Cost of Multi-Factor Authentication: Is It Worth the Price?

Mike Engle

Costs of multi-factor authentication can range drastically, but trying to figure out which provider is worth the money can be the hardest part.

Is multi-factor authentication free? While you may be able to find free or cheap multi-factor authentication solutions, these are not in your company’s best interest to use because you’re putting your company at risk of attack if the free version can’t hold up.

What Is Multi-Factor Authentication?

Multi-factor authentication is an authentication technology that uses multiple forms of identity verification in conjunction with one another to strengthen IT system security. Traditional forms of authentication often use a single verification method (typically a username/password combination or a PIN). The problem with this approach is that once a set of credentials is compromised, the entire system is potentially compromised.

Furthermore, relying on a single authentication method leaves the system vulnerable to attacks against that method. For example, a system that relies exclusively on username credentials will remain weak against database attacks or user error without much recourse to other security approaches.

MFA, therefore, combines two or more forms of authentication into a single verification event. To strengthen security, such systems will require that users provide multiple forms of authentication and multiple types of authentications.

These types fall into the following categories:

  • Knowledge (Something You Know):A credential or piece of information the user knows, such as a username and password, a PIN, or other items.
  • Possession (Something You Have): A unique, and usually dynamically generated, piece of information (like a temporary PIN or an email link) sent to the user’s email or phone via SMS. This approach can also include token-based authentication through physical media like USB keys or swipe cards.
  • Inherence (Something You Are): Inherence focuses on biometrics, typically technologies like fingerprint scans, iris scans, and facial recognition.

By combining multiple forms of verification across two or more categories, an identification system can provide more robust security by spreading risk across different types of protection.

What Are the Costs of Multi-Factor Authentication?

Exact costs will be difficult to determine unless a precise set of factors and technologies are understood within the context of your business. However, your organization will incur costs in a few essential areas:

  • Implementation: These upfront costs will include the purchase and installation or adoption of the technology, including migration costs or configuration management services. These costs can include the fees associated with cloud-based identity and access management systems. Some systems leverage “tokens” or USB Keys which have added cost and complexity of distribution and management.
  • Maintenance: Authentication systems will require upgrading, patches, configuration management, and continual monitoring for security and compliance issues. This can call for either an internal, dedicated team or support from a third-party provider.
  • Cost of Training and Onboarding: Any new system will require training, onboarding, and integration with the MFA system. This includes connecting user identities with the new system, setting up employee hardware for the correct software and authentication systems, and formal training and documentation on the use of the system.

What Are Some of the Best Types of MFA Solutions?

We’ve mentioned some potential components of MFA. Not all approaches to MFA are created equal, however. Providers and IT companies are turning to more advanced verification solutions to serve as part of comprehensive security outside of passwords.

Some potential verification solutions include the following:

  • Hardware One-Time Password Tokens: Devices used during authentication will generate cryptographic keys for verification purposes. Often, these devices will require the user to enter a pin or some other identification, and the device will generate a temporary token for the current session.
  • Standalone OTP Mobile Applications: These mobile apps are more common than their hardware counterparts. In fact, many users have encountered these already with software like Microsoft and Google’s respective authentication apps. When users attempt to access a system, they will also provide a temporary password automatically generated by the app.
  • SMS-Based OTP: With SMS technology, an authentication system sends the user a text containing a temporary password or PIN that expires after a few minutes.
  • Mobile Biometrics: Mobile devices have several input forms, including fingerprint scanners, facial recognition, voice recognition, and iris recognition. Facial recognition and voice recognition are advanced forms of biometric ID that are incredibly common with mobile apps.
  • Identity Proofing : Identity proofing is a way to use live interactions and documents to verify a user prior to releasing authentication credentials. For example, an identity proofing system might require a scan of a document, a zoom check-in, or a specific biometric (specifically a facial or iris scan) to prove that the user is present and not another person.

Is MFA Worth It?

That is actually a trick question.  MFA is not only worth it, it is now considered required for any type of sensitive system access.  The real question is, “What type of MFA should an organization use?”

The longer answer involves discussing modern security threats and how they tie into identity management practices. Consider the following trends:

Cyber attacks are increasingly common and sophisticated, costing the economy billions of dollars in revenue. This is because hackers can discover weaknesses in systems and exploit them—and, unfortunately, the weakest point of any security system is the people it protects.

MFA can help mitigate several attacks, including phishing or database hacks—for the following reasons:

  • Reducing Phishing Breaches: Phishing attacks often target users to gain PINs or passwords. However, with a strong MFA implementation, a hacker can’t just use a password to access a system, even if a user accidentally discloses it. They would need biometric information or access to that user’s email or mobile device.
  • Closing Security Gaps: Should hackers breach a database, and should they gain access to password information in that database, they would still need to gain access to user devices, token-generating apps, or biometric information. And, in cases of biometric data, they would need a way to spoof a user’s physical identity.

While an MFA solution might be an investment, it will quickly provide solid return on investment by stopping preventable breaches. And, in cases of cloud or identity-as-a-service systems, the initial investment into an MFA solution may even be less than in on-premise systems.

Strong Identity Proofing and MFA with 1Kosmos BlockID

Many identity and access management providers offer some form of MFA. This approach is a good start towards addressing modern security threats, but it isn’t enough. The newest threats of today, and those coming down the pipeline tomorrow, will need sophisticated and thorough approaches that combine strong biometrics, identity proofing capabilities, and user experiences that minimize user error.

1Kosmos provides such a solution in BlockID, a unique combination of authentication tools and identity management focused on security, compliance, and identity ownership. BlockID includes the following features:

  • Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
  • Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
  • Integration with Secure MFA: BlockID readily integrates with a standard-based API to operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
  • Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.

Read our whitepaper on 2FA and MFA Capabilities to learn about BlockID as your next authentication provider. Also, make sure to sign up for our newsletter to stay informed about 1Kosmos news and products.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Mike Engle

Co-Founder and CSO

Mike is a proven information technology executive, company builder, and entrepreneur. He is an expert in information security, business development, authentication, biometric authentication, and product design/development. His career includes the head of information security at Lehman Brothers and co-founder of Bastille Networks.