The Real Cost of Passwords : Why 2FA and SSO don't help

This post is by IDEE and originally appeared on their website.

The use of passwords in companies, and the risks involved, become more visible with each new hacker attack. Ransomware attacks alone caused costs of around 7.9 billion dollars last year - in the USA alone. Now the question naturally arises: What does ransomware have to do with passwords? Well, according to a recent report on ZDnet, the most popular gateway for ransomware is still a brute force attack, where hackers target weak passwords. Moreover, the methods are becoming more sophisticated and new ransomware (for example "FTCODE") is able to steal passwords from browsers like Firefox or Chrome as well as Microsoft Outlook.

Passwords make employees more expensive

But you don't have to start from the worst case - password theft. It is enough to think about what happens if an employee forgets his password. The first reaction in many companies is probably that he or she contacts IT support to have the password reset. This may not be a problem for a small company, but large corporations with several thousand employees should think carefully about whether they can and want to do this to their helpdesk. After all, resetting a password costs companies on average around $70.

This is not relevant for you, because your company relies on automated password resets? Great. But even if your IT support is not inundated with requests for password-related issues, what about the employee himself? The employee is not operational while waiting for the new password or the mail with the reset link. Even if it's just a few minutes, over the course of a year and with a view to large companies with many employees, the costs add up. During this time, no revenue is generated, acquisition stagnates or the customer request is not processed. A study commissioned by Centrify Corporation estimated the monetary loss of productivity due to password resets at around $420 per employee per year.

Of course, such costs are difficult to quantify, but considering that on average employees are productive for a maximum of 60% of their working time, they should not be ignored. By the way, the same applies to "Password Expiration Policies", which are now common practice in many companies. Not without reason did Microsoft announce last year that it would no longer recommend a corresponding guideline for changing passwords at certain intervals in the future. The reason: The regular change does more harm than good, as it tempts users to use easily remembered passwords.

Convenience becomes a danger

This is generally one of the main problems with passwords: people are not only forgetful, they are also bad at remembering multiple passwords at once. Therefore, many of them tend to use one password more than once. This is not only problematic if they use the same passwords for different business applications. It becomes fatal if they use privately used passwords in the company. Examples from the past have shown this several times.

2FAs and standard MFAs do not make it better

In order to get the situation under control and minimize the risk factor "forgetful employees", companies increasingly rely on approaches such as "Single-Sign-On"(SSO), "Two-Factor-Authentication" (2FA) or "Multi-Factor-Authentication" (MFA). However, this only increases the cost of their password solution - and not necessarily the security. Because many password-based problems remain:

Single-Sign-On

Single-Sign-On only postpones the problem. Instead of many passwords, only one is used. However, this makes the password a single point of attack: if attackers gain possession of this credential set, they have access to all programs and data that are protected by it. This makes the use of passwords and other insecure authentication factors particularly dangerous. In addition, the costs for password management - in addition to acquisition and license costs - remain. 

Two-factor Authentication

Two-factor authentication includes the use of additional factors for authentication. For example, additional "security factors" are built into the login processes or for the release of transactions, such as SMS PINs. This two-factor authentication makes the process more difficult for hackers, but far from secure. The weakest link in the security chain is and remains the user himself. Companies are powerless if users voluntarily hand over their pins and passwords. Attacks such as phishing and CEO fraud are not aimed at "cracking" the individual factors, but at the user's knowledge. The attack on Twitter, for example, made headlines in July 2020 when a 17-year-old hacker posed as a colleague in IT to company employees who needed the access data to access the customer service portal. The bottom line is that the cost of passwords remains and new ones are added - in the form of setup, licensing and maintenance costs.

Multi-factor Authentication

Multi-factor authentication is probably the most reliable option in terms of security, as it combines several credentials. However, this only applies if they can do without passwords. Because the password is and remains the weakest link, and if it falls into the wrong hands, it will cause damage. Be it through insider threats, account transfers (ATOs) or simply because a former employee was not carefully deleted from the system. If your solution manages without passwords and dispenses with centralized logon databases, not only are considerable costs for system administration eliminated, but the risk of an attack on your company is significantly reduced.

Switching to passwordless authentication is easier than you think

The concept of multi-factor authentication can also be implemented without passwords - and without considerable effort. AuthN™ for example is interoperable and can be used in addition to your existing investments in SSO, hardware tokens and password management. Regardless of whether it is a standalone or integrated system, you achieve a significant reduction in risk by truly removing the password. Most password-based enterprise applications can be easily upgraded by using a SaaS MFA authentication provider (like our AuthN™).