Have you ever tried using passkeys for your Google account? If not, you should consider giving it a try, as it offers a user-friendly experience compared to the traditional login method of using a user ID-password and multi-factor authentication (MFA). But the benefits of passkeys extend beyond the improved user experience; they can also result in significant cost savings for companies that implement them in their websites and apps. This article will discuss two areas where passkeys have a clear cost advantage.
1.1 Password Storage: Passwords are critical to any account, and safeguarding them is a top priority for every company. This necessity makes the storage of passwords at the server end complex and costly. Passwords are encrypted and stored on cloud servers or company servers. Key management, the process of securely creating, storing, and handling the keys used in the encryption and decryption process, can be complex. If you opt to use a managed service to handle this, such as AWS Key Management Service, there will be associated costs.
AWS charges for the use of its Key Management Service. The pricing depends on two main factors:
The cost of password resets is another significant consideration. A study from Forrester Research found that large companies spend between $15 to $70 per password reset due to lost productivity and help desk costs. With millions of users, these costs can accumulate rapidly. The security risk associated with the password reset process itself is another cost, as attackers often exploit these processes to gain unauthorized access, potentially leading to data breaches.
Perhaps the most significant cost of passwords is related to data breaches. IBM Security's 2020 Cost of a Data Breach Report estimates the average total cost of a data breach to be $3.86 million. This figure includes direct costs such as detection and escalation, notification, post-breach response, and regulatory fines, along with indirect costs like lost business due to reputational damage and the loss of customer trust.
Data breaches due to password vulnerabilities are quite common. For instance, weak or stolen passwords are responsible for 81% of hacking-related breaches, according to the Verizon 2020 Data Breach Investigations Report. The monetary impact of such breaches can be catastrophic for businesses, particularly small to medium-sized enterprises, which may lack the resources to recover from such an incident.
Implementing SMS OTP-based authentication involves not only direct costs but also the potential for considerable expenses associated with fraudulent activities such as SMS Traffic Pumping. This type of fraud, also known as Artificially Inflated Traffic, happens when malicious actors exploit a phone number input field used for receiving a one-time passcode (OTP), an app download link, or any other SMS-based communication. Without proper safeguards, these fraudsters can inflate SMS traffic and exploit your app.
In such scenarios, the fraudsters send mass SMS messages to numbers controlled by a specific mobile network operator (MNO), receiving a share of the generated revenue. This can happen in one of two ways:
If adequate preventive measures aren't in place, unexpected SMS expenses can skyrocket into the thousands of dollars.
Passkey-based login can help prevent SMS Traffic Pumping fraud by eliminating the need for OTPs sent via SMS for authentication purposes. FIDO standards utilize local authentication methods, such as biometrics, to authenticate users. Hence, when a user attempts to log in, instead of receiving an OTP via SMS, they would use their fingerprint or facial recognition to verify their identity.
By eliminating the SMS OTP factor, passkeys effectively neutralize the potential for attackers to engage in SMS Traffic Pumping. Without the need for SMS OTPs, attackers can't exploit phone number input fields to inflate SMS traffic, significantly reducing the potential for this type of fraud.
In conclusion, Opting for passkeys instead of traditional passwords and SMS OTP authentication offers various economic and security benefits. Not only do passkeys simplify the user experience, but they also eliminate multiple hidden costs associated with passwords and SMS OTPs. Transitioning to passkeys based login from traditional password and SMS OTP-based systems can yield substantial cost savings while enhancing user experience and security.