device-aware prompts, error handling and client-side telemetry)
is either missing or requires significant custom development.

This creates the same "1% trap" seen in
[banking deployments](https://www.corbado.com/blog/passkey-deployment-mistakes-banks): the IdP checkbox is
ticked, but adoption stagnates because no one built the product journey that moves
policyholders from password to passkey.

### 4.2 Multi-brand portals and rpID strategy

A typical large insurer operates auto, home, life and specialty products, often on
separate subdomains or even separate domains acquired through M&A. Passkeys are
origin-bound: a credential created on `auto.insurer.com` will not work on
`life.insurer.com` unless both share the same [Relying Party](https://www.corbado.com/glossary/relying-party) ID
(rpID).

**The fix:**

- Define a single rpID anchored to the parent domain (e.g. `insurergroup.com`) before any
  passkey work begins.
- Route all authentication through a centralized [SSO](https://www.corbado.com/blog/passkeys-single-sign-on-sso)
  layer (OIDC/SAML) that uses this shared rpID.
- If legacy domains cannot be consolidated immediately, use
  [Related Origins](https://www.corbado.com/blog/webauthn-related-origins-cross-domain-passkeys) to bridge the
  gap without forcing re-enrollment.

### 4.3 Agent vs. policyholder flows

Insurance has two very different user populations hitting the same backend systems:

| Dimension       | Policyholders                                               | Agents / Brokers                                                      |
| --------------- | ----------------------------------------------------------- | --------------------------------------------------------------------- |
| Login frequency | Low (monthly bill pay, annual renewal, claims)              | High (daily quoting, policy management, commission checks)            |
| Device profile  | Personal smartphones and tablets; wide OS/browser diversity | Shared agency workstations, corporate laptops, often behind firewalls |
| Trust level     | Low initial trust; must be built through enrollment         | Higher baseline trust; often pre-vetted through agency onboarding     |
| Sensitivity     | Full PII access (SSN, banking, health records)              | Broad PII access across multiple policyholders                        |
| Fallback needs  | Must never be locked out of claims or payments              | Must never be locked out of quoting or policy binding                 |

Branch Insurance showed how this works in practice: they started with agents (higher
frequency, more controlled environment) and hit 25% initial adoption before expanding to
policyholders. Going agents-first built internal confidence and surfaced device-specific
issues early on.

### 4.4 Regional compliance landscape

Insurance authentication is not just a US regulatory issue. The exact rules differ by
market, but the direction is consistent: stronger identity controls, broader MFA coverage
and more scrutiny of customer-facing digital channels.

- **US:** [NYDFS Part 500](https://www.corbado.com/blog/nydfs-part-500-mfa-requirements-2025) mandates universal
  MFA by November 2025 for covered entities, including insurers licensed in New York.
  NYDFS explicitly flags SMS OTPs as weak and recommends phishing-resistant alternatives.
  The NAIC Insurance Data Security Model Law pushes risk-based MFA across 25+ states,
  while the [FTC Safeguards Rule](https://www.corbado.com/blog/ftc-safeguards-rule-mfa-compliance) requires MFA
  for certain non-bank financial institutions and intermediaries.
- **EU:** [DORA](https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en)
  entered into application on 17 January 2025 and applies to insurance companies across
  the EU. DORA is broader than an MFA rule, but it raises the bar on ICT risk management,
  incident reporting, resilience testing and third-party oversight for customer-facing
  systems.
- **Australia:** [APRA CPS 234](https://handbook.apra.gov.au/standard/cps-234) requires
  information security controls commensurate with risk across insurers and other
  APRA-regulated entities. APRA's 2023
  [MFA guidance](https://www.apra.gov.au/use-of-multi-factor-authentication-mfa)
  specifically calls out strengthened authentication for privileged access, remote access
  and high-risk activities, and notes that material MFA gaps affecting policyholders can
  amount to a reportable security weakness.
- **Canada:**
  [OSFI Guideline B-13](https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/technology-cyber-risk-management)
  applies to federally regulated financial institutions, including insurers. OSFI says
  firms should implement risk-based identity and access controls, including MFA across
  external-facing channels and privileged accounts.

For multi-region insurers, the practical implication is simple: design customer
authentication to satisfy the strictest applicable regime. The common direction is toward
risk-based and increasingly phishing-resistant MFA, not continued dependence on SMS OTP.

## 5. What should insurers measure before and after launching passkeys?

Launching passkeys without client-side telemetry is like writing an insurance policy
without underwriting data. You will not know what is failing, where or for whom until your
call center is overwhelmed. The
["blind rollout" mistake](https://www.corbado.com/blog/passkey-deployment-mistakes-banks#33-mistake-3-blind-rollout-no-client-side-telemetry)
from banking deployments applies just as much here, especially given the diverse
policyholder demographics insurers deal with.

At a minimum, insurers should measure three business-facing outcomes:

- **Login success rate:** Are policyholders and agents completing sign-in more reliably
  after passkeys launch?
- **Enrollment rate:** Are users actually creating passkeys, or is adoption stalling after
  the first prompt?
- **Fallback and support volume:** Are users dropping back to SMS or
  [password recovery](https://www.corbado.com/blog/password-reset-increase-customer-retention), and are
  authentication-related support tickets going down?

If those three numbers move in the right direction, the rollout is working. If they do
not, you need to adjust prompt timing, fallback design, device coverage or user education
before scaling further.

### 5.1 Claims and account-change journeys matter more than generic logins

Insurance portals are not just "log in and check balance" experiences. The highest-risk
moments often happen when a policyholder files a claim, changes payout details, updates an
address, adds a driver, changes a beneficiary or accesses sensitive documents. Those
journeys should not be lumped into one generic login KPI.

Insurers should therefore track passkey performance separately for high-risk account
events. If login success looks strong overall but claim-related or payout-related journeys
still fall back to SMS or manual recovery, the rollout is not actually reducing
operational risk where it matters most. This is one of the biggest differences between
insurance and more frequently used consumer apps.

### 5.2 Low-frequency logins change the adoption playbook

Many policyholders log in only a few times per year: at renewal, after a billing issue or
when filing a claim. That makes [passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case)
in insurance fundamentally different from daily-use products. You have fewer opportunities
to prompt, educate and recover from a bad first experience.

That is why insurers should measure enrollment by journey, not just in aggregate. A prompt
shown after a successful [payment](https://www.corbado.com/passkeys-for-payment) or claim-status check may
convert far better than a cold prompt on the first login screen months after the last
session. In insurance, the best adoption moments are usually tied to trust and task
completion, not login frequency.

## 6. What is the Insurance Authentication Maturity Model?

This four-level framework gives insurers a way to benchmark where they stand today on
authentication, set target milestones and communicate progress to boards, regulators and
auditors. Each level builds on the previous one.

| Level | Name                                   | Auth Method                                                                                  | Phishing Resistance                                                                                            | Compliance Posture                                                                                    | Support Burden                                                                                     | Cost Profile                                                                          | Visibility                                                                                                         |
| ----- | -------------------------------------- | -------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| **1** | **SMS-Only**                           | Password + SMS OTP as sole second factor                                                     | None: SMS is interceptable via SIM-swap, SS7 and phishing relay                                                | Fails NYDFS phishing-resistant guidance; minimal FTC compliance; NAIC risk-based gap                  | High: OTP delivery failures, expired codes and password resets drive 20-40% of call-center volume  | High: USD 0.01-0.05 per OTP at scale plus support costs                               | Minimal: server-side HTTP logs only; no client-side ceremony data                                                  |
| **2** | **MFA-Enabled**                        | Password + SMS/TOTP/push as second factor                                                    | Low: TOTP and push are phishable via real-time relay; push is vulnerable to fatigue attacks                    | Meets basic MFA checkbox for FTC and NAIC; does not meet NYDFS phishing-resistant recommendation      | Medium: fewer SMS delivery issues but TOTP setup errors and push fatigue add new ticket categories | Medium: TOTP eliminates per-message cost but app support overhead persists            | Limited: may track MFA method selection but lacks ceremony-level telemetry                                         |
| **3** | **Phishing-Resistant**                 | Passkeys deployed as primary method; password/OTP as fallback for incompatible devices       | High: FIDO2/WebAuthn credentials are domain-bound and cryptographic; immune to phishing, stuffing and SIM-swap | Meets or exceeds NYDFS, FTC and NAIC requirements; NIST SP 800-63B AAL2-compliant                     | Low: Branch Insurance saw ~50% ticket reduction; Aflac achieved 96% login success                   | Low: zero per-authentication cost; ROI from SMS elimination and fraud reduction       | Moderate: enrollment and auth funnels instrumented; basic error classification in place                            |
| **4** | **Phishing-Resistant + Observability** | Passkeys as default; device trust scoring; risk-based step-up for anomalies; smart fallbacks | Highest: cryptographic auth + continuous device trust assessment + behavioral signals                          | Audit-ready: full telemetry supports CEO/CISO attestation, NYDFS examination and regulatory reporting | Lowest: proactive anomaly detection prevents issues before they reach the call center              | Lowest: optimized fallback routing minimizes residual SMS spend; fraud losses reduced | Full: real-time dashboards covering adoption curves, error rates by device/OS, trust decay and SCA factor coverage |

The following diagram visualizes the four maturity levels as a progression from SMS-only
to full observability.

**How to use this model:**

1. **Assess:** Identify your current level by auditing auth methods, telemetry coverage
   and compliance gaps across all customer-facing portals.
2. **Target:** Set a 12-18 month roadmap to reach at least Level 3. Insurers under NYDFS
   oversight should target Level 4 to support the dual CEO/[CISO](https://www.corbado.com/glossary/ciso)
   certification requirement.
3. **Communicate:** Use the model in board presentations and regulatory submissions to
   demonstrate structured progress rather than ad hoc improvements.

## 7. How passkeys drive digital adoption and self-service migration

Most insurance executives treat authentication as an IT concern. That is a mistake. For
C-level and VP-level leaders whose strategic agenda includes shifting policyholders from
call centers and branches to digital self-service, authentication is the single biggest
friction point standing in the way.

### 7.1 Authentication is the front door to every digital initiative

Every digital insurance initiative - self-service claims, online policy changes, digital
[payments](https://www.corbado.com/passkeys-for-payment), e-signature workflows - starts with a login. If
policyholders cannot get past that front door reliably, none of the downstream investment
delivers ROI.

The data is clear:

- **43% of consumers** say managing logins
  [impacts their willingness to use online services](https://beyondencryption.com/research/customer-portals-logins-preferences)
  at all.
- **64% have abandoned a purchase** because they had to
  [create an account or could not log in](https://beyondencryption.com/research/customer-portals-logins-preferences).
- **60% of consumers** find
  [insurance, pension and mortgage portals difficult to navigate](https://beyondencryption.com/research/customer-portals-logins-preferences),
  with login being the first and most common failure point.
- **Only 20% of insurance customers** say digital channels are their preferred way of
  interacting with their insurer, largely because the experience - starting with
  authentication - is
  [worse than what they get from banking and retail apps](https://insurancenewsnet.com/innarticle/why-insurers-are-losing-customers-at-the-login-screen).

The following diagram illustrates how these four data points combine into a single
adoption-blocking pattern.

For insurers spending millions on portal redesigns, chatbots and digital claims workflows,
a password-and-SMS-OTP login experience undermines the entire investment. Policyholders
who fail to log in or give up in frustration default to calling the contact center or
visiting a branch - exactly the high-cost channels the digital strategy was supposed to
replace.

### 7.2 Quantifying the self-service shift

Moving policyholders from human-assisted channels to digital self-service is one of the
highest-leverage cost reduction strategies in insurance:

- **Phone interactions cost
  [USD 8-15 per contact](https://hyperleap.ai/blog/insurance-customer-service-automation-statistics-2026)**
  versus under USD 1 for self-service. At insurer scale, even a 10% channel shift from
  phone to digital saves millions annually.
- **Portal users are 12% less likely to cancel** their policies compared to non-portal
  users. Multi-channel users show a
  [25% higher retention rate](https://content.insured.io/resources/insured.io-study-of-250000-insurance-consumers-reveals-that-omnichannel-carrier-portals-can-increase-retained-premium-by-25-percent).
- **Insurers deploying digital self-service** report
  [15-25% service cost reductions and 30% lower claims processing costs](https://www.cxpilots.com/epiphanies/the-state-of-digital-cx-in-insurance-2026-benchmark-report).
- **82% of insurance customers want to resolve issues without calling**, but only
  [56% report adequate self-service tools](https://www.rediansoftware.com/top-10-insurance-digital-transformation-2026/) -
  a gap that [authentication friction](https://www.corbado.com/blog/login-friction-kills-conversion) widens
  further.

The chart below shows how these economics compare across channels.

Passkeys directly address the gap between customer intent and actual portal usage. When
login takes under 2 seconds with a biometric confirmation instead of a password-plus-OTP
flow that fails 5-15% of the time, more policyholders complete the digital journey instead
of picking up the phone.

### 7.3 What Corbado's observability uniquely reveals about digital adoption

Most insurers know their digital adoption rate is lower than they want. What they cannot
answer is **why**. Is it device incompatibility? Enrollment flow friction? A specific OS
or browser where [passkeys fail](https://www.corbado.com/blog/why-passkey-implementations-fail) silently? A
demographic segment that never gets prompted?

This is where Corbado's [authentication observability](https://www.corbado.com/blog/authentication-observability)
provides something no other tool on the market offers: the ability to connect
[authentication telemetry](https://www.corbado.com/blog/digital-identity-gap) directly to business metrics like
digital adoption rate, self-service completion rate and channel migration.

Corbado surfaces:

- **Where policyholders drop out of the authentication funnel** - not just "login failed"
  but which ceremony stage, on which device, for which user segment.
- **Which cohorts are stuck on legacy methods** - e.g. policyholders over 60 on
  [Android](https://www.corbado.com/blog/how-to-enable-passkeys-android) who never see a passkey prompt because
  their device is incompatible, silently routing them to SMS and then to the call center.
- **The direct link between authentication success and digital engagement** - if
  [login success rate](https://www.corbado.com/blog/authentication-observability) increases by 10 percentage
  points, how much does portal self-service usage increase? How many fewer calls hit the
  contact center?
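One way to produce the ceremony-stage and per-segment breakdown described above, as an added example and not Corbado's code: the `authClient` wrapper (option endpoint, `navigator.credentials.get()`, verify endpoint), the `emit` sink, the segment fields and the sample events are all assumptions made for the demo.

```javascript
// Added example (not Corbado's code): stage-by-stage instrumentation of a
// WebAuthn login ceremony plus a per-segment funnel over the emitted events.
// `authClient` is a hypothetical wrapper around the relying party's option
// endpoint, navigator.credentials.get() and the verify endpoint; `emit` is
// whatever ships events to the telemetry pipeline. Both are assumptions.

const STAGES = ["options_requested", "prompt_shown", "assertion_created", "verified"];

// Map the DOMException name thrown by navigator.credentials.get() to a reason a
// dashboard can act on. NotAllowedError is deliberately opaque in the spec
// (user cancelled, timed out, or no matching credential on the device), so it
// only becomes meaningful together with the stage, OS and user segment.
function classifyFailure(err) {
  switch (err && err.name) {
    case "NotAllowedError":   return "cancelled_timeout_or_no_credential";
    case "SecurityError":     return "origin_not_valid_for_rpid";
    case "NotSupportedError": return "not_supported";
    case "InvalidStateError": return "invalid_state";
    case "AbortError":        return "aborted";
    default:                  return "unknown";
  }
}

// Run one login ceremony, recording the last stage reached and why it stopped.
async function instrumentedLogin(authClient, segment, emit) {
  const ev = { ...segment, stage: STAGES[0], outcome: "pending", reason: null };
  try {
    const options = await authClient.fetchOptions();          // challenge + allowCredentials from the RP
    ev.stage = STAGES[1];
    const assertion = await authClient.getAssertion(options); // navigator.credentials.get() in a browser
    ev.stage = STAGES[2];
    const verified = await authClient.verify(assertion);      // server-side signature check
    if (verified) ev.stage = STAGES[3];
    ev.outcome = verified ? "success" : "failure";
    ev.reason = verified ? null : "server_rejected";
  } catch (err) {
    ev.outcome = "failure";
    ev.reason = classifyFailure(err);
  }
  emit(ev);
  return ev.outcome === "success";
}

// Funnel: for each os/ageBand segment, how many ceremonies reached each stage.
// A ceremony recorded at stage i also passed stages 0..i-1.
function funnelBySegment(events) {
  const funnel = {};
  for (const ev of events) {
    const key = `${ev.os}/${ev.ageBand}`;
    const row = (funnel[key] ||= Object.fromEntries(STAGES.map((s) => [s, 0])));
    for (let i = 0; i <= STAGES.indexOf(ev.stage); i++) row[STAGES[i]]++;
  }
  return funnel;
}

// Share of ceremonies that reached `from` but never reached `to`.
function dropOffRate(row, from, to) {
  return row[from] === 0 ? 0 : 1 - row[to] / row[from];
}

// Constructed sample events (not real policyholder data): six ceremonies.
const SAMPLE_EVENTS = [
  { os: "iOS", ageBand: "30-44", stage: "verified", outcome: "success", reason: null },
  { os: "iOS", ageBand: "30-44", stage: "verified", outcome: "success", reason: null },
  { os: "Android", ageBand: "60+", stage: "prompt_shown", outcome: "failure", reason: "cancelled_timeout_or_no_credential" },
  { os: "Android", ageBand: "60+", stage: "prompt_shown", outcome: "failure", reason: "cancelled_timeout_or_no_credential" },
  { os: "Android", ageBand: "60+", stage: "verified", outcome: "success", reason: null },
  { os: "Windows", ageBand: "45-59", stage: "assertion_created", outcome: "failure", reason: "server_rejected" },
];

// Two of three Android/60+ ceremonies die at the OS prompt: a device or OS
// problem to investigate, not three users who "failed to log in".
const funnel = funnelBySegment(SAMPLE_EVENTS);
console.log(funnel["Android/60+"], dropOffRate(funnel["Android/60+"], "prompt_shown", "assertion_created").toFixed(2));
```

The point of keying the funnel on stage plus segment rather than on a bare success flag is that the same `NotAllowedError` means different things at different stages: at `prompt_shown` on one OS family it is usually the prompt never working, at `prompt_shown` on a device that logged in yesterday it is usually the user cancelling.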

For a CIO or SVP of Digital presenting to the board, this turns "we launched passkeys"
into "passkeys increased digital self-service adoption by X%, reduced call-center volume
by Y% and saved USD Z per quarter." That is the strategic narrative that justifies the
investment and accelerates the broader digital transformation roadmap.

## 8. How Corbado helps insurers deploy passkeys

Most insurers already have a CIAM platform (Ping, ForgeRock, Okta) that can handle the
WebAuthn ceremony. What they lack is the adoption layer that turns "we support passkeys"
into "50% of our policyholders use passkeys." Corbado provides that layer.

### 8.1 Adoption engine

Corbado's pre-built UI components and decision logic handle the enrollment journey that
CIAM platforms leave to custom development:

- **Contextual enrollment prompts** surface at high-trust moments (immediately after a
  successful MFA check) rather than buried in account settings, so a new passkey is only
  registered on a session that has just passed strong authentication and never on one an
  attacker reached with a stolen password alone.
- **Progressive urgency** moves from "Optional" nudges to "Recommended" to "Mandatory"
  over a configurable timeline, matching the 12-18 month adoption curve most insurers
  need.
- **A/B testing** for enrollment messaging, timing and placement to optimize conversion
  rates across different policyholder segments and product lines.

### 8.2 Device intelligence

Corbado maintains a continuously updated matrix of device-level passkey compatibility:

- If a specific [Samsung](https://www.corbado.com/blog/samsung-passkeys) model has a broken passkey
  implementation, Corbado suppresses the prompt automatically, routing the user to a
  fallback without frustration.
- [Passkey Intelligence](https://docs.corbado.com/corbado-connect/features/passkey-intelligence)
  detects device capabilities before prompting, preventing the "Operation Interrupted"
  errors that cause support spikes.
- Insurance-specific device diversity (older tablets used by retirees, shared agency
  workstations, corporate-managed laptops) is handled through configurable trust policies.

### 8.3 Smart fallbacks

Corbado prevents permanent lockouts by intelligently routing users to alternatives when
their device or environment is not passkey-ready:

- Policyholders on incompatible devices see a smooth transition to the next-best method
  rather than an error screen.
- Recovery flows using [identity proofing](https://www.corbado.com/blog/digital-identity-guide) (eKYC, ID scan +
  liveness) allow re-enrollment without call-center intervention. This matters for security
  as much as for cost: once the login itself is phishing-resistant, attackers move to the
  recovery path, so it must not quietly fall back to an SMS code.
- Agent-specific fallback policies accommodate shared workstations and corporate proxy
  environments that block hybrid (QR code) flows.
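The capability check and fallback decision described in 8.2 and 8.3, as an added example that is not Corbado's code: `pkc` stands in for the browser global `PublicKeyCredential`, while the `ctx` (per-session device intelligence), `policy` (per-population rules), the model identifier on the blocklist and the method names are assumptions made for the demo.

```javascript
// Added example (not Corbado's code): capability detection before any passkey
// prompt, then policy-driven fallback selection. `pkc` stands in for the browser
// global PublicKeyCredential; `ctx` (device intelligence for this session) and
// `policy` (per-population rules) are hypothetical shapes a relying party would
// define itself.

async function detectCapabilities(pkc) {
  if (!pkc) return { webauthn: false, platformAuth: false, conditionalUi: false, hybrid: false };
  // WebAuthn Level 3 exposes one call for all capabilities; older browsers only
  // have the two boolean probes, so both paths are covered.
  if (typeof pkc.getClientCapabilities === "function") {
    const c = await pkc.getClientCapabilities();
    return {
      webauthn: true,
      platformAuth: c.userVerifyingPlatformAuthenticator === true,
      conditionalUi: c.conditionalGet === true,
      hybrid: c.hybridTransport !== false, // undefined means "not reported", not "absent"
    };
  }
  const probe = (name) =>
    typeof pkc[name] === "function" ? pkc[name]().catch(() => false) : Promise.resolve(false);
  const [platformAuth, conditionalUi] = await Promise.all([
    probe("isUserVerifyingPlatformAuthenticatorAvailable"),
    probe("isConditionalMediationAvailable"),
  ]);
  return { webauthn: true, platformAuth, conditionalUi, hybrid: true };
}

// Pick what the login page shows. Preference order: platform passkey, hybrid
// (phone via QR/BLE), then the policy's fallbacks strongest first.
function chooseLoginMethod(caps, ctx, policy) {
  const fallback = (reason) => ({
    method: policy.fallbacks[0] || "assisted_recovery",
    reason,
    showPasskeyPrompt: false,
  });
  // A model on the blocklist gets no prompt at all, so the user never sees the
  // broken dialog and the support queue never sees the ticket.
  if (policy.blockedDeviceModels.has(ctx.deviceModel)) return fallback("known_broken_device");
  if (!caps.webauthn) return fallback("no_webauthn");
  // A platform passkey created on a shared agency workstation belongs to the
  // machine, not the agent, so platform authenticators are only offered on
  // devices the policy treats as personal.
  if (caps.platformAuth && !ctx.sharedWorkstation) {
    return {
      method: caps.conditionalUi ? "passkey_autofill" : "passkey_modal",
      reason: "platform_authenticator",
      showPasskeyPrompt: true,
    };
  }
  if (policy.allowHybrid && caps.hybrid && !ctx.hybridBlocked) {
    return {
      method: "passkey_hybrid",
      reason: ctx.sharedWorkstation ? "shared_workstation" : "no_platform_authenticator",
      showPasskeyPrompt: true,
    };
  }
  return fallback(ctx.hybridBlocked ? "hybrid_blocked_by_network" : "no_passkey_path");
}

// Constructed policies (hypothetical model identifier, not a real device record).
const POLICYHOLDER_POLICY = {
  blockedDeviceModels: new Set(["MODEL-X-HYPOTHETICAL"]),
  allowHybrid: true,
  fallbacks: ["totp", "sms_otp"],
};
const AGENT_POLICY = { blockedDeviceModels: new Set(), allowHybrid: false, fallbacks: ["totp"] };

// Demo: in a browser you would pass globalThis.PublicKeyCredential; here a stub
// that reports a Level 3 browser with a platform authenticator.
const stubPkc = {
  getClientCapabilities: async () => ({ userVerifyingPlatformAuthenticator: true, conditionalGet: true, hybridTransport: true }),
};
detectCapabilities(stubPkc).then((caps) =>
  console.log(chooseLoginMethod(caps, { deviceModel: "MODEL-Y", sharedWorkstation: true, hybridBlocked: true }, AGENT_POLICY)));
```

The order of the checks is deliberate: the blocklist runs before any browser probe, because a device with a broken implementation will happily report that it supports passkeys.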

### 8.4 Forensic telemetry

Corbado provides the "X-Ray vision" that server-side CIAM logs cannot. A CIAM only records
ceremonies that reach it: a prompt that never appears, a device that cannot show one or a
user who cancels at the OS dialog leaves no trace there. Client-side telemetry fills that gap:

- **Device Trust dashboard** surfaces success rates by passkey type, device classification
  and SCA factor coverage.
- **Real-time anomaly detection** flags unusual patterns (shared device spikes, enrollment
  from suspicious environments) before they become security incidents.
- **Audit-ready reporting** gives [CISOs](https://www.corbado.com/glossary/ciso) the data needed for NYDFS annual
  certification, NAIC examinations and internal board reporting.

Corbado does not replace your existing CIAM stack. It sits in front of it, handling the
real-world complexity of device fragmentation, user education and operational visibility
that determines whether your passkey investment delivers ROI or stalls at under 1%
adoption.

## 9. Conclusion

Insurance customer portals are under pressure from multiple directions at once: rising ATO
attacks, costly SMS OTP infrastructure, call-center overload from
[password resets](https://www.corbado.com/faq/passkeys-reduce-password-resets-otp-costs), tightening regulatory
expectations across the US, EU, Australia and Canada - and a strategic mandate to shift
policyholders from high-cost human channels to digital self-service. Passkeys address all
five by eliminating phishable credentials, removing per-authentication costs, reducing
support burden, aligning with the shift toward stronger MFA and removing the
[login friction](https://www.corbado.com/blog/login-friction-kills-conversion) that blocks digital adoption.

Aflac (500,000 enrollments, 96% success rate), Branch Insurance (50% ticket reduction) and
HealthEquity (mandatory rollout with no opt-out) have already proven that adoption at
scale works. The key is treating passkeys as a product journey rather than an
infrastructure checkbox: invest in enrollment flows, instrument the client, plan fallbacks
and build the telemetry that connects authentication performance to the business metrics
your board actually cares about - digital adoption rate, call-center deflection and
self-service completion.

Use the
[Insurance Authentication Maturity Model](#6-what-is-the-insurance-authentication-maturity-model)
to benchmark your current posture, set a 12-18 month target and communicate structured
progress to your board and regulators.

## Frequently Asked Questions

### How do passkeys reduce account takeover risk for insurance customer portals?

Passkeys use public/private key pairs bound to the insurer's relying party ID (its domain),
so the browser will not use a credential created for the real portal on a look-alike domain.
That makes them resistant to phishing, credential stuffing and SIM-swapping, the attacks
that plague password and SMS OTP flows. Because no shared secret is transmitted during
authentication, attackers cannot harvest reusable credentials even if they control the
network. The residual risk moves to fallback and recovery flows, which is why those need
identity proofing rather than an SMS code. Aflac reported a 96% login success rate after
deploying passkeys and Branch Insurance saw support tickets drop by roughly 50%; those are
adoption and support-cost figures, but they show the phishing-resistant path can become the
default rather than a rarely used option.

### What compliance frameworks shape authentication requirements for insurance customer portals and how do passkeys help?

In the US, NYDFS Part 500, the FTC Safeguards Rule and the NAIC Insurance Data Security
Model Law all push insurers toward stronger MFA. Outside the US, EU insurers fall under
DORA, Australian insurers under APRA CPS 234 and Canadian insurers under OSFI Guideline
B-13, all of which raise expectations around authentication controls for customer-facing
systems. Passkeys help because they provide phishing-resistant MFA using FIDO2/WebAuthn
cryptographic credentials while reducing dependence on weaker SMS OTP flows.

### How do passkeys compare to SMS OTP, TOTP and device trust for insurance portal authentication?

SMS OTP costs USD 0.01-0.05 per message at scale, is vulnerable to SIM-swapping and
phishing and generates high call-center load from delivery failures. TOTP apps eliminate
per-message cost but remain phishable (a real-time proxy simply relays the code) and
require manual code entry. Device trust reduces friction on known devices but is a risk
signal, not an authentication factor, and offers no phishing resistance. Passkeys combine
phishing-resistant security with zero per-authentication cost and sub-2-second login
times, making them the only method that scores highest across security, UX, cost and
compliance dimensions.

### What makes passkey rollout different for insurers compared to banks or SaaS companies?

Insurers face multi-brand portal complexity where auto, home and life products may run on
separate subdomains. Because a passkey is bound to a single rpID, that rpID has to be the
shared parent domain (one registrable level above the brand hosts); otherwise policyholders
end up with a separate passkey per brand, none of which works on the others. Legacy CIAM
platforms like Ping, ForgeRock or Okta handle backend WebAuthn but offer limited adoption
tooling. Agent versus policyholder flows require different trust levels and device
profiles. Regulatory pressure also spans multiple jurisdictions: US insurers face NYDFS
Part 500, NAIC Model Law and FTC Safeguards Rule, EU insurers fall under DORA, Australian
insurers answer to APRA CPS 234 and Canadian insurers to OSFI Guideline B-13. That requires
a rollout plan that satisfies the strictest applicable standard.

### What is the Insurance Authentication Maturity Model and how can insurers use it to benchmark their progress?

The Insurance Authentication Maturity Model defines four levels: Level 1 (SMS-only) with
single-factor OTP and no phishing resistance; Level 2 (MFA-enabled) with password plus SMS
or TOTP meeting basic compliance; Level 3 (phishing-resistant) with passkeys deployed,
enrollment secured and smart fallbacks; Level 4 (phishing-resistant + observability) with
full telemetry, device trust and continuous monitoring. Insurers can use the model to
identify their current level, set target milestones and communicate progress to boards and
regulators.
