Do you know how much your business spends supporting passwords and SMS one-time passcodes for user authentication? The good news is: you don’t have to continue bearing these expenses. MIRACL offers a more cost-effective solution for secure login experiences for your staff and customers.
Watch (or read below) the discussion hosted by Margaret Sherer, MIRACL’s Head of Marketing, with guests - Correy Voo, MIRACL Chairman and former UBS CTO, and Michael Tanaka, MIRACL COO - as they delve into the true costs of password authentication and SMS one-time passcodes.
Margaret Sherer
I’m Margaret Sherer, Head of Marketing at MIRACL, joined by Correy Voo, our Chairman, and Michael Tanaka, our CCO. Today we’re discussing the real costs of passwords. Before we get all into that, Correy, could you do an introduction of yourself?
Correy Voo
A quick 30-second summary. I have been in IT for 35 years or so in various roles; I was recently in a CTO/CIO role in some fairly major banks around the world: Bank of America, UBS, etc. Before that, in large IT companies and telecommunication businesses worldwide.
Margaret Sherer
So you are used to talking about tech, technology, technology as it evolves, and as we take old processes and renew them into our modern day.
Correy Voo
It’s quite an important part of what I’ve had to do as a business leader, making transformational changes and investment cases for senior managers.
Margaret Sherer
You’re well equipped to cover our discussion today, which will look at the true costs of passwords; a couple of data points are constantly passed around. Why spend so much time on this outdated technology with many sunk costs?
Correy Voo
What most people consider to be the birthplace of cyber security started in the 60s-70s, when computational systems became more popular and widespread. Passwords were always thought of as the first part of a solution towards securing systems. But in those days, we only knew a little about the threats to security and various other things. So it was always considered the default solution for a long time and still is for many people. However, the world has moved on, and the solution is no longer the only solution or irrelevant in many cases. Many modern cybersecurity requirements require us to be much more flexible and adaptable to these kinds of things, and basic password solutions are no longer fit for purpose.
Margaret Sherer
Can you elaborate on the projects you’ve worked on where passwords have got in the way, both in terms of the time it’s taken to log in and the added frustration? Then we’ll get to the actual costs afterwards.
Correy Voo
I won’t go into specific details for confidentiality reasons. In many cases where I’ve worked, password systems, and in general, security systems, have been based on designs, theories, ideas and concepts that were first generated long ago. It has taken a lot of recent changes in the cybersecurity world for those theories to be superseded by new ideas and concepts. Finally, security and access controls are always about allowing people to access a service or gain access to a particular function. And if it doesn’t happen in a fast, efficient, quick way, you’re effectively limiting the amount of performance that the user or a business can perform. An example I can give you is when I worked in a bank where the authentication and access control systems in that business should have been replaced long ago and were earmarked to be replaced. But for one particular example, one specific set of systems took 11 minutes or so to log in and then 11 minutes or so to log out simply because of the complexity of the systems. So if you imagine that as a total amount of time wasted on a given day for everybody in the business, that’s 22 minutes per day for every employee in that business, that isn’t productive.
Margaret Sherer
And in that scenario, we’re talking about Enterprise, and your time spent on it was considered a successful day, with nothing going wrong in your login process. It’s just that’s how long it took to make it. So if you can imagine any failure to get into it, or what we talked about the login success rate, can you go into it a bit further, like what are the real costs you’ve seen for password resets and a poor login success rate?
Correy Voo
The login success rate is a relatively modern concept; in the early days when securities were designed, it was about stopping people from getting into systems. But what we talked about today is access control rather than access prevention. And when you’re talking about access control, login failure rates, the percentage of success for logins, and even how many times you log in, it equates to and calculates and quantifies towards the actual operational cost of providing that security system. The idea of an authentication and access control system is to allow you to safely enter a system and control what you do in that system. If you look at past studies, the average cost of a single password reset call to the support desk ranges from $55 to about $150. The top end is about $257 per single call, which relates to the complexity of the business and the complexity of the system that you’re applying to those security systems. But even if you take the medium number, they say we take $70 as an average, you then let’s take a company with 100,000 employees or customers, more importantly, logins per month. Then you look at passwords alone; 10% of those result in a failure. Only some people are going to report those failures. But let’s assume that 25% of those failures are reported to the helpdesk; you’re talking an average of $175,000 equated cost per those reset calls. That is a substantial amount of money for anybody to equate to.
