In numbers: the cost of authentication

Authentication costs add up. That’s the takeaway from research Veridium conducted on how much companies spend on authentication. The costs vary based on the authentication method and the number of employees a company has, but one point is clear: protecting data using passwords, Windows Hello, tokens and smartcards can cost companies millions, regardless of industry.

Some expenses are yearly, such as productivity losses due to password resets. Others were accrued after investing in hardware. For example, one company spent $1.9 million on special cameras to use Windows Hello while another spent $1.3 million on smartcards for two-factor authentication (a caveat: there’s a yearly expense for replacing lost smartcards, but that figure is nominal compared to the initial outlay).

To reduce these operational expenses, increase security and improve the user experience, many companies are looking into passwordless authentication. The examples highlighted below are based on figures from real companies. They look at the cost of authenticating using passwords, Windows Hello for biometric authentication, smart cards for two-factor authentication, and passwords combined with soft and hard tokens for two-factor authentication. The benefits of passwordless authentication are also discussed.

Authentication method: Passwords

Cost: $1.35 million in lost productivity due to password resets

Each month this insurance company’s help desk fields almost 3,000 password reset calls that require IT staff to contact the employee’s manager to approve the reset. This is a security measure since the organization handles personally identifiable information. In these situations, resetting the password involves three people — the employee, the employee’s manager and someone from IT. 

The password reset process takes an average of 30 minutes, time that each of the people involved loses. Averaging the amount of money each of these employees makes an hour comes out to $25, or $12.50 for half an hour. 

Using those figures, password resets cost the company more than $100,000 each month in productivity. Here’s the math:

3,000 x $12.50 x 3 = $112,500 in lost productivity each month due to password resets

The yearly productivity cost is $1.3 million. Here’s that calculation:

$112,500 x 12 = $1.35 million in lost productivity annually due to password resets

There’s also the user experience to consider. Resetting passwords can turn into a frustrating, time-consuming experience that employees would probably prefer to avoid.

Passwordless authentication’s benefits

Eliminates password reset costs: No resets are required if passwords aren’t being used. 

Increases productivity: People spend more time working and less time resetting passwords. 

Improves the user experience: No cumbersome password resets.

Improves security: Eliminating passwords eliminates the risks posed by attacks that use passwords as an infiltration vector, such as phishing and credential stuffing. 

Authentication method: Windows Hello

Cost: $1.9 million in hardware expenses 

A major pharmaceutical company lets some employees use Windows Hello for authentication, allowing them to use biometrics instead of passwords to access Microsoft applications and hardware. But adopting this technology wasn’t free. Many of the company’s computers lacked the ability to read biometrics. To remedy this, the drug maker spent nearly $2 million and purchased 25,000 USB infrared cameras that cost $76 each so its workers could use Windows Hello.

Here’s that calculation:

25,000 x $76 = $1.9 million

This is a sunk cost, but it’s worth mentioning as more companies consider using Windows Hello. Oftentimes, organizations assume that Windows Hello is free to use. In reality, it requires purchasing hardware, such as USB fingerprint readers, infrared cameras or computers that can read biometrics, and upgrading to Windows 10, which can bring additional software costs.

Organizations are also realizing that Windows Hello doesn’t work in complex IT environments. It’s only compatible with Microsoft products, so people who use Macs and Chrome, for example, can’t use it. Companies that use thin clients, which are popular in call centers, also can’t use Windows Hello. Passwordless authentication accommodates different OSes, browsers and hardware so companies can take a hybrid approach to authentication. 

Passwordless authentication’s benefits

Works in complex IT environments: Allows passwordless authentication in diverse IT ecosystems with different OSes and hardware.

Reduced hardware costs: Special hardware like infrared cameras and USB fingerprint readers aren’t required. Employees just need their smartphones.

Authentication method: Smart cards

Cost: $1.3 million

A global financial services organization uses smartcards for two-factor authentication (passwords are the first). It purchased 78,000 smartcards that cost $16 each for a cost of $1.3 million. Approximately 8,000 smartcards are lost every year and replacing them costs the business around $100,000. Adding those figures together totals $1.3 million. 

Here’s the math.

78,000 x $16 = $1.2 million

8,000 x $16 = $100,000

This is another sunk cost, but it should be pointed out since other companies are considering using smartcards for two-factor authentication or spending money to upgrade existing smartcard systems.

Eliminating smartcards also offers employees a better user experience. Instead of carrying around a smartcard for two-factor authentication, employees can use their biometrics and smartphone with passwordless authentication, which is more convenient. Also worth mentioning is that this financial services company had to purchase keyboards equipped with smartcard readers, which cost between $40 and $60. The organization didn’t share how much it spent on that hardware.

Passwordless authentication’s benefits

Reduces operational costs: Companies won’t have to replace lost smartcards or buy hardware that can read them. 

Improves the user experience: Employees use their smartphone and don’t have to carry around a card to authenticate. 

Authentication method: Passwords and soft and hard tokens for two-factor authentication

Cost: $12 million*

This global bank spends $120 per employee per year on password resets and token replacements (the company uses a combination of hard and soft tokens, so this figure includes both expenses). Of the bank’s approximately 200,000 employees, at least half require one password reset every year. That comes out to $12 million per employee per year on password resets. Here’s the math:

100,000 x $120 = $12 million*

Of course, that figure will increase based on the number of password resets, which is why there’s an asterisk next to it. Expenses could exceed $24 million per year if every employee resets one password, or if an employee resets multiple passwords several times in one year. 

Beyond the cost, there are also user experience and security issues with both authentication methods. Password management policies require bank employees to change their passwords twice a year and prohibit them from reusing previous passwords. This is a hassle for workers and usually results in them writing down their passwords or violating security policies by using password manager tools, which are banned. Hard tokens are cumbersome for employees to carry, and soft tokens require toggling between different browser tabs to enter the one-time password. In addition, passwords are frequently used in attacks, and the FBI has warned that attackers are obtaining OTPs and using them to circumvent two-factor authentication measures.

Passwordless authentication’s benefits

Eliminates password reset costs: No resets are required if passwords aren’t being used. 

Provides a better user experience: There are no passwords to create or remember, no additional hardware is required and there’s no switching between screens to enter a code.

Improves security: Eliminating passwords and OTP means they can’t be used by attackers. 

Can your organization afford to not go passwordless?

Given the benefits passwordless authentication provides — substantially lower operational costs, better security and an improved user experience — organizations should consider whether continuing with their current authentication methods is practical. The technology required to go passwordless — biometric authentication — is familiar and commonly used by people while proper storage means biometrics are more secure than passwords.

As authentication evolves, passwordless is poised to become how businesses protect data and customers access services. Gartner, for example, forecasts that by 2022, 60 percent of businesses will have cut their reliance on passwords by half. And the World Economic Forum sees passwordless authentication as an essential part of digital transformation. These business benefits and cost savings make eliminating passwords a top priority for technology and security leaders in the coming years.
