Branch Insurance, a cloud-native home and auto insurance provider, was looking to move to stronger, phishing-resistant MFA without changing their current primary auth provider or user store. Learn how Descope helped Branch augment their existing auth systems with passkeys, reducing support ticket volumes by half in the process.

About Branch

Branch a cloud-native home and auto insurance company founded in 2020. Operating on a serverless architecture, Branch’s mission is to simplify the insurance purchasing experience for  consumers and independent insurance agents. 

"One of our key superpowers is making the insurance buying experience as easy as possible," explained Arkadiy Goykhberg, Chief Information Security Officer at Branch.

Authentication challenges

Due to the sensitive nature of their market and the variety of stakeholders they served, Branch faced multiple authentication challenges:

• Legacy two-factor authentication. Branch has been relying on SMS-based two-factor authentication, which has multiple issues. Telco issues would prevent users from logging in. It's also not phishing resistant and subject to risk associated with SIM swapping attacks.

• Customer support volume. There was a high volume of support tickets related to password resets and login issues.

• User-friendly approach. Branch needed a more secure and user-friendly authentication process to serve their 12,000+ independent insurance agents.

• Compliance. Another core challenge was the need to meet strict compliance requirements in the highly regulated insurance industry.

Identifying passkeys as the solution

Branch identified passkeys as the solution to their authentication problems for several reasons.

Enhanced security: Passkeys are inherently phishing-resistant, addressing the vulnerabilities associated with SMS-based authentication.

Improved user experience: Passkeys eliminate the need for passwords, reducing friction during login and preventing issues related to forgotten passwords or typing errors.

Reduced support burden: By implementing passkeys, Branch saw a significant reduction in support tickets. John MaGee, Software Product Manager at Branch, noted:

"We did see our support ticket volume drop by about half, which was the key business goal, outside of some of the user experience and security goals of the project."

Regulatory compliance: Passkeys provided a strong foundation for meeting current and future regulatory requirements in the insurance industry.

Compatibility with existing infrastructure: Passkeys integrated well with Branch’s cloud-native architecture, allowing for a smoother implementation process.

Passkey implementation double-click

Branch adopted a phased approach to implementing passkeys.

The first phase involved internal testing. Branch first implemented passkeys for internal use, which helped build confidence and user acceptance. Branch then went through a vendor selection and development phase, contracting with Descope. Branch decided that it was a more efficient approach to engage with a service provider to help with passkey implementation. 

The project roadmap included a two month vendor selection process, followed by a three-month development phase and a six-week end-user migration phase. 

The final step was a phased user migration. Branch rolled out passkeys to its agents in waves, starting with a small group and gradually scaling up. The onboarding process involved multiple communication campaigns to prepare users for the new authentication experience. The user journey included prompting users to set up passkeys and providing a fallback option of email and OTP. The goal was to ensure a seamless transition and reduce support ticket volume by eliminating password resets. This approach allowed the company to refine the process based on feedback and minimize risks.

The results of the passkey implementation were impressive:

• 25% passkey adoption rate across the organization, exceeding internal goals.

• 50% reduction in support ticket volume related to authentication issues.

• Maintained steady login failure rates at 5%, despite the transition.

• Improved user experience, with fewer frustrations related to authentication.

One surprising benefit was the high compatibility of passkeys with existing hardware and software. Goykhberg said that he had initially expected that only approximately 60% of systems would support passkeys.

"That hypothesis was wrong. To my suprise, only a few devices across thousands of logins could not support passkeys."

Passkey success + what lies ahead

Branch's successful implementation of passkeys has not only addressed their current authentication challenges but also laid the groundwork for future improvements and expansions. 

Goykhberg said:

“Descope’s flexible workflow made implementing passkeys and taking care of edge cases relatively straightforward. With conditional steps, we routed users to passkeys when their hardware or software were compatible, and routed them to fallback MFA options when passkeys couldn’t be supported. Visualizing the user journey as a workflow helps us audit and modify the registration and authentication journey without making significant code changes, which sets us up well for the future.”

The company's successful phased rollout approach, starting with internal adoption and then gradually expanding to their agent base, highlights the importance of incremental implementation and learning. This strategy will continue to inform their future authentication initiatives. Building on the initial success of 25% passkey adoption, Branch aims to increase this number through targeted experimentation and user education. 

Branch’s successful implementation of passkeys demonstrates how this modern authentication method can significantly improve both security and user experience in the insurance industry. By addressing the vulnerabilities of traditional authentication methods, reducing support burden and providing a seamless user experience, passkeys have proven to be a valuable solution for Branch’s authentication needs.