It sounds obvious, but an organization’s cybersecurity posture can’t be piecemeal. While an organization may treat certain users differently than others, and while they may need additional protection for higher-risk users, a security program must account for every user.
Meeting that need can become increasingly complex as organizations scale, as IT leaders must evaluate the cost of multi-factor authentication (MFA) solutions alongside user behavior while creating a robust cybersecurity framework.
For many organizations, mobile devices tend to be a pragmatic compromise balancing security, cost, and convenience. Mobile devices are ubiquitous and easy to use to fulfill multi-factor authentication (MFA) requirements: 73% of users believe that smartphones are the most convenient method to fulfill MFA.
As good as mobile app-based authentication may be in creating an organization-wide security program and balancing costs, it’s not a panacea that works for everyone all the time. The cost of multi-factor authentication varies depending on the type of solution and implementation strategy.
User preferences and capabilities
In certain situations, some users may not be able to use mobile devices or rely on mobile connectivity to authenticate (think about a manufacturing clean room). In other cases, employees may not be comfortable installing company-mandated applications on their personal devices to fulfill security requirements.
Hardware tokens
We see organizations deploy two types of solutions to authenticate these users. The first is hardware authenticators using one-time passcodes (OTPs). Hardware authenticators like the DS100 are the gold standard in authentication: they help organizations go passwordless by unifying the cryptographic advantages of FIDO2 protocols and the security benefits of OTP.
The second solution is traditional MFA like SMS-based authentication (which sends OTPs directly to users’ personal devices) and voice OTP.
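To make the difference between the two solution types concrete, here is an added example (not code from RSA, the DS100, or this post) of how an OTP hardware token computes its code on the device and how a server verifies it. It implements HOTP as specified in RFC 4226 (HMAC-SHA-1 over a counter, dynamic truncation, decimal reduction) plus the time-based TOTP variant from RFC 6238, and uses the reference secret and published test vectors from those RFCs so the output can be checked. The verification window, its size, and the counter bookkeeping are illustrative assumptions, not a description of any particular product. The point the example shows: with a hardware OTP token the shared secret never leaves the device and only a short, single-use code crosses the network, whereas an SMS or voice OTP has the code itself generated elsewhere and delivered over a carrier network.

```python
import hashlib
import hmac
import struct

# Shared secret provisioned into the token at manufacture or enrollment.
# This is the RFC 4226 / RFC 6238 reference secret ("12345678901234567890"
# as ASCII), used here only so the results match the published test vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP value as specified in RFC 4226.

    The token holds `secret` and `counter`; only the short code it returns
    ever leaves the device.
    """
    # Step 1: HMAC-SHA-1 over the 8-byte big-endian counter.
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    # Step 2: dynamic truncation. The low nibble of the last byte selects an
    # offset; four bytes from there form a 31-bit integer.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    # Step 3: reduce to the requested number of decimal digits, zero-padded.
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, server_counter: int, candidate: str,
                look_ahead: int = 5, digits: int = 6):
    """Server-side check with a small resynchronisation window (assumed policy).

    A hardware token's counter can run ahead of the server's (button pressed
    without completing a login), so the verifier tries `look_ahead` counters
    beyond the one it expects. Returns the next expected counter on success,
    or None on failure. Every counter at or below the accepted one is then
    burned, which is what makes a captured code useless for replay.
    Comparison uses hmac.compare_digest to avoid timing side channels.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    # Walk through the RFC 4226 vectors: counter 0 -> 755224, 1 -> 287082, ...
    for counter in range(3):
        print(counter, hotp(RFC4226_SECRET, counter))
    # Token pressed twice without logging in; server still expects counter 0.
    print("resync accepted, next counter:", verify_hotp(RFC4226_SECRET, 0, "359152"))
    # Replaying the burned code for counter 0 is rejected.
    print("replay rejected:", verify_hotp(RFC4226_SECRET, 3, "755224"))
```

The code that the user types is all that crosses the network in either model; the security difference lies in where it is generated and what protects the channel it arrives on, which is why a hardware token is not exposed to SIM-swapping or SS7 interception the way an SMS delivery path is.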
Maintenance and support fees
Maintenance and support fees can also add to the total cost over time, especially for mobile-based MFA solutions. These costs often include ongoing updates to mobile applications, ensuring compatibility with the latest operating systems, and addressing security vulnerabilities specific to mobile platforms. Vendors may also charge for maintaining reliable push notification services, troubleshooting device-specific issues, or providing support for users with diverse mobile devices. Additionally, organizations might need to invest in user training to handle mobile app updates and ensure seamless integration with their IT ecosystem. Over time, these factors can significantly influence the total cost of ownership for mobile MFA implementations.
SMS and voice OTP have known security flaws: SMS OTP isn’t encrypted and is vulnerable to network outages, SIM-swapping, social engineering, and SS7 and man-in-the-middle attacks. RSA recommends that organizations move to stronger, truly passwordless authentication over the long term.
However, many organizations still rely on these methods because they:
- support diverse user groups with varying levels of access and risk.
- are often the most affordable MFA options for smaller businesses or specific environments.
The US National Institute of Standards and Technology (NIST) said as much when it wrote that agencies must balance “the practicalities of today’s implementations with the needs of the future,” and that leveraging “SMS to mobile as a second factor today is less effective than some other approaches—but more effective than a single factor.”
There’s no one right way to balance the need to account for all users, enhance cybersecurity, and control costs. Organizations need to weigh each of these factors on their own and choose solutions based on their unique risk profile, resources, users, and goals.
Here are practical steps to control the cost of multi-factor authentication:
- Leverage existing devices like mobile phones to minimize hardware investment.
- Choose scalable MFA solutions that grow with your organization.
- Use free trials or pilots to evaluate solutions before committing to a long-term investment.
While there’s no right way, there is at least one wrong way: organizations shouldn’t let their security solutions be dictated by vendors. Balancing those factors is already difficult enough on its own: it’s exacerbated when vendors impose deadlines or remove capabilities that, while imperfect, still fulfill important needs.