By now, it’s an all-too-familiar routine…
Step 1: Organization suffers an expensive and embarrassing security breach.
Step 2: Organization hastily introduces multi-factor authentication (or steps up its efforts to mandate its usage).
Oftentimes, it takes a breach to make organizations fully embrace strong authentication. But why? We know that usernames and passwords alone cannot provide sufficient security, and we know that SMS two-factor authentication (2FA) has been deprecated time and time again. Yet, many companies continue to rely on these less-than-secure methods anyway.
Considering the cost of implementing multi-factor authentication
One theory is the perceived cost and complexity of implementing widespread strong, multi-factor authentication (MFA). Security is usually seen as a cost center and CISOs are accustomed to the careful balancing act between the strength of a security posture and its cost. But, as breach impact and frequency change, so too must the calculations CISOs make when determining their authentication strategy.
There are three factors — and their associated cost implications — that must be calculated when deploying strong MFA enterprise-wide: security, usability, and scalability.
Security: Misguided MFA could be an $8 million mistake
The first consideration must be the cost and probability of your organization suffering a security breach. The average cost of a data breach in 2020 is $8.64 million in the US ($3.86 million globally). And that’s not counting the lost revenue that follows a reputational hit.
Forrester estimates that most organizations have a 30% likelihood of facing a cyber attack. These odds have only increased through 2020 with a surge in phishing attacks as hackers capitalize on the shift to remote working and accelerated adoption of the cloud. Not to mention, the potent cocktail of circumstances caused by a pandemic, election, recession, and social unrest has bred fear, uncertainty, and doubt — prime territory for hackers. For some organizations, such as political groups, government agencies, media, and healthcare providers, the risk is even greater. If the cost of a potential breach isn’t incentive enough, failing to reduce your breach risk exposure can also impact your cyber insurance premiums.
With a 30 percent chance (on a good day) of suffering an $8+ million security breach, the case for implementing MFA as an investment seems incontrovertible. But which type of authentication will be strong ‘enough’?
A study by Google and NYU compared the standard baseline of password authentication with 2FA methods including FIDO security keys, smartphone-based one-time password (OTP) generators, and SMS. Google found that hardware-based security keys, like the YubiKey, provide the strongest security — the only method to protect against phishing attacks 100% of the time — while also offering the best mix of usability and deployability. Strong, hardware-based multi-factor authentication can give enterprises peace of mind by eliminating the threat of phishing attacks and account takeovers, which contribute to roughly 80% of all security breaches.
Usability: Poor user experience can drive support costs upwards of $12M a month
The next consideration in the cost of implementing multi-factor authentication for CISOs is often usability. If strong, hardware-based MFA is the most secure option, what will the user experience be? To answer this, we need to examine the alternative forms of authentication from a user’s perspective, specifically simple usernames and passwords or mobile-based 2FA.
Let’s face it, it’s frustrating to have to enter passwords or one-time passcodes all the time. And, as we all know, employees frustrated by a poor experience will not only be less productive and engaged, but also more likely to churn or circumvent the process — all of which are expensive outcomes. This either puts an organization back to square one — at risk of a data breach due to failed user adoption of security solutions — or creates disruptive workflows that take a toll on productivity. Gone are the days when users put up with hard-to-use tools at work, even if those tools are there for their own protection. Usability is no longer a nice-to-have and most CISOs know it.
For starters, let’s take a look at the IT support costs required to control and sustain password-based authentication across an organization. It’s well known that password resets alone are a top cause of support calls and emails. According to statistics from Gartner, 20-50% of all IT helpdesk calls are password resets and Forrester estimates that the average cost of a password reset is $70. In fact, password resets cost Microsoft over $12M per month according to a presentation given by Alex Simons at Microsoft Ignite 2017. That support burden is magnified when you introduce mobile-based 2FA, giving employees additional apps to manage, and giving IT additional licenses and software to provision.
According to a Google case study, the company was able to reduce its password reset costs by 92% after deploying YubiKeys worldwide. Additionally, employees saw a significant reduction — by nearly 50 percent — of the time to authenticate using a YubiKey compared with using a one-time password (OTP) via SMS. Logins were nearly four times faster when comparing the YubiKey to Google Authenticator.
Scalability: Access for all employees saves on cost & time
The third and most complex consideration in a CISO’s calculation is scalability. This is where misperceptions and assumptions abound. How can hardware-based multi-factor authentication solutions, like the YubiKey — clearly the most secure and usable option — also be scalable across thousands of employees and hundreds of enterprise systems? Shouldn’t it be reserved for a few privileged users?
Well, no. All users are susceptible to security breaches. In fact, hackers are savvy and will always take the path of least resistance, meaning that your privileged users may not always be their first target. And all users need an experience that doesn’t hinder productivity. The truth of the matter is, YubiKeys can be rolled out to all users without breaking the bank or creating an administrative sinkhole. In fact, they offer substantial cost and time savings.
When considering a company-wide deployment for an authentication solution, it’s important to consider how interoperable it is in various environments and across multiple technology stacks. For example, your organization may have “office-based” workers to secure like IT admins, HR teams, and more, but you may also need to secure employees “in the field” who are operating in mobile-restricted environments or with shared workstations like in retail or healthcare. It’s also likely that, over time, your organization will transition from legacy systems to more modern cloud-based technologies — all of which will support varying degrees of authentication. If you select a standards-based MFA solution that works with multiple back-end systems, independently of mobile connectivity, and with a premier “tap-and-go” user experience, you can eliminate the costs and complexities associated with managing several authentication mechanisms within your organization.
YubiKeys, for example, work out of the box with every major web browser and hundreds of enterprise cloud services, no custom development needed. So no matter which new services and applications you introduce, or which business use cases you need to solve, you won’t need to roll out new authentication devices or workflows for users to get familiar with. One device can be used company-wide.
It’s also worth noting that 2FA via a mobile authenticator app or SMS is not a hardware-free option. Users need a mobile phone and many companies will either provide employees with a work-issued device or reimburse them for a portion of their monthly personal phone bill. According to a study by Oxford Economics, 89% of organizations provide a full or partial stipend to compensate employees for their mobile phone expenses. This averages $36.13 per month, and amounts to about $430 per year for each employee.
Then there’s the cost of emailing or texting authentication codes to users. It may seem trivial, but to give an example, a mid-sized bank was able to reduce its SMS fees by 10%, saving $2.9 million, after moving away from SMS-based 2FA.
Conversely, a YubiKey requires just the low-cost key itself, ranging from $20-$70. In fact, the combined security, usability, and workflow efficiencies of the YubiKey allowed Google to give each employee multiple YubiKeys and still realize overall cost reductions. Now, with YubiEnterprise Delivery, enterprises can distribute YubiKeys to thousands of users in 34 countries — all while experiencing predictable spending with YubiEnterprise Subscription.
The Total Cost of Hardware-Based Strong Authentication
All things considered, the equation for calculating the cost of implementing multi-factor authentication has changed.
Traditionally, CISOs may have felt they couldn’t afford to introduce strong MFA universally. But, given the current cost of security breaches, and the advancements made in scalability and interoperability of hardware-based authentication, can they afford not to? CISOs are recognizing that strong hardware-based authentication for all is no longer going to put them at war with the CFO and, in fact, makes financial sense. It is possible to achieve affordable security, usability, and scalability after all.
To learn how your organization can cost-effectively deploy YubiKeys enterprise-wide, watch our webinar, “YubiEnterprise Subscription: Hardware Authenticators as a Service,” or contact our sales team.