Margaret Sherer
And that’s per month, and on that support system, it’s not even talking about any of the other costs that go into running your passwords. And then, we talk about how you wonder why companies tolerate these kinds of sunk costs when the password alone is not fit for purpose, but we’re still using it, as you say, as a default. But how do you equate this cost when you then add in multi-factor authentication, and what, once again, in a default multi-factor authentication environment, people are using SMS, how does that then even add more, dare I say, failure and costs?
Correy Voo
The security systems and many paradigms that we use with security were designed a long time ago and have been waiting a long time to be updated; they are now being updated. So modern security paradigms require a lot more flexibility, a lot more adaptability and a lot more precision in what they do. So you can’t apply the traditional hammer rule to everything. You can’t and should not apply a single solution that covers every single environment because those solutions typically don’t exist; in many cases, users have different needs and consumers, in particular, are learning more about the environment. So in your example, if you take a look at a complex solution of any kind that supports an online website, a retail site, a gambling site, or something similar, most people are resorting to, again, multifactor solutions; they’re resorting to encryption. But if you take a look at multi-factor SMS, for example, not only are you increasing the cost of those support functions, you’re also increasing the cost of the systems themselves. You need SMS support tools; you need SMS transmission tools; you need the phones to be capable of receiving SMS. And then, inherently, within the SMS system itself, you’ve got a lot of risks because SMS itself isn’t a guaranteed transmission protocol; there’s no guarantee that the SMS will be received or transmitted. And the data sent by SMS is clear text. So anybody with access to your SMS system can read that information. So again, I advise people to look at the solution you’re trying to secure for and find a solution that best fits that requirement.
Margaret Sherer
So as you mentioned, there are many actual service costs: SMS, calls to the help desk, and the potential losses of people who can’t get through the door. We’re talking about the real cost; there are these potential costs, as far as a real-time cost for people, but equally, if somebody, I kind of always say nobody goes to your website or your app to log in, and that’s not part of that, that shouldn’t be part of the experience. And if you remember it taking so long, you’re also risking your brand trust and longevity of opportunity with those customers. So, with all this in mind and the complexity offered to the marketplace, how can companies rethink authentication and claim back the sunk support costs?
Correy Voo
The most straightforward answer is by simplifying and being more precise and clear about what you’re trying to protect and then applying a solution that meets that requirement’s functional criteria. Again, using a sledgehammer to solve this thing, banging a single hammer into a piece of wood, isn’t the solution for every situation. The data solutions, such as MIRACL, for example, provide a lot more simplicity and a lot more speed and performance, suited explicitly to things such as online use, or kind of temporal usage of those kinds of things where, if the user wants to get into an environment, that’s what they go there to do. As you said, users don’t go to a retail site or a bank site, etc., to enjoy the privilege of logging in. They don’t do that for that reason; they go there to do a particular function; they go there to do a job, and that job is either to go and buy something, to go and place a bet, to go and do some banking, maybe even find out what’s going on, to view media content, etc., etc. The login process is a function that should not prevent people from getting into those systems in a complicated way; they should simply protect as much as necessary. And the requirement for that protection is appropriate to the number of systems that need to be protected. MIRACL, in particular, has a lot of speed in what it does. And the system has the capability of logging in within two seconds. It’s as secure as many other solutions out there. But it has several facets that provide more capabilities for online use and other lightweight use cases.
Margaret Sherer
That all makes sense to me. I like hearing all of the data as far as what the actual costs are. And, returning to your previous example of 11 minutes just to log in as part of your daily routine compared to two seconds with MIRACL. I’m going to invite our CCO, Michael Tanaka, now to show what we think a good and simplified MIRACL solution and login looks like, and then we’re going to discuss a little bit more some of the costs and compare them to what we spoke about before. Welcome, Michael. So please show us what MIRACL looks like and what a fast login does.
