The security risks of passwords are clear, but the price of maintaining a password-based authentication infrastructure should also concern all organizations. These costs, particularly password reset costs, manifest in both “hard” and “soft” expenses. Still, the end result is this: your organization could be spending millions of dollars per year on an inherently flawed system that often lets hackers just walk through the front door.
The costs around lost productivity and increased strain on helpdesk resources are substantial, and that’s only on the employee side. Research on the customer side suggests that shoppers will abandon high-value carts rather than go through a password reset. In addition, the significant increase in remote workers since the pandemic has increased the complexity and costs of password resets: a helpdesk can no longer verify a caller by walking to their desk or checking that they are on the office network, so confirming that the person requesting a reset is really the account owner takes more steps and more time.
Here we discuss the hard and soft password reset costs to organizations and how you can alleviate them.
Several line items in your organization’s IT budget are directly related to password reset costs. The primary among these is the expense of maintaining the password infrastructure itself. Within any organization that uses passwords, a significant share of IT support tickets are for login problems. This directly strains your IT and security budget, which could be better spent elsewhere.
It’s not just users forgetting their passwords, either. Because a password can be phished or leaked without anyone noticing, many companies still mandate organization-wide resets across systems and applications every few months, and every cycle generates its own wave of lockouts and helpdesk tickets. Note that NIST SP 800-63B advises against periodic forced password changes unless there is evidence of compromise, so much of this cost buys little security in return.
Solutions such as self-service password reset (SSPR) may help to reduce tickets but can create even bigger problems for remote employees. For example, if the SSPR portal is only reachable from the corporate network or over VPN, and the VPN itself requires the password the user has forgotten, they have no way to reset it themselves and end up back at the helpdesk.
Other attempts to alleviate password reset costs, such as rolling out password managers to your workforce, can cost up to $18/user/month. On a similar note, efforts to improve the security of password-based systems, such as layering MFA on top of them with one-time passwords (OTPs) sent by SMS or generated by an app to prove possession of a device, also carry significant direct monthly costs, including per-message fees in the SMS case.
Apart from the hard expenses your organization pays to keep employees authenticated through passwords, there are also soft password reset costs. These may not be as tangible but still have a financial impact on the business. The time it takes to reset a password eats into employee productivity. In a recent survey, 63% of IT and security professionals admitted that they could not access critical information for their work after failing to remember a password.
Organizations also need to consider the fiscal consequences arising from the frustration and unsafe practices of employees suffering from password fatigue. This effect can be even more pronounced for remote workers, who may not be able to get on a company network or may get locked out of an account for entering an incorrect OTP, which happens easily when dozens of OTPs are stacked in a single message thread and the user picks an expired one. The lost working hours and demotivational impact of these scenarios represent hidden but still very real password reset costs for your organization.
However, the unsafe security practices that employees take to avoid password resets may create the biggest costs to the enterprise. The cost of a data breach for attacks originating from passwords, including phishing, social engineering and compromised credentials, can be up to $4.65 million. Enterprise employees reuse passwords 64% of the time, despite increased education and training on the dangers.
Password reset policies often result in employees changing a single character, incrementing a trailing number or appending a common suffix such as the current year or an exclamation mark. Attackers holding a breached credential know this and generate exactly those variants of the leaked password, so a “new” password derived this way will not keep them out for long. With 1.7 billion credential pairs exposed last year, organizations cannot afford to overlook the risk.
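The following is an added example, not code from the original article or from HYPR, of what this looks like on both sides: a small function that derives the predictable mutations an attacker would try from a leaked password, and a reset-time check that rejects a new password when it is one of those mutations, a near-copy of the old one, or present in a breach corpus. The breached-password set is constructed inline for illustration; the similarity thresholds and suffix patterns are assumptions, and a real deployment would query a breach corpus rather than embed a list.

```python
import re
from typing import Optional

# Constructed sample breach corpus (assumption): a real check would query a
# breach database, ideally via a k-anonymity range lookup, not a local set.
BREACHED = {"password1", "summer2023", "welcome1", "letmein"}

# Trailing digits optionally wrapped in punctuation: 'Summer2023!' -> stem 'Summer'.
SUFFIX_RE = re.compile(r"^(.*?)([!@#$%^&*.]*\d*[!@#$%^&*.]*)$")


def _stem(pw: str) -> str:
    """Strip the numeric/symbol tail that users rotate while keeping the word."""
    m = SUFFIX_RE.match(pw)
    return m.group(1) if m else pw


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def attacker_guesses(leaked: str) -> set[str]:
    """Variants a credential-stuffing tool would derive from one leaked password."""
    stem = _stem(leaked) or leaked
    guesses = {leaked, leaked + "!", leaked + "1", stem, stem + "!"}
    # Increment a trailing number, keeping any punctuation after it: 2023 -> 2024.
    m = re.search(r"(\d+)$", leaked.rstrip("!@#$%^&*."))
    if m:
        n = m.group(1)
        bumped = str(int(n) + 1).zfill(len(n))
        guesses.add(leaked[: m.start()] + bumped + leaked[m.end():])
    # Stem plus a recent year, with and without the trailing bang.
    for year in range(2020, 2027):
        guesses.add(f"{stem}{year}")
        guesses.add(f"{stem}{year}!")
    return guesses


def reject_reason(old: str, new: str) -> Optional[str]:
    """Return why `new` is an unacceptable replacement for `old`, or None if it is fine.

    Both values are available at change time because the user supplies the
    current password alongside the new one; nothing here requires storing
    old passwords in clear text.
    """
    lo, ln = old.lower(), new.lower()
    if ln in BREACHED:
        return "appears in breach corpus"
    if lo == ln:
        return "same as old password (case aside)"
    if ln in {g.lower() for g in attacker_guesses(old)}:
        return "predictable mutation of the old password"
    if edit_distance(lo, ln) <= 2:
        return "differs from old password by at most two characters"
    if _stem(lo) and _stem(lo) == _stem(ln):
        return "same stem as old password with a different numeric/symbol suffix"
    if lo in ln:
        return "old password embedded in the new one"
    return None


if __name__ == "__main__":
    for old, new in [("Summer2023!", "Summer2024!"), ("Summer2023!", "Summer!2024"),
                     ("Summer2023!", "welcome1"), ("Summer2023!", "correct-horse-battery")]:
        print(f"{old!r} -> {new!r}: {reject_reason(old, new) or 'accepted'}")
```

The mutation list is deliberately short; real cracking rulesets are far larger, which is the point: any rotation a user can do in their head is one an attacker has already enumerated, so the check is a stopgap, not a substitute for removing the shared secret altogether.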
While the security risks of password-based authentication systems make frequent headlines, password reset costs represent a less discussed but significant fiscal risk for your organization. These expenses come in the form of both hard costs (e.g., helpdesk tickets and the staff time to work them, licensing costs for password managers or OTP solutions, the lockouts generated by mandatory rotation cycles) and soft costs (e.g., lost work hours, employee frustration and demotivation, the introduction of unsafe work practices, added alienation of remote workers, and increased risk of data breaches originating from passwords).
As long as authentication depends on a user typing in a secret, some users will get locked out, and getting each one back in takes helpdesk time and expertise, which ultimately costs money. The way to remove these password reset costs from your IT and security budget is to remove passwords from your authentication systems altogether by going passwordless.
HYPR's passwordless MFA provides secure, easy-to-use authentication for your workforce and customers that works with your current SSO and IdP infrastructure. It turns an ordinary smartphone into a FIDO2 security key so users can securely authenticate using familiar, everyday technology. Schedule a demo to learn how HYPR’s low-friction authentication eliminates password reset costs while hardening your security posture.