The True Cost of Password Recovery

by George Skaff, SVP, WW Marketing
October 4, 2023

Most of us have dozens of accounts and multiple devices that require authentication. In some cases, that means entering a password. But how do we keep hundreds of different logins straight – especially without reusing them?

Many of us simply don’t remember all our passwords, resulting in a wealth of consequences for both organizations and users. Although security breaches are perhaps the most well-known downside of password-based authentication, they’re far from the only one. Even for organizations that manage to avoid compromised accounts and data, the expense required to efficiently protect against fraudsters, not to mention the added friction often associated with adding more stringent security measures, can be significant for businesses, their employees, and their customers.

Password-based authentication (also known as a type of KBA, or knowledge-based authentication), is inherently primed to wreak havoc on a company’s bottom line and should be a thing of the past.

Operational expenses of password-based authentication

The numbers are staggering: up to 40% of all helpdesk calls are related to passwords and resets. The average firm spends $5.2 million annually to set and reset passwords. Employees lose 11 hours each year resetting passwords … and so on.

More than just a nuisance, the inability for users to recall passwords is enormously costly as lost productivity and soaring volumes of support tickets deplete IT and security budgets. And there’s little reason to believe the situation will improve.

The rising prevalence of conveniences like online shopping, mobile health, and contactless hospitality experiences has only exacerbated this long-standing issue. Historically, organizations could enjoy an extra layer of protection with all, or at least most, assets and data contained on premise by adhering to stringent and well-regulated policies and procedures and using secure networks. Today, all that’s changed.

With more people accessing and managing accounts from virtually anywhere, companies relying on passwords must continuously find new ways to stay secure. There are some solutions that can help, like password managers or employing one-time passcodes, but among other drawbacks, these methods can be costly.

Most troubling of all: if an organization is relying on passwords for most of its security posture, the methods mentioned above – or any other KBA – can’t come close to ensuring safety from fraud attacks.

Security breaches driven by an inherently flawed system

There are several reasons password-based security measures fail. For one, many customers use Wi-Fi networks and devices that are easily compromised while at the same time neglecting password best practices.

In addition, whether out of frustration or ignorance, most people rely on dangerous methods to avoid password resets. A 2020 report found that 63% of surveyed individuals in the U.S. reuse passwords. Making matters worse, many people reuse easy-to-remember passwords, like their child’s name, a birthday, or an address. Unfortunately, “easily remembered” is virtually synonymous with easy to guess, especially with the help of AI used by fraudsters for increasingly sophisticated hacking attempts.

Here are a few of the risks faced by organizations that rely on legacy security measures:

• Fake password reset communications, like SMS phishing, present a scenario where a bogus message deceives the recipient into revealing passwords and other sensitive information. If a password is the only form of account security, once exposed, the floodgates open to anyone clever enough to gain access.
• Social engineering attacks, which traditionally took place person-to-person in a contact center setting, involve a fraudster calling an unsuspecting target. The fraudster then imitates a genuine user by exploiting compromised data found online. Today, social engineering takes a more dangerous form: deepfakes. Bad actors use AI to manipulate digital content – images, videos, and audio – to deceive individuals into sharing sensitive information and account access.
• The interception of actual password resets through tactics like man-in-the-middle attacks. In these cases, a user is duped into taking some sort of action, like visiting an illegitimate website that closely imitates the genuine service provider’s site or sharing sensitive information through a compromised email account.
• Brute force attacks like credential stuffing, where hackers use a known username and password that’s been obtained through a database breach, phishing attack, or other malicious activity. Since many people reuse passwords, sometimes fraudsters need only obtain one set of credentials to hack multiple accounts.

So, what’s the true cost of these types of missteps? One report found that the average price of a data breach stemming from password-related attacks in 2023 was $4.45 million – up 15% over the last three years.

But trying to outsmart these threats requires serious investment. According to Deloitte, the average cybersecurity spend, including password reset costs, was $2,700 per employee in 2020. In some sectors, it was nearly double that. As you can probably imagine by now, these costly precautions deliver no guarantees.

Customer frustration adds another layer of discontent
As if that all weren’t enough, password-based authentication tends to cause serious frustration among consumers, too. As the average number of accounts per user multiplies, so does the need to recall complicated passwords – and it seems some people are just giving up. Research from the FIDO (Fast IDentity Online) Alliance reveals that 58% of consumers in the U.S. have abandoned online purchases due to password management difficulties.

More than just missing out on a one-time sale, the inconvenience that so often defines these kinds of experiences is not easily forgotten by consumers, quite possibility threatening future sales as well.

So, where do we go from here?

These problems aren’t going anywhere. In fact, they’re only getting worse. Many well-meaning but ill-advised attempts to thwart these myriad password concerns are only compounding the issue. A report this year found that 51% of organizations that have experienced a breach are choosing to spend more to ramp up the same kind of security measures that failed them the first time.

This calls to mind the adage: you shouldn’t throw good money after bad. Spending to fortify existing password-based protocols – which are inherently flawed – cannot be expected to solve an organization’s long-term security woes. On top of that, password-based authentication is tough, if not impossible, to scale for wide use by consumers.

Luckily, there’s a better way. The same study that found more than half of companies increased password-based security spending after a breach also found that organizations extensively employing AI-based security measures and automation save $1.76 million annually compared to those that don’t.