Michael Tanaka
Yeah, this is one of the fastest demos you’ve ever seen. So as we’ve mentioned, it’s usually around a two-second process: you hit login, type in your pin, and the whole thing is done. And this can be integrated into any cloud-based service. We also have various IAM products and SSOs which can take advantage of this authentication. So logging in, the ID has already been established in the browser here; you can switch to other IDs, and you have a pin for that particular ID, in this case, demo@miracl.com. The only user action they need is to type in four numbers, and they’re straight in. And that equates to a username password coupled with an SMS OTP, which usually takes around 30 seconds. And, funnily enough, we found that with most of the organisations we’re working with, the average login they talk about is approximately 30 seconds, whether they’re using an authenticator app, or they’re using an SMS OTP or whatever; pretty much everybody’s happy to say 30 seconds, which means we’re saving 28 seconds each time.
Margaret Sherer
Okay, so that’s a lot of time savings right off the bat. Can you also walk us through the potential costs of our system and compare it to what we’ve been talking about - is it just a password alone, or in the previous example, Correy discussing, say, taking 100,000 logins a month, for example?
Michael Tanaka
Yeah. So, your costs come from several different places. And there’s a lot more subtlety to what I’m going to present here; I’m just going to hit some of the main things. One of the biggest ones that we’re looking at, we’ve already mentioned, is the time spent, because that’s a straightforward one that you can measure per authentication. And let’s say in the case of a 1,000-person enterprise logging in five times per day; believe it or not, that would equate to about four man-years saved per year, or about £300 per person, every year, saved by using our system over, let’s say, any other 30-second process. The success rate will make a big difference, which Correy mentioned before. Our success rates are almost unbelievable when you look at them on a B2C engagement, which will almost always be the most challenging thing; with low-frequency authentications, we’re hitting as high as 99.87%.
On a B2E, where it’s employees, you could think of that as an SSL or equivalent, which might be around 99.93%. Or, in other words, a 0.07% failure rate. And on B2B, where agents repeatedly authenticate an action, such as a transaction, we’ve hit as high as 99.997%. So that was two failures in 77,000 events by 1500 agents.
You also have direct costs as well. I find it quite funny when people talk about passwords; they always assume they’re free. And they’re not. Passwords rely on infrastructure and people maintaining it; in many cases, they’re not done correctly. You have poorly trained people managing and maintaining these systems, which are the gateway to your systems and your services. They are most definitely not free. The thing is, a lot of people have just forgotten about those costs. You also have items such as the cost of support, which goes back to that success rate. Taking your failure rate down from 10% to 0.13% or 0.2% will save the number of people who will have to hit that support desk. And, as Correy mentioned, it will be a massive saving whether you’re going low in the $55 or the high end. And then the other thing which must be mentioned is that we are supplying a secure authentication technology here, which means that we will reduce the account takeovers; things like credential stuffing, password spraying, and phishing attacks - none of those attacks will work against our technology. So that means you don’t have to work or worry about this or remediation of these account takeovers you don’t have; there’s a lot of staff time taken. And it’s not just the time taken to remediate the direct issue; you’ve also got to investigate why it happened. And if it goes further than just the account that was taken over. So, you hear some numbers; we’re talking about millions of dollars for any sort of takeovers, generally, not an account takeover, but certainly for a breach. And if you can reduce those account takeovers in the violations, you will reduce those costs significantly.
Margaret Sherer
And with that, just curious, is that something that we find businesses are having to add into their budgets, like the ‘Oh no’ budget, if you will, just in case these kinds of hacks are, if those kinds of things happen, you could imagine that’s a reallocation of funds into something that moves your business forward a bit more.
Michael Tanaka
We have seen many more interesting things arise, like cyber risk insurance. And I think many people are saying, Oh, I’ll get my cyber risk insurance, and then I’m covered. The unfortunate part about it is an insurer, and the insurers will only pay out if they have to. So as an example, we heard of one case where they had to attest that all their systems were secured with multifactor. But they were relying on Microsoft’s conditional access, which meant that it decided not to do a multifactor in one particular case, which reached some of the systems, being the emails, and then the attack occurred. So guess what? The insurance company decided not to pay out; the only way it could have avoided this was to get a much higher licence with Microsoft to control the conditional access to force multi-factor in every step, which they didn’t have.
