The Case for OTP Cards
Given that hard tokens are still part of our everyday business lives, which token is the best value for my money? What values should I use to compare tokens? Which tokens are best for all of my use cases? Should I use a mix of tokens depending on the optimal fit for each use case, or try to choose a single token type that works best across ALL use cases?
There are many factors to consider when selecting tokens for your users. This blog attempts to compare the most important factors between keyfobs and OTP cards which may reveal some things you didn’t know about the total costs related to token form-factor and token quality. It’s not all about straight unit cost and this year’s budget.
Cost-driven decisions, almost by definition, select the “cheapest” token that satisfies the compliance requirement, giving more weight to up-front cost and budget constraints than to the total lifetime cost of a hard token. User convenience, and whether the user is happy with their token, rarely enters into it. The CISO dictates which token thou shalt carry, and usually that means the cheapest token that gets the company through the compliance audits.
But it shouldn’t be only about direct costs and this year’s budget, because in reality it’s about the characteristics of the tokens that cause “friction”: clumsiness that leads to helpdesk calls. Clumsiness applies to both the tokens themselves and the users. Let’s be real: we all know we can count on a steady number of people who are going to lose, forget, or break their tokens, and the frequency of this friction is directly related to the token form-factor. Other factors contribute to the friction as well, such as the assumption that clunky keyfobs are rarely put on keychains, making them more prone to being misplaced or lost.
Conversely, OTP cards are kept in everyone’s wallet or badge-holder, so the lost/forgotten/stolen rate drops to near-zero. That’s much less friction.
Let’s talk about the numbers.
In a 1,000-user company, on average, you can expect approximately 1.7% of users to call the helpdesk every month for something related to their token. That’s 17 calls per month. “My number won’t work.” “I lost my token.” “I accidentally broke my token.” “I left my token at home.” “My token stopped working.” This statistic is based on a market that is 99% keyfobs.
In each of these incidents you have:
- A down user, productivity stopped. Costs: internal user hourly rate, output value (as a percentage of revenue), token replacement, token inventory reserves to cover incidents, storage and handling costs, packaging and postage, help desk personnel, and general overhead.
- An increase in security risk: a social-engineering/impersonation vector, temporary OTP codes that can be intercepted, and a found token or insider theft that may lead to a compromised user account, ransomware, a data breach, and more.
In an average 1,000-user company where MFA is a requirement, a rough estimate of the cost of a lost token is approximately $105 per incident. Keyfobs generate 17 calls per month x $105 per incident = $1,785/month in total lost value to the company. Approximately $40 of each incident is a hard cost: token replacement, packaging/postage, and 30 minutes of labor for all hands that have to touch each helpdesk token incident through resolution (new token in the correct user’s hand). Simple math, 204 x $40, makes that about $8,200/year in keyfob overhead. Stay with me.
Let’s quickly compare OTP cards, which have a 0.2% incident rate, which is 2 per month instead of the overall keyfob token average of 17 per month. Total annual hard cost for OTP card incidents: $960.
Hard cost difference between the two form-factors is $7,240. That’s an annually recurring number. Hold that thought.
Now for the final analysis, “Is it less expensive to buy ‘cheap’ tokens?”
1,000 keyfobs cost $15,000 + $8,200 hard-cost overhead = $23,200.
1,000 OTP cards cost $25,000 + $960 hard-cost overhead = $25,960.
Well, it would seem the cheap tokens have about a $2,700 advantage over the OTP cards. The first year.
However, there’s much more to consider:
Keyfobs have a 3% failure rate after warranty so that’s 30 failed fobs x $15 = $450. ka-ching!
Let’s add in the soft costs at another $65 x 204 incidents/year = $13,260. KA-CHING!
What about OTP cards?
OTP cards have a less than 1% failure rate after warranty, which is fewer than 10 cards out of 1,000. We’ll use 10 for easy math. 10 failed cards x $25 = $250.
Add in the soft costs of $65 x 24 annual incidents = $1,560.
To sum it up:
Keyfobs total overhead cost: $13,710 + $23,200 = $36,910 with a 10X higher breach risk factor than OTP cards.
OTP cards total overhead cost: $25,960 + $1,810 = $27,770 with a 10X lower breach risk factor than keyfobs.
That’s about a $9,000 savings in overhead with OTP cards. And that’s just the first year. If you include 4 additional years of recurring incident costs, the gap widens to almost $38,000 in favor of OTP cards.
And don’t forget, in the end, all tokens shall perish, so you have to add the end-of-life incidents: 1,000 x $40 hard cost, or $40,000. Or, if it makes you feel any better, just use the direct token replacement costs, where the fobs have a $10,000 advantage.
Lastly, consider the security risk factor at a cost of… you guessed it, priceless. But let’s set this aside, since a compromised token of either type could spell disaster for the company if it leads to ransomware or an embarrassingly massive data breach that goes public. You can see that the volume of incidents related to MFA tokens is actually a very important consideration. More incidents, more chances for a threat to land. Fewer incidents, less risk of lawsuits, loss of large sums of money, brand damage, etc.
Final analysis: For 1,000 users, OTP cards have a lifetime cost advantage of about $28,000 over keyfobs.
On the human side, users love the OTP cards over the keyfobs, so the clear advantage in user friendliness goes to OTP cards. And they are still a little wonder of authentication technology: a 5-year battery, flex circuit, CPU, tactile flat button, and an easy-to-read e-Paper display (like your Kindle, not LCD), all packed into a bank-quality (ISO 7810) credit-card form-factor (sizzle sound).
Happy users, happy workplace, less stress, more productivity, more security, less cost.
Kevin Raineri, V.P. Business Development
Expert in authentication technologies, OTP cards, and human fobphobia 😉
Inspired by the excerpt below from a white paper by Celestix entitled “How to reduce the cost and complexity of two-factor authentication”, September 2012.
The issue of lost tokens is considerable. Surveys indicate that an organization with 600 users would typically expect up to 10 tokens lost per month, equating to 1.67% of the install base. If the hardware token costs $50 and it costs an additional $50 to dispatch the token then the cost of handling lost tokens alone can add a cost of $1000 per month which should also be factored in to any solution costs.
Surveys indicate that on average a traditional two-factor authentication system can generate two helpdesk calls per day. Typically, these would be from remote users who have questions relating to the use of their hardware token. User education is a serious consideration. Many users call in to question why they have received a token, what to do with it, and why they should use it.
Then there are the more serious issues of users being unable to authenticate because they have lost their token, or de-synchronized their tokens.
Two-factor authentication is an enabling solution so ease of use should be considered very carefully. Adding technology that complicates a process or is at odds with the way in which users interface with their corporate resources may result in increases in helpdesk costs and cost.