Biometrics: a better bet
Any company that’s serious about combating increasingly prevalent, sophisticated, and disruptive cyber threats must move away from knowledge-based authentication and toward a passwordless posture driven by AI-powered biometrics.

A password is simply too easy for a skilled attacker to exploit. So, rather than requiring users to prove what they know (i.e., a password) to authenticate an account, users can instead prove who they are. This is inherence authentication, which leverages biometrics to confirm an identity and all but eliminates the need to create, secure, and recall passwords.

Biometric authentication uses a person’s biological characteristics – things like fingerprints, facial scans, voice prints, and more – to authenticate that they are truly who they claim to be. It’s virtually impossible to cheat the system or get locked out because physical traits cannot be stolen or forgotten, and advanced liveness detection technology prevents fraudsters from spoofing the system. Through this approach, the costs and risks associated with password recovery are reduced to at or near zero.

Plus, as research indicates, biometric authentication is easy to use, so user satisfaction improves manyfold. The same survey that revealed password fatigue is causing scores of consumers to abandon shopping carts also shows that buyers overwhelmingly prefer shopping with retailers that enable them to log in and make purchases by using their on-device biometrics, like fingerprint or FaceID. In fact, 60% of those surveyed believe retailers that offer on-device authentication care more about their customer experience. This makes buyers more likely to recommend those retailers to friends and family.

Behavioral biometrics is another option. When a person performs an activity – typing on a keyboard, using a mouse, swiping a mobile screen – they follow a pattern. Behavioral biometrics tracks these patterns and uses AI to analyze them. From there, it establishes individual norms and measurable characteristics that can be used to verify a person’s identity.

Just like with physical biometrics, the user experience is frictionless. Operating in the background of a web or mobile session, behavioral biometrics can discreetly detect whether someone is really who they claim to be (or if they’re an automated entity) based on their behaviors.

How to start implementing passwordless security

Despite those promising statistics, the thought of transitioning to a passwordless security approach can feel intimidating. The growing prevalence of passkeys can remove that final hurdle, providing a low effort transition that customers will find familiar.

Developed by the FIDO Alliance, passkeys effectively replace passwords and accelerate frictionless sign-ins. These digital, cryptographic multi-device credentials are safer because they do not require sensitive information that could be stolen or stored. Plus, they incorporate FIDO2/WebAuthn protocols and work with the latest device security features.

Why passkeys?
Passwords offer poor security, poor user experiences, and are expensive to support. Passkeys are none of those things.

A passkey consists of an encrypted key pair. One key is public and is discoverable by browsers or is housed within native apps. The other key is private and stored only on the user’s device, not a server that could be hacked. At sign-in, the two keys communicate using powerful, industry-standard cryptography that only the keys can understand.

The experience is effortless and supremely safe for users; when they go to login to a website or app, the user can approve the access attempt using the same biometric or PIN that unlocked the device they’re on (smartphone, tablet, computer, etc.). And since that biometric or PIN is securely bound to the device, the remote server is only assured that it is accurate. It never actually sees or has access to it.

Plus, passkeys that are managed by a phone or operating system automatically sync between the user’s devices using a cloud service, which also stores an encrypted copy of the passkey. In addition to providing superior protection, the user experience improves massively with passkeys thanks to a consistent, low-effort experience across devices and use cases.

More specifically, passkeys keep users secure and happy because:

• They can’t be guessed. A public passkey has no value for a would-be attacker (it can almost be thought of as a username). On its own, the public key is worthless, and the private passkey stored on a device is tethered to the user through biometric factors that are impossible to steal. For passkeys to work, the intended user (via their biometric template), and no one else, must have access to their passkey device. Passkeys are also long, random, and unique strings of numbers that are difficult to decipher.
• They create a unique link between the platform they were generated for and a user’s device. It’s impossible to fall victim to a phishing scam or other fraud tactics using a passkey because it will only work on the site or app that created it. This means that an unsuspecting user can’t unknowingly employ that same passkey to log into a fraudulent platform.
• They provide the peace of mind that comes with knowing the keys are synced through a secure mechanism, so login and account data can’t be leaked during a website breach or other attack.
• They require little effort. Passkeys don’t have to be actively created, remembered, or protected by the user. They cannot be lost, stolen, or forgotten, and don’t require anything extra of the user.
• They function as a streamlined authentication solution that removes the hassle of registering multiple devices and accounts.

It’s time to eliminate the costs and risks of passwords once and for all

At its core, FIDO authentication revolves around removing the need for passwords, which are a constant headache for users, a financial burden for companies, and a security threat to everyone.

Daon was an early member of the FIDO Alliance and currently serves on the board. We’ve woven FIDO protocols throughout our products as an innovative and effective way to improve identity verification and ongoing authentication while helping our customers eliminate costly security risks.

Our xAuth platform can assist any company in moving from passwords to passkeys or other forms of FIDO authentication, and our xFace solution can help organizations implement the highest level of authentication security through the use of facial biometrics. We can also combine any authentication factors, both active and passive, to develop a multi-factor authentication solution that’s perfect for your organization and that embraces the strictest set of security standards.

Learn more about how Daon can help you transition to a passwordless security posture by checking out xAuth.