Margaret Sherer
Can we say that our solution alone could see a reduction of 99%, 98% of current support costs alone?
Michael Tanaka
Yeah, if you’re using SMS, but there are many parameters to that estimate. But if you’re using mid-rate things for the failure rates for username passwords, coupled with an SMS OTP, if using, let’s say, a support ticket cost of around $70. And if you’re using a fair number, for us, a failure rate of about 0.2%, then what you’re looking at is a cost reduction based on the support, the support costs, mainly about 98% to 99%.
Margaret Sherer
These costs are, to summarise, being able to take your login success rate from 90% with passwords alone. Can you talk more about MIRACL’s pricing model compared to people using SMS as a multifactor authentication second step?
Michael Tanaka
Yeah. Okay, so when you’re looking at our pricing model, we must understand that we are providing the entirety of that authentication framework. If you’re comparing against SMS, often, people, what they’ll do is just look at the SMS costs. And even if you look at it versus the SMS costs alone and exclude all the other infrastructure because you still generally have the credential base or the username password stuff, you still have everything else, which generates these OTPs and consumes them well. Even if you exclude that, just look at the SMS costs; we’re typically from a quarter to a 20th of the cost of the SMS, especially if you’re looking in Western Europe, where it can be as high as around 20 cents in some areas, and certainly in parts of, let’s say, Africa as an example. So our costs are generally about 1 cent per use on low volumes and as low as 0.3 cents per use on high volumes. And that’s the entirety of it. So there are no additional licence fees, bandwidth fees, registration fees, or anything like that. It’s all down to that usage. So very straightforward. So,
Margaret Sherer
Some people might say that this is too good to be true. Some of our clients have said that and thought it was so good to be true, meaning a multi-factor authentication that’s easy for the consumer to use and gives so much cost back to the organisation. How can you reassure those that might be sceptical?
Michael Tanaka
One of the best assurances is speaking to some of our customers, which we can arrange for the interested parties. But a lot of this is obvious when you get to think about it. Because what we’ve done is straightforward. It’s sort of like, ‘Why hasn’t somebody done it before?’ We’re stripping out all the extra steps through the authentication; we’re making it a single-step process. So that means a user just types in that PIN. That’s important because every extra step is another source of failure from a user’s perspective. Also, every additional device you have to bring into play, or network or another sort of technology, is a point of failure as well. So if you think of something as straightforward as, let’s say, having to have a mobile phone when you authenticate in a browser, Google found in 2019 that 38% of users don’t have a mobile phone present. And that includes, it’s not it’s in the car, it’s in my jacket pocket, it may be turned off, maybe it doesn’t have a charge. So when you start with those sorts of problems, you can understand why there’s a high failure rate with almost every other form of strong authentication, whereas ours is tied directly to the channel you’re receiving the cloud service. And if it’s a native app, or integrated directly with the native app, if it’s a browser, we’re delivered directly from the same browser you’re receiving that service from, so it means that there won’t be any chance that they won’t be available at the time you need it.
Businesses are facing significant costs associated with passwords in three main areas: operational costs, such as helpdesk expenses that can reach up to $175,000 per month for simple password reset support tickets alone; business waste resulting from time lost due to failed logins; and the actual commercial cost of maintaining systems to support SMS passcodes, which can be as high as 20 cents per use in some parts of the world. In contrast, MIRACL Trust, a security solution, costs around 1 cent per use and can be even lower than 0.03 cents per authentication on high volumes. It is becoming increasingly clear that passwords are no longer suitable for today’s security needs. The login success rate is crucial for cost savings and revenue generation. With MIRACL’s login success rate of 99.8%, customers can easily access their accounts and conduct transactions securely. This discussion was hosted by Margaret Sherer, MIRACL’s Head of Marketing, with guests - Correy Voo, MIRACL Chairman and former UBS CTO, and Michael Tanaka, MIRACL COO.