How much does MFA cost, really?
Here's how to estimate the true cost of multi-factor authentication (MFA), from licensing fees to productivity impacts.
A version of this article was originally published on TechRound.
With experts predicting cybercrime costs will reach $10.5 trillion by 2025, businesses of all sizes are investing in robust security measures. Many are adopting multi-factor authentication (MFA) or expanding implementation, to better verify user identity and secure access to systems.
But not all MFA solutions are equal, and it’s important to understand how much MFA costs, including potential hidden costs.
Direct costs of MFA (the obvious ones)
IT professionals are used to seeing and evaluating the direct costs of MFA, including:
MFA licensing costs
Upfront costs for MFA vary widely. Some solutions have a subscription license model, charging a flat monthly or annual fee per device, user, or integration. Others provide a perpetual license, with a large upfront cost for a fixed number of devices, users, or integrations.
Confirm whether licenses are tied to a specific user ID or the overall number of users. Ask about additional charges for extra devices per user, integrations, or additional MFA methods.
The cost of MFA implementation
Integrating MFA with existing systems can demand significant time and resources. Often, this process requires specialized technical knowledge. This might mean adding new team members or outsourcing to IT specialists to develop an integration plan.
Moving from Active Directory to a cloud-based MFA solution is a common project that requires new expertise. Deployment is not straightforward and can involve time-consuming assessment and planning.
To calculate MFA implementation costs, multiply the hours needed for MFA implementation by your IT department’s hourly labor costs, plus the fees for any external specialists.
Indirect costs of MFA (the hidden costs)
To calculate the total cost of MFA, don't forget these less-obvious hidden costs.
Paid support
Not all MFA solutions include support with the license fee. Pay special attention to add-ons marked as "onboarding" or "implementation training." These might indicate that you'll need to pay for support.
UserLock includes full support without additional charges, helping you manage the overall cost of multi-factor authentication more effectively.
Productivity costs
An MFA deployment can impact productivity for end-users as well as for the IT team.
As best you can, try to estimate:
Downtime on the IT team
Depending on the solution (and your environment), MFA solutions may take IT a few hours, days, or weeks to implement. Complicated solutions or unclear documentation raise the chances that you'll make a mistake in implementation, which extends the time you'll spend on implementation. Minimize disruption by testing the MFA solution on a small, pilot group of users. Then, you can do an initial deployment on critical systems, before extending to other applications.
IT management overhead
If your MFA solution doesn't integrate with existing infrastructure, you might need to shift to new systems. We commonly see this when a cloud-first MFA solution requires a shift from on-premise Active Directory to a cloud-based identity provider (IdP). Doing this might require skills that your team doesn't have. Estimate the time it may take to learn new skills or recruit the necessary expertise to the team.
End-user experience
Complex MFA processes frustrate end users, and can lead to lockouts and missed deadlines. Your MFA solution needs to allow end users to temporarily skip MFA enrollment, so they don't get locked out of the tools they need to do their job. Test how intuitive the MFA process itself is, too.
Does the MFA prompt guide the end user? Is it obvious what they're supposed to do? Unclear MFA processes and instructions can slow down users and create more help desk tickets for IT.
IT help desk impact
Any MFA rollout will trigger a few help desk tickets. If you have remote employees, you can expect even more of those. Try to estimate the time IT will spend on help desk tickets and factor that into your budget.
Organization-wide efficiency losses
Inflexible MFA policies can get in the way of employees doing critical work. This brings obvious impacts to profitability and to the organization's bottom line. When evaluating MFA solutions, test how granularly you can apply MFA policies.
Can you control MFA prompt frequency by user, group, and organizational unit (OU)?
Can you tweak how often to require MFA based on session type? Employee location?
Overzealous MFA-ing can backfire, badly. Not to mention, if MFA gets in the way, management can and frequently does instruct IT to disable it or adjust prompt frequency to "so rare it barely matters anymore." Striking the right balance between security and productivity is key to the business case for MFA.
Ongoing maintenance costs
Managing your MFA solution's regular updates and patches can be time-consuming, especially if the MFA solution is complex. Try to understand what's involved in a software update, and what actions implementing updates will require on your end.
Longer-term costs
When you deploy a multi factor authentication solution, you'll also incur long-term costs, far beyond the initial MFA deployment.
Ongoing maintenance costs
Managing your MFA solution's regular updates and patches can be time-consuming, especially if the MFA solution is complex. Try to understand what's involved in a software update, and what actions implementing updates will require on your end.
MFA scalability
If you need to scale the MFA solution across more users, devices, etc., will it be easy? Will costs become an issue if you pass X number of users? To accurately predict long-term costs, estimate future growth as best you can.
Vendor lock-in
Being tied to a specific vendor can lead to additional costs, especially if it forces you into a new ecosystem that doesn’t align with your existing tech stack.
Estimate the total cost of ownership (TOC) for MFA
Understanding the total cost of MFA can make it easier to evaluate MFA solutions. Take time to prepare your MFA implementation, even before you start shopping around. Evaluate how much you're willing to spend in total, then break that down into upfront costs, maintenance, support, and potential impacts on productivity and user experience.
Cost is never the only important factor, but a thorough understanding of MFA's total cost of ownership (TOC) comes with the added benefit of forcing you to thoroughly think through key factors for implementation.
In the end, the best investment will be an MFA solution that fits your budget and maintains strong security without frustrating your end users or getting in the way of moving the business forward.