Multi-Factor (MFA) | Two-Factor (2FA) Authentication

MFA/2FA authentication is the simplest, most effective way to make sure users are who they say they are.

Total Cost of Ownership

The total cost of ownership (TCO) includes all direct and indirect costs of owning a product – for a two-factor solution, that may include hidden costs, such as upfront, capital, licensing, support, maintenance, operating and many other unforeseen expenses over time, like professional services and ongoing operation and administration costs.

How can you be sure you’re getting the best security return on your investment? Consider:

Secure Everything, Everywhere

Upfront Costs

See if your vendor’s purchasing model requires that you pay per device, user or integration – this is important if your company plans to scale and add new applications or services in the future. Many hosted services provide a per-user license model, with a flat monthly or annual cost for each enrolled user. When investigating licensing costs, make sure to confirm whether licenses are named (locked to a single user ID) or transferable, whether there are add-on charges for additional devices or integrations configured, or delivery charges for different factor methods. Estimate how much it will cost to deploy two-factor authentication to all of your apps and users.

Is this included in the software license?
Additional management software is often required – without this, customers can’t deploy 2FA. Does the service require the purchase and configuration of hardware within your environment? Confirm the initial and recurring costs for this equipment, and research the typical time and labor commitment necessary to set up these tools. For administrative access with tiered permissions based on license version, confirm all functionality you depend on is available, or collect a complete list of necessary upcharges.

Look for vendors with simple subscription models, priced per user, with flexible contract times.

Token-related help desk tickets can account for 25% of the IT support workload.
While network environments with a traditional perimeter defense model rely on a handful of key services to maintain visibility and enforce security standards, the growth of SaaS adoption has resulted in many piecemeal solutions to cover the expanded needs of securing cloud-based data and assets. Secure access includes strong authentication through 2FA to validate users and may also include:

+ Endpoint management or mobile device management tools for defending against device compromise threats
+ Single sign-on portals to centralize and simplify login workflows for users
+ Log analysis tools to identify and escalate potential security threats
+ Multiple dashboards to manage disparate services and cover unsupported applications, and more

Along with the redundant costs that can accrue from these overlapping services, each added tool increases complexity and the chances of human error or oversight. Finding a solution with comprehensive utility for secure access can reduce both initial and ongoing management labor costs.


Do you have to purchase hardware authentication devices?
Physical tokens add inventory, management, and shipping costs to consider. For mobile authenticators, confirm if there is any per-device cost for soft tokens, or if an unlimited number of enrolled devices is permitted for each user license.

Do you have to purchase servers?
Server hosting costs can add up: power, HVAC (heating, ventilation and air conditioning), physical security, personnel, etc. A cloud-based solution will typically include these costs in the licensing model.

Check that the vendor’s cloud-based service uses PCI DSS (Payment Card Industry Data Security Standard), ISO (International Organization for Standardization) 27001 and SOC (Service Organization Controls) 2 compliant service providers. It only takes one weak link in the security chain of contractors for a breach to affect your organization.

Ensure your solution comes with detailed logs about your users’ activity so you can create custom reports, ideal for security analysis and compliance auditors. Armed with details about jailbroken statuses, patch levels, browsers and more, you can also take action to prevent opening up your network to known vulnerabilities. Monitoring also gives you insight into any user behavior anomalies or geo-impossible logins – if your user logs in from one location, and then logs in from another location around the world, your security team will know.
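The geo-impossible login check described above can be run over exported authentication logs. The following is an added example, not code from any vendor or from this page; the log layout, the sample entries, and the speed and distance thresholds are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample log: (user, ISO-8601 UTC timestamp, latitude, longitude).
SAMPLE_LOGINS = [
    ("alice", "2024-03-01T08:00:00+00:00", 43.04, -87.91),  # Milwaukee
    ("alice", "2024-03-01T09:30:00+00:00", 41.88, -87.63),  # Chicago, 90 min later
    ("bob",   "2024-03-01T10:00:00+00:00", 43.04, -87.91),  # Milwaukee
    ("bob",   "2024-03-01T11:00:00+00:00", 35.68, 139.69),  # Tokyo, 1 h later
    ("alice", "2024-03-01T09:35:00+00:00", 51.51, -0.13),   # London, 5 min after Chicago
]

MAX_SPEED_KMH = 900.0    # assumed threshold: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0  # assumed floor: IP geolocation is too coarse for short hops

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_impossible_travel(logins, max_kmh=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Compare each login with the same user's previous login and return
    (user, earlier_ts, later_ts, km, kmh) where the implied speed is too high."""
    alerts, last_seen = [], {}
    ordered = sorted(logins, key=lambda e: (e[0], datetime.fromisoformat(e[1])))
    for user, ts, lat, lon in ordered:
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_when, prev_ts, plat, plon = last_seen[user]
            km = haversine_km(plat, plon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # Simultaneous logins from distant places have infinite implied speed.
            kmh = km / hours if hours > 0 else float("inf")
            if km >= min_km and kmh > max_kmh:
                alerts.append((user, prev_ts, ts, round(km), kmh))
        last_seen[user] = (when, ts, lat, lon)
    return alerts

if __name__ == "__main__":
    for user, t1, t2, km, kmh in find_impossible_travel(SAMPLE_LOGINS):
        print(f"{user}: {km} km between {t1} and {t2} ({kmh:.0f} km/h)")
```

Corporate VPN egress points and mobile carrier gateways shift a user's apparent location, so alerts from a check like this are usually triaged against a list of known egress addresses before escalation.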

Every organization’s environment is unique. Check if the solution provider offers advanced machine learning-based behavioral analytics that can create a risk profile for your specific organization and notify administrators of any unusual login activity.

Deployment Fees

Find out if you can deploy the solution using your in-house resources, or if it will require professional services support and time to install, test and troubleshoot all necessary integrations.

Estimate how long it will take each user to enroll, and if it requires any additional administrative training and helpdesk time. Discuss with your vendor the typical deployment timeframe expected with your use case, and seek feedback from peers to validate how this aligns with their experience. Look for an intuitive end user experience and simple enrollment process that doesn’t require extensive training. Token-based solutions are often more expensive to distribute and manage than they are to buy.

To make it easy on your administrators, look for drop-in integrations for major apps, to cut time and resources needed for implementation. Also confirm the availability of general-purpose integrations for the most common authentication protocols to cover edge use cases, along with APIs to simplify integration for web applications. See if you can set up a pilot program for testing and user feedback – simple integrations should take no longer than 15 minutes.

Ongoing Costs

Annual maintenance can raise software and hardware costs, as customers must pay for ongoing upgrades, patches and support. It’s often the responsibility of the customer to search for new patches from the vendor and apply them. Look for a vendor that automatically updates the software for security and other critical updates, saving the cost of hiring a team.

One of the benefits of SaaS and cloud-hosted services is that servers, maintenance and monitoring are covered by the provider’s network and security engineers, lightening the load for your team. Depending on your solution, you may have to manually upgrade to the latest version.

You should also consider the frequency of updates — some vendors may only update a few times a year, which can leave you susceptible to new vulnerabilities and exploits. Choose a vendor that updates often, and ideally rolls out automatic updates without any assistance from your team.

Live support via email, chat and/or phone should also be included in your vendor’s service – but sometimes support costs extra. Consider how much time is required to support your end users and helpdesk staff, including troubleshooting time.

Gartner estimates that password reset inquiries comprise between 30% and 50% of all helpdesk calls. And according to Forrester, 25% to 40% of all helpdesk calls are due to password problems or resets. Forrester also determined that large organizations spend up to $1 million per year on staffing and infrastructure to handle password resets alone, with labor cost for a single password reset averaging $70.

If a solution requires extensive support from your IT or infrastructure teams, will you get charged for the time spent supporting your on-premises two-factor solution? Estimate that cost and factor it into your budget.

Consider the costs of employing full-time personnel to maintain your two-factor solution. Does your provider maintain the solution in-house, or is it up to you to hire experts to manage it?

Estimate how long it takes to complete routine administrative tasks. Is it easy to add new users, revoke credentials or replace tokens? Routine tasks, like managing users, should be simple. Sign up for a trial and take it for a test run before deploying it to all of your users.

Digital Assurance Advisors, your personal authority in cyber security, will assist in securing your Authentication Validation needs and more. Contact us for more information or to begin your complimentary 30-day Proof of Value! +1.414.236.4200