TL;DR: Insurance prospect and customer behaviour, preferred contact and purchase methods, portal access, and satisfaction factors shape provider perception, according to Comarch’s research report. The identity lesson is broader than insurance: digital touchpoints, consent handling, and access design now influence trust across customer IAM and governed lifecycle programmes.
At a glance
What this is: This is a Comarch research report on insurance customer behaviour, trust, portal access, and purchase preferences.
Why it matters: It matters because customer-facing IAM, consent, and digital access patterns increasingly shape trust and conversion across regulated identity programmes.
👉 Read Comarch's research on insurance customer behaviour and provider trust
Context
Insurance customer journeys are shaped by a small number of high-impact interactions, so the quality of each digital and human touchpoint matters. In practice, that makes customer identity design, consent handling, and portal access part of the trust model, not just front-end plumbing.
The report focuses on what prospects and customers think, how they prefer to engage, and which factors influence satisfaction and policy purchase. For IAM teams, the relevance is less about insurance as a sector and more about how digital experience, access, and lifecycle controls affect user confidence in any customer identity programme.
Key questions
Q: How should organisations design customer IAM for low-friction digital journeys?
A: Start with the customer journeys that matter most, then align registration, authentication, consent, and recovery so they work consistently across channels. The objective is not maximum friction, it is predictable assurance that supports service access without forcing repeated verification. When those controls drift apart, customer trust and completion rates fall together.
Q: Why do online portals matter so much in customer identity programmes?
A: Portals are where customers experience whether identity design actually works. If access, recovery, and session handling are clumsy, users often read that as a lack of reliability or control. Strong portal design improves service confidence because it gives customers a clear, repeatable way to view and manage their own data.
Q: What do security and IAM teams get wrong about customer consent data?
A: They often treat consent as a legal checkbox instead of a lifecycle state that must stay aligned with account access and channel preference. When consent records drift, organisations lose audit clarity and risk confusing service communications with authorised engagement. Governance works best when consent, identity, and contact records are managed together.
Q: How can teams tell whether customer identity controls are actually working?
A: Look at completion rates, recovery success, portal adoption, and the frequency of support interventions after account access problems. If customers can move through key journeys without repeated resets or manual intervention, the control design is probably sound. If service friction concentrates around identity steps, the programme needs redesign.
Technical breakdown
Why customer touchpoints become identity trust events
In insurance, a limited number of interactions carry disproportionate weight because they shape whether customers feel recognised, informed, and in control. That makes account access, consent capture, and policy servicing part of the identity experience. When those steps are fragmented, customers may interpret the problem as poor service rather than poor architecture. The practical question is how identity and access design supports predictable, low-friction engagement across every channel.
Practical implication: map the highest-friction customer journeys and treat them as identity controls, not just service journeys.
Preferred contact and purchase methods in customer identity flows
Preferred contact channels and purchase methods matter because they determine where authentication, consent, and data collection actually happen. If customers switch between branch, phone, portal, and email, the identity layer has to preserve continuity without over-collecting data or forcing repetitive verification. That is a governance issue as much as a UX issue, especially where regulated disclosures and consent records must remain consistent across channels.
Practical implication: align authentication, consent, and disclosure records across every customer channel before expanding digital acquisition paths.
Portal access and satisfaction as governance signals
Access to online portals is not only a convenience metric. It is a signal of whether customers can reach, review, and act on their own policy data without unnecessary support friction. In identity terms, portal access depends on enrolment design, recovery flows, session assurance, and lifecycle accuracy. If those controls are weak, satisfaction falls even when the underlying insurance product is sound.
Practical implication: review portal onboarding, recovery, and session controls together, because service satisfaction often reflects identity design quality.
NHI Mgmt Group analysis
Customer identity is a trust surface, not a back-office function. This report reinforces that a small number of interactions can shape the entire customer perception of an insurer. That pattern is visible across regulated sectors, where access to accounts, policy data, and purchase flows often determines whether users stay engaged. The practitioner conclusion is that customer IAM should be measured as a trust and conversion control, not just an authentication layer.
