We've changed our name and moved our site to: GoSecureAuth.com

As a Level 1 PCI-compliant service provider we needed a solution that not only met the stringent security standards detailed in the PCI DSS, but also was cost-effective and easy-to-use. SecureAuth exceeded these requirements, resulting in an expedited deployment and highly positive customer experience.

Scott Pedersen,
Director, Engineering,
Managed Network Services, iPass

Two-Factor Authentication TCO SecureAuth® vs. OTP Tokens

How to procure better two-factor strong authentication while reducing costs

Hardware tokens are one of the most popular forms of two-factor authentication in the enterprise. IT professionals are beginning to look for alternatives because they know that hardware tokens are difficult and expensive to deploy and manage. Moreover, the entire true cost is not always readily apparent. Because tokens have been around for quite some time, many associated costs are hidden in various other cost centers. For example, the cost just to ship tokens as they are lost and expire, as well as provisioning them to new employees, can be significant.

SecureAuth is an all-software alternative to hardware tokens. SecureAuth innovates on top of proven enterprise-class technologies, creating a pure browser-based software solution that is not only simple and inexpensive to deploy and maintain, but is also much less expensive in upfront licensing/subscription fees. While technically superior, SecureAuth is also less expensive no matter how you determine the overall cost of ownership.

Of course, a company’s actual cost for deploying any solution varies depending on the size of the user base, the infrastructure of the IT department, and the personnel. This paper is intended to serve as a guide in analyzing these costs. The costs typically fall into the following main categories:

Primary TCO Cost Categories

  1. Cost to purchase hardware/tokens

    While this is the easiest cost to quantify, the cost for tokens can vary widely depending on the vendor and negotiations. RSA SecurID® tokens can cost as much as $50 apiece, while off-brand tokens can sometimes be had for around $20 each. The cost for tokens normally averages $30 or more. Token systems also require one or more servers to run the back-end software. The incremental cost depends on the servers the enterprise decides to use.

    SecureAuth requires no hardware for the user. At the enterprise, SecureAuth can run as a virtual appliance or on a small dedicated hardware appliance. At $2,000 for one appliance, cost per user for a 1,000-user deployment is under $1 per year over three years for the appliance.

  2. Technology licensing/subscription fees

    Licensing schemes for token solutions can take many different forms. A license is often required for the administrative server software and/or per user. Exact costs will depend on the product offering by the vendor. Some might charge a large upfront fee that covers all users; others will charge some combination of a system license and per-user charge. For large quantities, major vendors often charge around $18 per user per year.

    SecureAuth charges only a per-user, per-year subscription. The subscription lists at $7.35 per user per year for quantities of up to 2,000 users. The price decreases with volume.

  3. User Provisioning

    User provisioning is a significant cost that can be underestimated. Every token must be associated on a one-to-one basis with an individual user. This requires both management of the token inventory and a process to assign each user a specific token from inventory, while tracking it on an ongoing basis. These costs are often distributed among various groups, from human resources to the IT help desk, which makes it somewhat difficult to quantify the overall management and maintenance costs. However, specialty firms exist that will take this service on for a charge of $20 per user per year or more. Assuming these firms are efficient and take advantage of scale economies, costs to run in-house are likely more.

    SecureAuth, on the other hand, leverages an enterprise’s existing user database. Software credentials are created via a dynamic, automated system which requires no incremental effort by an administrator as users come and go.

  4. Device Deployment

    Hardware tokens, once they are assigned, must then be physically delivered to each employee at hire, and again when units are lost, stolen or broken. This requires time and management labor and, in most cases, shipping costs. Taken together, deployment costs per token will average at least $15.

    SecureAuth involves a self-service, browser-based enrollment process. Registration is automated for end users in a way that requires no intervention by IT staff.

Summary of "hard" costs

We have summarized some of the more quantifiable costs associated with using tokens as strong authentication. While your mileage may vary, SecureAuth will probably save more than the conservative estimates outlined here.

The annualized cost difference for a 1,000-user deployment over three years is $37.79 per user per year. The total delta for 1,000 users over three years would be $113,370.

Additional TCO considerations

In addition to these hard costs, intangible costs exist that, while difficult in some cases to quantify, are significant. For example:

  1. Hardware tokens are still passing a one-time-password across the internet, exposing that OTP to interception or man-in-the-middle attacks. The cost of a resulting security breach would be huge. For initial deployments, there is significant cost to integrate a token solution into the enterprise environment and enable data synchronization. This requires special skills and significant time.

  2. Loss of productivity by users due to a lost or inoperable token has an unknown, albeit significant, cost to the enterprise.

  3. There is an increased cost for help desk calls for temporary access, sync issues, and hardware malfunction of tokens.

Many of these “softer” costs are difficult to quantify and the actual cost to the enterprise can be endlessly debated. Nevertheless, these additional items are real and should be taken into consideration in an overall analysis of a solution.

Summary

In the end, each IT decision maker will need to perform his or her own analysis. However, one must seriously consider alternative authentication methods, since the cost of hardware tokens is so high. When presented with an all-software solution like SecureAuth, it is easy to establish lower TCO, while achieving a higher level of security and a lessened impact on end users.

 
