Aflac Wins CSO Award for Improving Security & CX with Passkeys and Transmit Security

Aflac, the brand known for its quacking duck and supplemental health insurance, is a winner of the 2024 CSO Award for its “Quackcess Granted” passkey authentication initiative using Transmit Security. Don’t be misled by the project’s lighthearted name. “Quackcess” is solving serious security problems while reducing support costs and simplifying the customer experience (CX) with a passwordless experience. 

An instant hit with Aflac customers, the passkey adoption rate shot past their initial 10% target, reaching 32% adoption within days of its release. Aflac also touts a 96% passkey login success rate, alleviating strain on customer support and reducing costs. The other 4% of users simply stop short of completing the process. To date, no Aflac customers have required technical assistance with passkeys, and no passkey logins have failed.

To achieve this, Aflac chose Mosaic by Transmit Security for its advanced passkey security layer, ease of implementation and UI customizations. Aflac’s success in combining security innovation with business efficiency won the attention of CSO Awards, which recognizes projects that demonstrate outstanding thought leadership and tangible business value in cybersecurity.

“The stakes grow higher every day for security leaders and their teams, and this year’s CSO Awards honor the very best efforts to tackle challenges from an expanding threat landscape,”
said Beth Kormanik, Content Director for the CSO Conference & Awards. “These projects are at
the forefront of innovative security thinking and represent true business value for their organizations.” 

In this article, we’ll explain how Aflac is using Mosaic, Transmit Security’s flagship platform, to strengthen passkeys — which do come with an inherent risk. If your company is ready to embrace frictionless yet highly secure authentication, Aflac offers a blueprint to follow.

How passkeys improve security & CX for Aflac 

As an extension of FIDO credentials, passkey authentication provides fast, easy and secure registrations, logins and recovery on Aflac’s website. Since passkeys are based on public key cryptography (PKI), not shared secrets, they are phishing-resistant by design. They provide strong MFA that protects against a wide range of password attacks — from credential stuffing and brute force to keylogging and SIM swaps. 

“There are only so many ways to improve the password experience or make traditional multi-factor authentication better for our customers,” says Virgil Pool, Senior Consumer Authentication Lead for Aflac Global Security. “We’ve taken a more significant step forward by partnering with Transmit Security to deliver passkeys. As a result, we’re achieving our goal of making it easier for our customers to get help in their time of need.”

Designed for ease of use, passkeys enable Aflac customers to sync their biometric credentials via the cloud, across all of their passkey-supported devices. This extends FIDO capabilities, typically bound to one device, simplifying account access and device recovery. In doing so, passkeys eliminate the need to fallback on risky passwords that customers too often forget.

How Mosaic by Transmit Security resolves passkey risks 

Although passkeys represent a significant improvement over the security of passwords and standard MFA methods, key leakage is a proven risk when syncing passkeys to a new, unregistered device.

To minimize this risk, Transmit Security has developed a dedicated passkey security layer that strengthens and protects passkeys throughout the identity lifecycle. With it, Aflac is able to ensure that passkeys only sync across devices and ecosystems when desired, enforcing a deliberate transfer of trust. 

Another top goal for Aflac is to safeguard vital customer data and ensure compliance. Tim Callahan, Aflac’s Global CISO notes, “Cybercriminals are innovative, willing to take risks and have no regard for regulations.” As shown below in the Aflac’s app, insurance providers must collect and secure healthcare, payment and deposit data plus personal info that fraudsters can monetize.

Built with cybersecurity at its core, Transmit Security’s innovative platform is designed to prevent breaches and account takeovers that would allow attackers to access sensitive customer data. Mosaic’s baked-in AI-powered security provides automated anomaly detection, trend analyses and a broad range of protections. 

Quick and easy to deploy — with a branded UI

Other factors that led Aflac to choose Mosaic centered around CX granularity, UI customizations and ease of implementation. Transmit Security’s developer-friendly SDK enabled Aflac to embed passkey authentication within their website with a few lines of code. Development from day 1 to launch, including testing, took only 2 months.

It was a high priority for Aflac to keep customers on their website as they use passkeys — to maintain a consistent brand experience, rather than being sent to a third-party service. They made full use of Mosaic’s UI customization tools, which minimized time and effort to create a branded look and feel that fits in seamlessly with their existing UI.    

With Mosaic by Transmit Security, Aflac customers who are first-time passkey users follow this simple flow: 

1. The customer enters a username that will be used for future logins.
2. A prompt, either on their device or via a QR code on a biometric-enabled device, asks the user to enter a fingerprint or face ID.
3. Behind the scenes, a public-private key pair, which acts as a second credential, is automatically registered to the device.
4. On subsequent logins with passkeys, the user enters their username and receives a prompt to log in with their fingerprint or face ID. Doing so unlocks the private key, which signs the cryptographic challenge. In one simple action, the customer presents two authentication factors: a biometric and the private key stored on their trusted device.

Achieving strong MFA is that easy. Based on FIDO standards, Passkeys remain secure using PKI cryptography. Half-measures like OTPs can reinforce password security to some degree, but Aflac wanted a more secure and low-friction alternative that their customers would be happy to use. 

Summary: Why Aflac was chosen for the CSO Award 

Aflac stood out as a clear winner for its “Quackcess Granted” passkey initiative with Transmit Security based on 4 key factors that showcased innovation and business impact:

1. Enhanced security: Aflac’s shift to passkeys greatly improved the security of their authentication system, making it phishing-resistant and reducing the vulnerabilities associated with traditional passwords. This helps prevent account takeovers (ATO), protecting customer data and internal systems. 
2. Improved CX: By eliminating the need for passwords, customers using passkeys no longer struggle with forgotten credentials. Aflac’s streamlined login process is user-friendly and efficient for customers who authenticate with a tap or glance.
3. Operational efficiency: Aflac has reduced login failures and password reset requests, achieving a 96% passkey success rate. The reduction in related support calls has allowed Aflac to allocate resources more effectively, resulting in lower operational costs and greater productivity for customer support teams.
4. Successful adoption and business impact: The passkey system saw adoption rates that exceeded expectations as 32% of Aflac’s customers opted into the new authentication method within the first week. This highlights the effectiveness and broad appeal of passkeys, contributing to the award recognition and happy customers.

The Secret Sauce: Mosaic by Transmit Security 

So far, Aflac has done all of this with no promotion. They merely added a passkey option and prompts for customers to follow. “Aflac will continue to drive adoption [of passkeys] through targeted customer communications and deeper integration based on data analytics,” says Callahan. ​Aflac remains committed to “pushing the boundaries of cybersecurity,” he states. 

Passkeys are just one aspect of Mosaic, a best-of-breed modular platform. This transformative solution eliminates identity silos, security gaps and complexity with a fusion of customer identity management, identity verification and fraud prevention. 

Mosaic is flexible by design, so, like Aflac, your company can address any fraud and identity use case while minimizing complexity and costs. With AI-driven cybersecurity at its core, Mosaic is built for resilience and scale, earning the trust of 7 ‘top 10’ US banks and Fortune 500s. 

Ready for next-level digital transformation? Share this blog with your colleagues to obtain business buy-in for your passwordless or fraud prevention initiatives. Discover more about Transmit Security or request a demo.