
Cost of Passwords

Many companies' support teams are overloaded with password reset calls. Research from Forrester puts the average cost of a single password reset at about $70, and a Gartner report estimates that 20% to 50% of all help desk calls are for password resets.

On top of all this, IBM's Cost of a Data Breach report found that 20% of all breaches started with compromised credentials.

The global average total cost of a data breach is $4.24m, but in the United States the average more than doubles to $9.05m. I highly recommend reading that report; it has a lot more information about the cost of data breaches.

Needless to say, passwords are expensive.

So, what do we do about it?

There are several new technologies that attempt to mitigate the costs and risks of passwords. These include:

  • FIDO - FIDO is a family of specifications from the FIDO Alliance (UAF, U2F and FIDO2) for authenticating without a password. The authenticator holds a private key and proves possession of it by signing a challenge the server sends; the server stores only the public key, so a breach of its database yields nothing that can be replayed.
  • WebAuthn - WebAuthn is the W3C standard that exposes FIDO authentication to web pages through a browser API. Together with CTAP, the protocol between browser and authenticator, it makes up FIDO2, so it is built on top of FIDO rather than being a separate mechanism.
  • MFA - Multi-factor Authentication is not a single technology but the practice of requiring two or more independent factors (something you know, something you have, something you are). It combines several items on this list with techniques such as time-based codes or biometrics.
  • OTP - A one-time password is a code that is valid for exactly one login, delivered to the user over a channel you have already verified, such as email or an app on a registered phone. See this blog post on why SMS is not a secure channel for OTP.
  • TOTP - Time-based One-Time Password (RFC 6238) is a standard in which an authenticator app stores a shared secret (the seed) and derives a short code from that secret and the current 30-second time step. The service holds the same secret, computes the code it expects for the current step (usually tolerating one step of clock drift either way), and compares it with what the user submitted to verify that they had access to the authenticator app.
  • Biometrics - Biometric authentication uses a physical trait such as a fingerprint or an iris scan. In practice the match is done locally on the device to unlock a stored key; the biometric itself is not sent to the service.
  • Hardware - Hardware-backed authenticators such as smart cards, security keys and the secure element in a smartphone keep private keys in tamper-resistant storage that the key never leaves. Some FIDO implementations use such hardware to store and unlock the crypto keys.
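The FIDO and WebAuthn entries above describe a challenge signed with a private key the server never sees. The Go program below is an added example, not code from the original post or from SpartanAuth, and it is a deliberately reduced WebAuthn assertion (no attestation, no CBOR, no RP ID hash or signature counter inside authData): the relying party issues a random challenge, the browser and authenticator sign authData together with the hash of the client data, which carries the origin the browser actually saw, and the server checks the origin, consumes the challenge so it is single-use, and verifies the signature. The RelyingParty and Assertion types, the user name and the origins are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData holds the WebAuthn CollectedClientData fields used here. The browser
// fills in Origin, so the signature is bound to the site the user was really on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the server's random challenge
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's response for one login.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // RP ID hash, flags and counter in real WebAuthn; opaque bytes here
	Signature      []byte // DER ECDSA signature over authData || SHA-256(clientDataJSON)
}

// RelyingParty is the server side (a hypothetical type for this example): its own
// origin, each user's registered public key, and challenges not yet consumed.
type RelyingParty struct {
	Origin     string
	PublicKeys map[string]*ecdsa.PublicKey
	pending    map[string]bool
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, PublicKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// NewAuthenticatorKey creates the per-credential P-256 key; only the public half is registered.
func NewAuthenticatorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// BeginLogin issues a fresh 32-byte random challenge and records it as outstanding.
func (rp *RelyingParty) BeginLogin() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ch := base64.RawURLEncoding.EncodeToString(buf)
	rp.pending[ch] = true
	return ch, nil
}

// signedDigest is the message hash WebAuthn specifies: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Sign is the browser+authenticator side; origin is whatever page asked, phishing site included.
func Sign(priv *ecdsa.PrivateKey, challenge, origin string, authData []byte) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// FinishLogin checks ceremony type and origin, that the challenge is one we issued
// and still unused (it is consumed here, so a captured assertion cannot be replayed),
// and finally the signature against the user's registered key.
func (rp *RelyingParty) FinishLogin(user string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != rp.Origin {
		return errors.New("assertion was made for another ceremony or origin: " + cd.Origin)
	}
	if !rp.pending[cd.Challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.pending, cd.Challenge)
	pub, ok := rp.PublicKeys[user]
	if !ok || !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("unknown user or bad signature")
	}
	return nil
}

func main() {
	priv, _ := NewAuthenticatorKey()
	rp := NewRelyingParty("https://login.example.com")
	rp.PublicKeys["alice"] = &priv.PublicKey // registration: only the public key reaches the server
	ch, _ := rp.BeginLogin()
	phished, _ := Sign(priv, ch, "https://login.example.com.evil.test", []byte("authData"))
	fmt.Println("phished:", rp.FinishLogin("alice", phished))
	good, _ := Sign(priv, ch, "https://login.example.com", []byte("authData"))
	fmt.Println("genuine:", rp.FinishLogin("alice", good), "replay:", rp.FinishLogin("alice", good))
}
```

The phishing case is the point of the origin check: a proxying phishing page can relay the genuine challenge, but the browser writes the phishing origin into clientData, so the signature the user produces is useless on the real site. A production relying party would additionally verify the RP ID hash and the monotonically increasing signature counter inside authData.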
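The TOTP entry above compresses the whole mechanism into a sentence. The Go program below is an added example, not code from the original post or from SpartanAuth: it implements HOTP (RFC 4226) and TOTP (RFC 6238), decodes the base32 secret format that authenticator apps exchange, and on the service side verifies a submitted code against a one-step drift window while refusing any time step at or before the last one it accepted, so a code captured in transit cannot be replayed inside the window. The secret and timestamps are the RFCs' published test vectors; the Verifier type and its field names are my own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// hotp computes an RFC 4226 value: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamically truncated to 31 bits, reduced to the requested number of digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, truncated%mod)
}

// totp is RFC 6238: HOTP with the counter replaced by the number of whole
// time steps (normally 30 s) elapsed since the Unix epoch.
func totp(secret []byte, unixTime int64, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// DecodeSecret parses the unpadded, case-insensitive base32 form that
// otpauth:// URIs and authenticator apps use for the shared secret.
func DecodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// Verifier is the per-user state the service keeps (a hypothetical type for this
// example). lastCounter is the time step of the last accepted code: anything at
// or before it is refused, which blocks replay of a code seen in transit.
type Verifier struct {
	Secret      []byte
	Step        int64 // seconds per time step; RFC 6238 default is 30
	Digits      int
	Skew        int   // steps of clock drift tolerated on either side of now
	lastCounter int64 // -1 until the first successful verification
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{Secret: secret, Step: 30, Digits: 6, Skew: 1, lastCounter: -1}
}

// Verify accepts code if it matches one of the 2*Skew+1 candidate steps around
// now and that step is newer than the last accepted one. The comparison is
// constant-time so response timing does not leak which digits matched.
func (v *Verifier) Verify(code string, now int64) bool {
	if len(code) != v.Digits {
		return false
	}
	current := now / v.Step
	for d := -int64(v.Skew); d <= int64(v.Skew); d++ {
		c := current + d
		if c < 0 || c <= v.lastCounter {
			continue // already consumed (or before the epoch): reject even if it would match
		}
		expected := hotp(v.Secret, uint64(c), v.Digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test secret "12345678901234567890" in base32, as an authenticator app would store it.
	secret, err := DecodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := totp(secret, now, 30, 6)
	v := NewVerifier(secret)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

Two details matter more than the arithmetic. The drift window is what makes a phone with a slightly wrong clock still work, and it is also why the verifier must remember the last accepted step: without that, every code stays valid for up to 90 seconds and can be submitted twice. And the service should rate-limit attempts, since a six-digit code with a three-step window gives an online guesser roughly 3 in a million odds per try.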

All of these technologies look promising, but there are still a few things to consider. First, their cost is not as low as it could be. Implementing any one of them in-house requires at least one domain expert to build and maintain it. Alternatively, you could use one of the large identity providers on the market, but they also cost an arm and a leg, and integrating with them is about as complex as building some of these technologies yourself. Second, if the user experience is not well planned out, it can be unclear to users how to manage their own authentication mechanisms, and when friction is added to an authentication system, people tend to avoid using it. For example, 58% of consumers in the U.S. have abandoned purchases due to the difficulty of managing passwords. In the coming months I will be adding posts about implementing each of these technologies and the considerations for each.

Seeing as you are on the SpartanAuth blog, I might as well put in a plug for that project. SpartanAuth is an open source application that aims to make all the technologies listed above easier to integrate into your web and mobile applications. It is a microservice that lets users manage their own authentication mechanisms. It is written in Go and is available on our website, SpartanAuth.com.