Consent handling and identity lifecycle are tightly coupled in customer programmes. The report’s emphasis on contact methods and data consent shows that identity governance does not stop at sign-up. Consent changes, channel preference updates, and account access all need lifecycle coherence or the customer record becomes unreliable. That matters for any programme that must prove lawful, traceable engagement across channels. Practitioners should treat consent state and account state as linked governance objects.
Portal access quality is often the clearest signal of identity programme maturity. If customers struggle to access online services, the issue usually sits in enrolment, recovery, or session assurance rather than product design. That is why portal access metrics deserve the same attention as service availability metrics. The practitioner takeaway is to align identity controls with the service journey customers actually use.
Insurance research like this is useful because it exposes where digital experience and governance intersect. The industry lesson extends beyond insurance: when customer touchpoints are few, each one must carry stronger identity assurance and cleaner lifecycle data. That makes this a useful reference point for teams modernising customer IAM, consent, and self-service account management. The practitioner conclusion is to design for fewer, higher-quality identity interactions.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- For a broader identity governance baseline, Ultimate Guide to NHIs , Key Research and Survey Results helps place lifecycle and access control decisions in context.
What this signals
Customer IAM programmes will be judged more on service outcomes than on authentication completeness. When a small number of touchpoints carries most of the trust load, teams need to measure portal success, recovery success, and consent accuracy alongside access policy coverage. The operational signal is whether customers can complete high-value journeys without manual intervention or record drift.
Insurance-style research points to a broader pattern in regulated identity: the experience of access is part of governance, not separate from it. Teams that treat consent, recovery, and channel continuity as one lifecycle problem will be better positioned to scale customer-facing identity services without eroding trust.
For practitioners
- Map the highest-impact customer touchpoints Identify the small set of interactions that shape trust, then review authentication, consent, and service recovery across each one. The goal is to remove friction where it breaks engagement and add assurance where it protects policy data.
- Align consent state with account state Make sure preference changes, marketing permissions, and account access are updated through one governed lifecycle so records do not drift across channels. This reduces disputes and improves auditability.
- Test portal recovery paths as a governance control Review enrolment, password recovery, and self-service reset flows together, because failures there usually reveal weak identity proofing or inconsistent session policy. Customers experience those failures as service breakdowns.
Key takeaways
- Customer trust is shaped by a small number of identity-controlled touchpoints, so IAM design directly affects service perception.
- Portal access, consent handling, and recovery flows are governance signals as much as operational features, especially in regulated customer journeys.
- Teams should manage customer identity, consent, and lifecycle state together or they will create avoidable friction and audit drift.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Customer access and recovery flows depend on identity assurance and account lifecycle handling. |
| NIST SP 800-63 | Digital identity assurance applies to customer enrolment, recovery, and account access flows. | |
| NIST Zero Trust (SP 800-207) | AC-4 | Continuous access decisions matter for customer portals and sensitive policy data. |
Review customer authentication and recovery journeys against PR.AA-01 to reduce friction without weakening assurance.
Key terms
- Customer Identity: Customer identity is the set of controls and records used to recognise, authenticate, and serve an external user. It includes enrolment data, recovery methods, consent state, and channel preferences, all of which affect whether the customer can access services safely and without unnecessary friction.
- Consent Lifecycle: Consent lifecycle is the governed state of permissions a customer has granted for contact, processing, and service interaction. It must be tracked as a changeable identity attribute, not a one-time checkbox, because account access, marketing communications, and audit evidence all depend on it.
- Portal Recovery: Portal recovery is the set of identity and support flows that restore a customer’s ability to access an online account. It covers password reset, recovery verification, and self-service access repair, and it often reveals whether the underlying identity design is consistent enough to support reliable service.
What's in the full report
Comarch's full research report covers the operational detail this post intentionally leaves for the source:
- Behavioural trend breakdowns by customer segment and insurer touchpoint.
- Reported preferences for contact methods and policy purchase methods across respondents.
- Detailed satisfaction factors and the specific issues customers say insurers should improve.
- Access-to-portal findings that can inform service design and customer journey remediation.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org