Experts predict cybercrime costs will reach $10.5 trillion by 2025, and organizations of all sizes continue to see the business case for investing in robust IT security. Many are adopting multi-factor authentication (MFA) to verify user identity and secure system access.
Of course, part of planning a smooth MFA deployment is accurately budgeting the total cost of MFA implementation. But MFA solutions use different pricing models, and hidden expenses make it challenging to compare total costs.
Here’s how to calculate the total costs of multi-factor authentication.
Direct costs
First, let’s look at the direct, upfront costs of MFA — the ones you expect to see when evaluating MFA solutions.
Licensing fees
Licensing costs for MFA vary, a lot. Some vendors offer a subscription license model, charging a flat monthly or annual fee per device, user, or integration. Some vendors offer a perpetual license, with large upfront costs for a fixed number of devices, users, or integrations.
Confirm whether licenses are tied to a specific user ID or the overall number of users. Ask about additional charges for extra devices per user, integrations, or additional MFA methods.
Implementation costs
To calculate set-up costs, multiply the hours needed for MFA implementation by your IT department’s hourly labor costs.
If you’ll hire external IT specialists to help with integration, include those fees, too.
Indirect costs
To calculate the total cost of MFA, factor in these hidden costs.
Support fees
Nail down if support is paid or not. Many MFA solutions charge separately for support, while others offer full support with the license. Some vendors call support fees “onboarding” or “implementation training.”
It’s common to underestimate the need for support, only to get stuck in implementation. If your solution charges support fees, overestimate how much support you’ll need.
Productivity costs
Any MFA deployment will impact productivity across the organization — not just on the IT team.
Consider:
1. IT downtime during MFA implementation
MFA solutions can take IT hours, days, or weeks to set up, depending on the solution and your environment. Poorly documented or complicated solutions also increase the likelihood of incorrect setups, causing even more downtime. To minimize disruption, start by testing your solution across a small group of users. Then, prioritize critical systems for initial deployment before extending to other applications.
2. Added complexity for IT
Your MFA solution might not integrate with existing systems or may require you to shift to new systems entirely. One common example is when implementing an MFA solution that requires a move from an on-premise Active Directory to a cloud-based identity provider (IdP). Sometimes, doing this requires expertise that your team might not have. Consider the time it will take to learn a new system or to recruit new skills to the team.
3. End-user experience
Complex MFA processes can frustrate users, leading to lockouts and missed deadlines.
Make sure your MFA solution allows end users to skip MFA enrollment temporarily, so they don’t get suddenly locked out of the tools they need to work.
Test how intuitive the MFA process itself is, too. Does the MFA prompt make it obvious what the end user is supposed to do? Unclear instructions can slow down end users, and can also create unnecessary support tickets for IT.
4. IT support and help desk tickets
Even a well-executed MFA rollout can trigger more help desk tickets than usual. Of course, remote work only exacerbates this issue. Estimate how much time IT will spend on internal IT support and add that to your budget.
5. Efficiency losses because of inflexible MFA policies
Overly zealous MFA policies can slow down employees trying to do their jobs and impact profitability. As best you can, evaluate how granularly you can apply MFA policies. Can you set MFA frequency by user, group, and organizational unit (OU)? Can you adjust how often you prompt for MFA based on session type? For access outside the local network?
If MFA policies are inflexible and get in the way, management may instruct IT to disable it or to prompt for MFA less often. If you can’t strike the right balance between security and productivity, can you still make a business case for MFA?
Maintenance costs
Managing regular updates and patches can be time-consuming and costly, especially if the MFA solution is complex.
Long-term costs
Deploying multi-factor authentication also involves long-term costs, including:
Scalability
As the organization grows, you may need to scale the MFA solution. To accurately predict long-term costs, estimate future growth as best you can.
Vendor lock-in
Being tied to a specific vendor can lead to additional costs, especially if it forces you into a new ecosystem that doesn’t align with your existing tech stack.
Evaluate the total cost of MFA
Understanding the total cost of MFA can make it easier to evaluate solutions. Take the extra time to estimate upfront costs, maintenance, support, and potential impacts on productivity and user experience. Cost is never the only factor, but it’s an important one. Ultimately, the best investment will be an MFA solution that fits your budget and maintains strong security without frustrating users or getting in the way of work.
François Amigorena is the founder and CEO of IS Decisions, a global software company specializing in access management and MFA for Microsoft Windows and Active Directory environments. After a career at IBM and a subsidiary of la Société Générale, Francois became an entrepreneur in 1989 and has never looked back.
