Just because you don’t have to pay anything extra to buy this common form of authentication, it doesn’t mean that passwords are free.
Far from it: quite often passwords end up costing enterprises much more than they bargained for. Although the cost of passwords rarely comes up in management meetings, authenticating identity with passwords is a significant expense for organizations, one with a direct impact on the bottom line. Don’t believe me? Have a look at the data below.
Direct Costs of Passwords
Users are human. And when they forget their passwords, what do they do? They call other humans who can help them reset, recover, or change their passwords.
Help desks and support centers are flooded with password-related inbound calls. Analyst reports estimate that password-related inquiries eat up a significant portion of help desk time. Gartner estimates that password reset inquiries comprise anywhere between 20% and 50% of all help desk calls.
And according to Forrester, 25% to 40% of all help desk calls are due to password problems or resets.
This ends up being an extremely costly problem, as organizations pay twice – for the lost productivity of the forgetful employee, as well as for the time of the support desk staff.
“In a single month in 2017, Microsoft had to reset 686,000 passwords for employees, resulting in support expenses of over $12 million.” – Verizon Data Breach report 2019
Password Management Tools
Combine the ever-expanding number of applications with the rapidly evolving threat landscape, and both the number and the complexity of passwords in an enterprise environment skyrocket.
Source: Ponemon Institute 2019 Authentication research
These changes mean that the enterprise IT teams are adding password management tools into their security tool kits at unprecedented rates.
However, even top-of-the-line enterprise password management tools like LastPass and Keeper have their fair share of security vulnerabilities. Project Zero recently disclosed a security vulnerability that left some of LastPass’s 16 million users exposed to the risk of credential compromise.
Besides, these tools have a relatively high cost per user, adding yet another overhead to the TCO of passwords as an authentication method.
Indirect costs of passwords
Business continuity
Even when users have access to an automated password-reset process, the cost of each reset may be modest, but it is still there. The lost productivity and time of forgetful employees quickly add up for an organization with thousands of users.
For example, by a conservative estimate, the time of someone earning $80,000 a year who waits for their password to be reset costs their employer around $1 per minute.
Employees unable to log in because of forgotten passwords are unable to perform their tasks. More importantly, they are also unable to provide services to clients, which results in missed revenue opportunities that are difficult to estimate.
Password fatigue leads to password reuse and simple passwords
Most CIOs think their organizations only use around 30 or 40 cloud apps. But the average number of apps adopted by enterprises is nearly 1,000.
Let that sink in for a second.
At this point we can’t really blame the users for password reuse, can we? Human memory and cognitive capacity are limited. It is not reasonable to expect a user to remember a separate password for every application in an increasingly versatile enterprise stack.
Having to memorize many passwords pushes users to reuse them or to pick easy-to-remember ones. This opens the floodgates to credential stuffing and password spraying attacks, which are becoming both more common and more effective.
Stolen passwords can be leveraged by unknown actors
The security industry has a severe problem – stolen credentials.
Billions of user records are for sale on the dark web on any given day. Chances are that at least some of your enterprise users’ credentials are among those leaked records. And it doesn’t matter that the services they use for work haven’t been hacked; it is enough that their private email, social media, or dating profile has been breached.
Why? I have one word for you – password reuse.
Once a password is stolen from a service that is completely unrelated to your organization, it can be used to assume your users’ identities and to steal, modify, or sell confidential information.
Ouch.
Going Passwordless with Secret Double Octopus: Reducing cost while improving user experience and security
Improving the efficiency of your support desk, deploying automated password reset processes, and paying for password management tools is one way to go. However, at best, these strategies can only somewhat improve the situation when it comes to password-related overhead.
You have a choice – you can either manage the costs of passwords, or you can forgo them altogether and go for passwordless MFA.
What would happen if you completely removed passwords from your enterprise? The TCO of passwords would drop to zero – an unattainable dream for the organizations still stuck in the password era.