Why Switching to Passkeys Can Save Your Business Money

Have you ever tried using passkeys for your Google account? If not, you should consider giving it a try, as it offers a user-friendly experience compared to the traditional login method of using a user ID-password and multi-factor authentication (MFA). But the benefits of passkeys extend beyond the improved user experience; they can also result in significant cost savings for companies that implement them in their websites and apps. This article will discuss two areas where passkeys have a clear cost advantage.

1. Passkeys eliminates Inherent Costs Associated with Passwords

There are several costs related to passwords:

1.1 Password Storage: Passwords are critical to any account, and safeguarding them is a top priority for every company. This necessity makes the storage of passwords at the server end complex and costly. Passwords are encrypted and stored on cloud servers or company servers. Key management, the process of securely creating, storing, and handling the keys used in the encryption and decryption process, can be complex. If you opt to use a managed service to handle this, such as AWS Key Management Service, there will be associated costs.

AWS charges for the use of its Key Management Service. The pricing depends on two main factors:

1. The number of Customer Master Keys (CMKs): These are the cryptographic keys generated and stored in the KMS, which are used to encrypt/decrypt data. Typically the cost is $1.00 per CMK per month.
2. The number of cryptographic operations: These are API requests to the KMS service for encryption, decryption, and other management tasks. Typically the cost is $0.03 per 10,000 cryptographic operations.

1.2 Password Reset Costs:

The cost of password resets is another significant consideration. A study from Forrester Research found that large companies spend between $15 to $70 per password reset due to lost productivity and help desk costs. With millions of users, these costs can accumulate rapidly. The security risk associated with the password reset process itself is another cost, as attackers often exploit these processes to gain unauthorized access, potentially leading to data breaches.

1.3 Costs Related to Password Data Breaches:

‍ Perhaps the most significant cost of passwords is related to data breaches. IBM Security's 2020 Cost of a Data Breach Report estimates the average total cost of a data breach to be $3.86 million. This figure includes direct costs such as detection and escalation, notification, post-breach response, and regulatory fines, along with indirect costs like lost business due to reputational damage and the loss of customer trust.

Data breaches due to password vulnerabilities are quite common. For instance, weak or stolen passwords are responsible for 81% of hacking-related breaches, according to the Verizon 2020 Data Breach Investigations Report. The monetary impact of such breaches can be catastrophic for businesses, particularly small to medium-sized enterprises, which may lack the resources to recover from such an incident.

Passkeys could be a cost-saving measure in all the three scenarios discussed above:

1. Passkeys are based on FIDO standards, which offer the advantage of 'privacy by design'. In passkey-based authentication, a private and public key pair is always associated with an account. The private key never leaves the individual's device, and only the public key is stored on the server. Given today's computing standards, it's impossible to derive a private key from a public key, minimizing server-side costs with basic encryption and minimal security measures.

2. Password resets occur because people forget or lose their passwords, or they may expire due to company policy. With passkeys, no passwords are generated, so there's nothing to remember or store anywhere. Passkeys are tied to biometric verification, significantly reducing the cost associated with password resets.

3. Furthermore, passkeys can significantly reduce the risk of phishing and server-side data breaches. Since hackers can only access non-critical information about users, they cannot gain unauthorized access to accounts. Passkeys are immune to credential phishing since there is nothing for a user to enter into a malicious site or provide to a phisher trying to trick them into providing their credentials (for instance, in a phone call pretending to come from an admin). In addition, passkeys have two-factor authentication built into the flow.

2. The Unwanted cost Challenges of SMS OTP-Based Authentication

Implementing SMS OTP-based authentication involves not only direct costs but also the potential for considerable expenses associated with fraudulent activities such as SMS Traffic Pumping. This type of fraud, also known as Artificially Inflated Traffic, happens when malicious actors exploit a phone number input field used for receiving a one-time passcode (OTP), an app download link, or any other SMS-based communication. Without proper safeguards, these fraudsters can inflate SMS traffic and exploit your app.

In such scenarios, the fraudsters send mass SMS messages to numbers controlled by a specific mobile network operator (MNO), receiving a share of the generated revenue. This can happen in one of two ways:

1. The MNO is complicit in the scheme and has a revenue-sharing agreement with the fraudsters.
2. The MNO is unknowingly exploited by the fraudsters.

If adequate preventive measures aren't in place, unexpected SMS expenses can skyrocket into the thousands of dollars.

Passkey-based login can help prevent SMS Traffic Pumping fraud by eliminating the need for OTPs sent via SMS for authentication purposes. FIDO standards utilize local authentication methods, such as biometrics, to authenticate users. Hence, when a user attempts to log in, instead of receiving an OTP via SMS, they would use their fingerprint or facial recognition to verify their identity.

By eliminating the SMS OTP factor, passkeys effectively neutralize the potential for attackers to engage in SMS Traffic Pumping. Without the need for SMS OTPs, attackers can't exploit phone number input fields to inflate SMS traffic, significantly reducing the potential for this type of fraud.

In conclusion, Opting for passkeys instead of traditional passwords and SMS OTP authentication offers various economic and security benefits. Not only do passkeys simplify the user experience, but they also eliminate multiple hidden costs associated with passwords and SMS OTPs. Transitioning to passkeys based login from traditional password and SMS OTP-based systems can yield substantial cost savings while enhancing user experience and security.

‍