One of the great things about two-factor authentication is that it is one of the rare solutions that can make a claim to increase security while reducing cost.
It may seem unfeasible that implementing a technology such as two-factor authentication can actually lead to a reduction in cost, but evidence exists that indicates that substantiates the claim.
Surveys regularly identify cost as being a primary obstacle to the deployment of security technologies such as two-factor authentication. In their 2012 SMB strong authentication survey, Celestix found that almost half of SMB organisations did not employ any form of two-factor authentication. When asked why, 30% of respondents cited cost as the reason.
The response is interesting. At first, it is hard to look beyond the large number of organisations that still rely on static passwords for identifying users. However, we should also note that 30% of organisations see value in implementing security controls dependent on cost. As an IT security professional, this gives me hope and presents me with a challenge. How do we ensure all organisations secure themselves from password misuse, while driving down operating costs?
Cost comes in many guises, but I want to address the core costs associated to the provisioning and management of passwords.
First let’s look at provisioning and management. When deploying a two-factor authentication solution it is necessary to apply business processes and discipline. The good news is that once this is in place the use of a two-factor solution should be more efficient than managing an estate of static passwords. Research such as that carried out by Aberdeen Group in its 2011 paper, ‘Stronger Authentication for Small and Mid-Sized Business’, suggests that organisations using two-factor authentication can recognise up to 25% greater efficiency than those using static passwords.
The total cost of managing identities and authentication, including people, process, technology, services and support, was $12.60 for organisations using a two-factor authentication solution. This is compared to $13.60 per user for those organisations using static passwords. That is an 8% saving from the use of two-factor authentication.
The use of complex static passwords that must be changed regularly is seen by some as an acceptable protection against unauthorised access, but such complexity increases the cost associated with management. Two-factor authentication introduces efficiencies and reduces cost, because it lowers the demands placed on the helpdesk for tasks such as password reset, password changes, de-provisioning and revocation.
We must also consider the cost of a breach. The cost of remediation only applies in the event of a breach, but it is important not to overlook the need for compliance against regulations for appropriate data handling. The cost of remediation varies wildly, based on factors such as size and nature of company, but even if we assume a conservative estimate for the cost of dealing with a security breach in a small or medium sized business of $50,000, this would still represent a serious impact.
Two-factor authentication then is a solution that adds an essential level of protection for organisations but also delivers tangible cost reduction through simplifying management and avoiding the need to manage the password reset process.
“The implementation of a technology that can reduce cost, and yet increase efficiency and security, may not be as unrealistic as it first seems.”