How to Evaluate the True Costs of Multi-Factor Authentication
Not all multi-factor authentication (MFA) solutions are equal. Some include extra features; others carry hidden costs. The total cost of ownership includes all direct and indirect costs of owning a product. For a two-factor authentication solution, that may include hidden costs, such as upfront, capital, licensing, support, maintenance, and operating costs. Don’t forget the many other unforeseen expenses like professional services and ongoing operation and administration costs that accumulate over time.
“With Duo, we were able to bring consistent security controls across all of our apps by streamlining to one MFA and SSO solution at a much lower total cost of ownership…. Our clients are able to easily self-enroll, deploy 2FA and SSO against their own applications, regardless of where they’re hosted, and Duo nearly halved our 2FA-related support workload.” —John Bryant, Chief Technology Officer, Options Technology Ltd.
How can you be sure you’re getting the best security return on your investment?
See if your vendor’s purchasing model requires that you pay per device, user or integration – this is important if your company plans to scale and add new applications or services in the future. Many hosted services provide a per-user license model, with a flat monthly or annual cost for each enrolled user. When investigating licensing costs, make sure to confirm whether licenses are named (locked to a single user ID) or transferable, whether there are add-on charges for additional devices or integrations configured, or delivery charges for different factor methods. Estimate and plan for how much it will cost to deploy multi-factor authentication to all of your apps and users.
Administrative Software/Hardware Requirements
Are these included in the software license? Additional management software is often required for some companies – without this, customers can’t deploy MFA. Does the service require the purchase and configuration of hardware within your environment? Confirm the initial and recurring costs for this equipment, and research the typical time and labor commitment necessary to set up these tools. For administrative access with tiered permissions based on license version, confirm all functionality you depend on is available or collect a complete list of necessary upcharges.
Will you need to purchase hardware authentication devices? Physical tokens add inventory, management, and shipping costs to consider. For mobile authenticators, confirm if there is any per-device cost for soft tokens, or if an unlimited number of enrolled devices is permitted for each user license.
“You just feel like you’re constantly being nickeled and dimed with RSA. There’s the extra cost of re-upping the tokens on a three year interval, as well as add-ons and extra features. If you need to replace any of the broken tokens, you’re talking about another added cost. The whole program gets very, very expensive. We just weren’t comfortable with that at all.” —Security Analyst, Enterprise Retail Company
While network environments with a traditional perimeter defense model rely on a handful of key services to maintain visibility and enforce security standards, the growth of SaaS adoption has resulted in many piecemeal solutions to cover the expanded needs of securing cloud-based data and assets. Consider the hidden costs of complex integrations. A multi-functional MFA platform/portfolio player like Duo Security by Cisco helps you avoid these costs.
Secure access includes strong authentication through MFA to validate users, and may also include:
Endpoint management or mobile device management tools for defending against device compromise threats
Single sign-on portals to centralize and simplify login workflows for users
Log analysis tools to identify and escalate potential security threats
Multiple dashboards to manage disparate services and cover unsupported applications, and more
Along with the redundant costs that can accrue from these overlapping services, each added tool increases complexity and the chances of human error or oversight. Finding a solution with comprehensive utility for secure access can reduce both initial and ongoing management labor costs.
Data Center Costs
Do you have to purchase servers? Server hosting costs can add up: power, HVAC (heating, ventilation and air conditioning), physical security, personnel, etc. A cloud-based solution will typically build these costs into the licensing model.
High Availability Configuration
Is this also included in your software license? By setting up duplicate instances of your software and connecting a load balancer with the primary instance, you can end up tripling your software costs. Deploying a redundant or disaster recovery configuration can also increase costs significantly. In fact, some vendors charge additional licensing fees for business continuity.
“The simple subscription-based pricing is easy to manage and we know exactly what we are getting.” —Wayne Keatts, Assistant Vice President & Information Security Officer, Methodist Health System
Tip: Look for vendors with simple subscription models, priced per user, with flexible contract times.
Deployment & Configuration
Find out if you can deploy the solution using your in-house resources or if it will require professional services support and time to install, test and troubleshoot all necessary integrations.
Estimate how long it will take each user to enroll and if it requires any additional administrative training and helpdesk time. Discuss with your vendor the typical deployment timeframe expected with your use case, and seek feedback from peers to validate how this aligns with their experience. Look for an intuitive end-user experience and simple enrollment process that doesn’t require extensive training. Keep in mind: token-based solutions are often more expensive to distribute and manage than they are to buy.
To make it easy on your administrators, look for drop-in integrations for major apps, to cut time and resources needed for implementation. Also confirm the availability of general-purpose integrations for the most common authentication protocols to cover edge use cases, along with APIs to simplify integration for web applications. See if you can set up a pilot program for testing and user feedback – simple integrations should take no longer than 15 minutes.
Patches, Maintenance & Upgrades
Annual maintenance can raise software and hardware costs, as customers must pay for ongoing upgrades, patches and support, and may even have to search for new patches from the vendor and apply them. Look for a vendor that installs software, security fixes and other critical updates automatically, saving the cost of staffing a team for it.
One of the lasting benefits of SaaS and cloud-hosted services is that servers, maintenance and monitoring are covered by the provider’s network and security engineers, lightening the load for your team. Depending on your solution, you may otherwise have to manually upgrade to the latest version.
You should also consider the frequency of updates since some vendors may only update a few times a year, which can leave you susceptible to new vulnerabilities and exploits. Choose a vendor that updates often, and ideally rolls out automatic updates without any assistance from your team.
Consider the costs of employing full-time personnel to maintain your multi-factor solution. Does your provider maintain the solution in-house, or is it up to you to hire experts to manage it? Estimate how long it takes to complete routine administrative tasks. Is it easy to add new users, revoke credentials or replace tokens? Routine tasks, like managing users, should be simple. Sign up for a trial and take it for a test run before deploying it to all of your users.
“Connectria Hosting reduced the number of help requests by more than 75% since deploying Duo.” —Steve Grzybinski, Director of Security and Compliance, Connectria Hosting
Support & Helpdesk
Live support via email, chat and/or phone should also be included in your vendor’s service – but sometimes support costs extra. Consider how much time is required to support your end users and helpdesk staff, including troubleshooting time.
Gartner estimates that password reset inquiries comprise anywhere between 30% and 50% of all helpdesk calls. According to Forrester, 25% to 40% of all helpdesk calls are due to password problems or resets. Forrester Research determined that large organizations spend up to $1 million per year on staffing and infrastructure to handle password resets alone, with the labor cost for a single password reset averaging $70.
If a solution requires extensive support from your IT or infrastructure teams, will you get charged for the time spent supporting your on-premises two-factor solution? Estimate that cost and factor it into your budget.
Token-related helpdesk tickets can account for 25% of the IT support workload. Modern solutions deliver high value for their upfront costs. You should look for a provider that offers:
A simple subscription model
A free authentication mobile app
No fees to add new apps or devices
No data center/server maintenance
High availability configurations
Automatic security and app updates
Administrative panel included
User self-service portal included
User, device and application access policies and controls
Device health and posture assessments
Device context from third-party security solutions
User behavior analytics
Single sign-on (SSO) and cloud support
Traditional solutions potentially have low upfront costs, but not much value, and lots of hidden costs:
Additional cost to add new apps or users
Authenticators – tokens, USB, etc.
Data center and server maintenance
High availability configuration
Patches, maintenance and upgrades
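A worked multi-year comparison of the two purchasing models summarized above, as an added example that is not part of the original guide. The cost categories (licensing, hardware tokens on a three-year re-up cycle, duplicated instances for high availability, maintenance, admin labor, helpdesk tickets at the $70-per-reset benchmark) follow the guide; every price, rate and hour count is a constructed placeholder to be replaced with real quotes.

```python
from dataclasses import dataclass

@dataclass
class TokenBasedMFA:
    """On-premises hard-token MFA; all inputs are constructed placeholders."""
    users: int
    token_price: float           # per hard token
    token_lifetime_years: int    # guide: tokens re-upped on a three-year interval
    breakage_rate: float         # share of tokens replaced each year (lost or broken)
    server_capex: float          # servers/appliances, charged per instance
    software_license: float      # license, charged per instance
    instances: int               # 1 = single; 3 = primary + duplicate + DR (guide: "tripling")
    maintenance_rate: float      # annual patches/support as a fraction of license + hardware
    admin_hours_per_year: float  # patching, token inventory, user management
    hourly_rate: float
    tickets_per_user_year: float # MFA-related helpdesk tickets
    cost_per_ticket: float       # guide cites ~$70 per password reset as a benchmark

    def breakdown(self, years: int) -> dict:
        license_cost = self.software_license * self.instances
        hardware = self.server_capex * self.instances
        reissues = (years - 1) // self.token_lifetime_years   # full re-up events inside horizon
        tokens = self.token_price * self.users * (1 + reissues + self.breakage_rate * years)
        return {"license": license_cost, "hardware": hardware, "tokens": tokens,
                "maintenance": (license_cost + hardware) * self.maintenance_rate * years,
                "admin_labor": self.admin_hours_per_year * self.hourly_rate * years,
                "helpdesk": self.users * self.tickets_per_user_year * self.cost_per_ticket * years}

@dataclass
class SubscriptionMFA:
    """Cloud-hosted MFA priced per enrolled user; servers, HA and patching sit in the fee."""
    users: int
    price_per_user_year: float
    admin_hours_per_year: float
    hourly_rate: float
    tickets_per_user_year: float
    cost_per_ticket: float

    def breakdown(self, years: int) -> dict:
        return {"subscription": self.users * self.price_per_user_year * years,
                "admin_labor": self.admin_hours_per_year * self.hourly_rate * years,
                "helpdesk": self.users * self.tickets_per_user_year * self.cost_per_ticket * years}

def total(breakdown: dict) -> float:
    return round(sum(breakdown.values()), 2)

def compare(token: TokenBasedMFA, cloud: SubscriptionMFA, years: int) -> dict:
    """Totals for both models plus the cheaper option's saving in percent."""
    t, c = total(token.breakdown(years)), total(cloud.breakdown(years))
    return {"token": t, "subscription": c,
            "cheaper": "subscription" if c < t else "token",
            "saving_pct": round(abs(t - c) / max(t, c) * 100, 1)}

# Constructed sample inputs for 1,000 users (hypothetical prices, not vendor quotes).
EXAMPLE_TOKEN = TokenBasedMFA(1000, 50, 3, 0.05, 10000, 20000, 3, 0.2, 400, 50, 0.5, 70)
EXAMPLE_CLOUD = SubscriptionMFA(1000, 36, 80, 50, 0.125, 70)
```

Run `compare(EXAMPLE_TOKEN, EXAMPLE_CLOUD, 5)` to see the five-year totals; change the horizon to 3 and the token re-up disappears from the total, which is exactly the kind of sensitivity worth checking before signing.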
Time to Value
Time to value, or speed to security, refers to the time spent implementing, deploying and adapting to the solution. Determine how long it takes before your company can start realizing the security benefits of a multi-factor authentication solution. This is particularly important after a recent breach or security incident.
Proof of Concept
Setting up a two-factor authentication pilot program lets you test your solution across a small group of users, giving you the ability to gather valuable feedback on what works and what doesn’t before deploying it to your entire organization.
Implementation scenarios: Walk through likely implementation scenarios so you can estimate the time and costs associated with provisioning your user base. Cloud-based services provide the fastest deployment times since they don’t require hardware or software installation, while on-premises solutions tend to take more time and resources to get up and running.
Drop-in integrations: Most security professionals don’t have time to write their own integration code. Choose a vendor that supplies drop-in integrations for all major cloud apps, VPNs, Unix and MS remote access points. You’ll also want to look for a vendor that enables you to automate functionality and export logs in real time. Also, to save on single sign-on (SSO) integration time, check that your multi-factor solution supports the Security Assertion Markup Language (SAML) authentication standard that delegates authentication from a service provider or application to an identity provider.
Onboarding & Training Users
Optimize efficiencies: A vendor’s enrollment process is often a major time sink for IT administrators. Make sure you walk through the entire process to identify any potential issues. For enterprises, bulk enrollment may be a more time-efficient way to sign up a large number of users. To support your cloud apps, ensure your two-factor solution lets you quickly provision new users for those apps by using existing on-premises credentials.
Empower users: See if the solution requires hardware or software for each user, or time-consuming user training. Token deployment can require a dedicated resource, but easy self-enrollment eliminates the need to manually provision tokens. With a mobile cloud-based solution, users can quickly download the app themselves onto their devices. A solution that allows your users to download, enroll and manage their own authentication devices using only a web browser can also save your deployment team’s time.
Cloud-based services deploy faster because they don’t require hardware or software installation.
Consider the time, personnel and other resources required to integrate your applications, manage users and devices and maintain/monitor your solution. Ask your provider what they cover and where you need to fill in the gaps.
Some multi-factor authentication solutions require more time and personnel to integrate with your applications, whether on-premises or cloud-based. Check that they provide extensive documentation, as well as APIs and SDKs so you can easily implement the solution into every application that your organization relies on.
User & Device Management
Like any good security tool, your multi-factor authentication solution should give administrators the power they need to support users and devices with minimal hassle. Look for a solution with a centralized administrative dashboard for a consolidated view of your multi-factor deployments.
Your solution should also enable admins to:
Easily generate bypass codes for users who forget or lose their phones.
Add and revoke credentials as needed, without the need to provision and manage physical tokens.
Ask your provider if they offer a self-service portal that allows users to manage their own accounts, add or delete devices, and perform other simple tasks.
Make sure that your solution requires minimal ongoing maintenance and management for lower operating costs. Cloud-hosted solutions are ideal since the vendor handles infrastructure, upgrades and maintenance. Can you use your existing staff to deploy and maintain this solution, or will you need to hire more personnel or contractors to do the job? Ask your vendor if monitoring or logging is included in the solution.
A solution that requires many additional resources to adapt and scale may not be worth the cost and time. Evaluate whether your solution allows you to easily add new applications or change security policies as your company needs evolve.
Can your staff deploy and maintain the solution, or will you need to hire more personnel or contractors?
High-Availability Architecture for Duo
Duo has maintained uptime of greater than 99.99%, with a hard service level guarantee backed by SLA. Duo’s servers are hosted across independent PCI DSS, ISO 27001-certified, and SSAE 16-audited service providers with strong physical security. We provide a high-availability service split across multiple geographic regions, providers and power grids for seamless failover, and our multiple offsite backups of customer data are encrypted.
This is important because if an outage occurs on the vendor side, there are business costs associated with it; for example, employees are unable to access critical work resources.
Traditional MFA solutions require physical equipment that must be purchased, racked, configured and integrated with existing IT equipment. Additionally, there are costs associated with purchasing and managing hard or soft tokens.
Duo is cloud-based and comes with hundreds of out-of-the-box integrations, making deployment quick and easy. Duo supports VPNs, RDP, Microsoft OWA and cloud apps such as Salesforce, Box and Office 365.
To keep your security solution free of vulnerabilities, MFA patches need to be installed on a timely basis. Traditional solutions require in-house IT support, which can be time and resource-consuming.
Duo doesn’t require any IT support. New updates are pushed every two weeks to ensure your MFA is updated to protect against new threats. Duo also allows your users to self-enroll and manage their own devices, effectively reducing IT helpdesk requests.
Traditional MFA solutions require a significant amount of administrator time to roll out tokens and to educate and train users to use them.
With Duo, users enroll themselves when they sign into applications. Users can use their smartphone for authentication. IT needs fewer resources to deploy MFA solutions to users.
Traditional 2FA solutions use SMS and soft or hard tokens to authenticate users, which requires users to manually type OTP codes into browsers.
Duo’s mobile app sends push notifications to users’ phones, allowing them to log in quickly by tapping an Approve button — increasing productivity and security.
Duo has an upfront value without hidden fees in the future. Duo is more than MFA. Duo MFA, Duo Device Trust, Duo Network Gateway (DNG) and Duo Trust Monitor combine into one trusted access solution and can secure remote access to on-premises infrastructure and prevent breaches from easily getting access in the first place.
Device Trust checks the health of a device, managed or unmanaged, before granting access to the network and can block untrustworthy devices.
The Duo Network Gateway allows your users to access your on-premises websites, web applications, and SSH servers without having to worry about managing VPN credentials, while also adding login security with the Duo Prompt and Duo SSO.
Trust Monitor is machine learning software that continuously monitors your authentications looking for anomalies and flags them with an alert when found.
Choosing vendors is always a bit of a challenge. Knowing upfront what you're buying and any restrictions makes it easier to make an informed decision. At Duo, we provide not only MFA with upfront pricing, but also stronger security, with additional features to protect your credentials and authentications, and we grow with you.
“Duo provides fast deployment without complicated applications to roll out or educate end users to use.” —Sean McElroy, Chief Technology Officer, Alkami Technology, Inc.