Insurance carriers sit on some of the most sensitive data in existence — Social Security numbers, medical histories, financial records, government-issued IDs. And the people accessing that data aren’t just internal employees. They’re independent agents, brokers, third-party administrators, and claims processors, logging in from personal devices, home offices, and shared workspaces across the country.
That access model is a security problem hiding in plain sight. And attackers have noticed.
The Agent Portal Is a High-Value Target
In June 2025, Aflac confirmed that 22.65 million individuals had their personal and health information stolen in a breach carried out through social engineering — no ransomware, no sophisticated exploit. Attackers bypassed security controls by targeting employees directly, exploiting the human layer that passwords depend on. The breach is now among the largest in insurance industry history.
It’s not an isolated case. According to a study cited by Huntress, 28% of insurance companies have experienced a breach, and 59% of those breaches involved third-party attack vectors. The agent portal — the external-facing access point that connects carriers to their distribution networks — is exactly the kind of third-party-adjacent surface that attackers exploit.
The core problem is credential-based authentication. Passwords can be phished. Credentials can be stolen, reused, or socially engineered out of someone on a phone call. Traditional MFA adds friction but doesn’t solve the underlying issue: a password is a shared secret that exists on both ends of the authentication, which means it can be intercepted at either.
Why Carriers Are Rethinking Authentication
The shift toward passwordless authentication isn’t a trend — it’s a structural response to a structural problem.
Certificate-based authentication replaces the shared-secret model with cryptographic keys tied to a specific device and identity. There’s no password to phish because there’s no password in the transaction. An agent’s credentials don’t exist as a string of characters that can be harvested from a phishing page or purchased on a dark web marketplace. The credential is the device itself, verified through a certificate issued and managed by the carrier.
For insurance carriers operating distributed agent networks, this matters for several reasons:
Agents work across unmanaged environments. Independent agents and brokers often use personal devices or shared machines. Traditional password policies are nearly impossible to enforce consistently across this population. Certificate-based authentication shifts the control to the carrier — the certificate is issued to the device, and only that device can authenticate. If a device isn’t enrolled, it doesn’t get access. Full stop.
Phishing resistance can’t be optional. The Aflac breach succeeded because attackers targeted people, not systems. When authentication depends on something a person knows (a password), social engineering is a viable attack path. When authentication depends on something cryptographically bound to a device, the human layer is largely removed from the equation.
Regulatory pressure is building. State insurance regulators, particularly under frameworks like the NYDFS Cybersecurity Regulation, are raising expectations around identity and access management for carriers operating in their jurisdictions. Moving to phishing-resistant authentication isn’t just a security improvement — it’s increasingly a compliance requirement.
The Access Surface Is Bigger Than It Looks
The agent portal isn’t the only exposure point. Claims systems, underwriting tools, policy administration platforms, and partner integrations all represent access vectors that use some form of credential-based authentication. Each one is a potential entry point.
What makes this particularly complex for carriers is the diversity of the access population. Full-time employees, independent agents, managing general agents, third-party administrators, reinsurance partners — each group has different access needs, different device postures, and different levels of IT oversight. A blanket VPN policy doesn’t work across that population. Neither does a single MFA solution that assumes everyone is on a managed corporate device.
What does work is an access control layer that ties authentication to device certificates and enforces policy at the point of connection — regardless of who the user is or what network they’re coming from. That’s the architecture that gives carriers visibility and control across their entire access population without adding friction for agents who are trying to do their jobs.
What Moving to Passwordless Actually Looks Like
The practical shift isn’t as disruptive as it sounds. Cloud-native network access control (NAC) platforms can issue and manage device certificates at scale, enroll agent devices without requiring on-site IT involvement, and enforce access policy continuously — not just at login. When an agent’s device falls out of compliance, or a certificate is revoked, access is cut off automatically.
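The certificate model described above (a device-bound credential issued by the carrier, with unenrolled devices refused and revoked ones cut off) as an added, stand-alone example; this is not the author's or any vendor's code. It assumes a hypothetical carrier-run device CA held in memory, and the CA name, device ID and serial numbers are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// sign issues tmpl under parent, valid for one day, and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// NewDeviceCA creates a hypothetical carrier-run device CA (key kept in memory here; an HSM or managed PKI in production).
func NewDeviceCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Carrier Device CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := sign(root, root, &key.PublicKey, key)
	return cert, key, err
}
// Enroll binds a client-auth certificate to one device's key pair: only the holder of that private key can use it.
func Enroll(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, deviceID string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: deviceID},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return sign(tmpl, caCert, pub, caKey)
}
// Authorize is the portal-side decision: the presented certificate must chain to the carrier CA, carry
// client-auth usage, and not be in revoked (serials the carrier has pulled, e.g. lost or non-compliant devices).
func Authorize(caCert *x509.Certificate, revoked map[string]bool, cert *x509.Certificate) error {
	if revoked[cert.SerialNumber.String()] {
		return errors.New("device certificate revoked: access cut off")
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

In a real deployment Authorize runs inside the TLS client-certificate callback (or the NAC policy engine) and the revocation set comes from the carrier's CRL or OCSP responder rather than an in-memory map.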
For carriers, the result is a distribution network that’s actually secure — not just password-protected. For agents, it’s a faster, simpler login experience with no password to remember, reset, or accidentally hand to an attacker.
That’s the trade insurance carriers are increasingly willing to make: less attack surface, less friction, and a meaningfully smaller chance of joining the list that Aflac is now on.