The Cost of Implementing Multi-Factor Authentication

January 31, 2006 (PRLEAP.COM) Business News
In October of 2005, the Federal Financial Institutions Examination Council (FFIEC) issued a letter clarifying its expectations for combating the growing problems of online fraud and identity theft. Online financial institutions must implement multi-factor authentication by the end of 2006.

The number of vendors offering multi-factor authentication solutions is comparatively small, perhaps 20 to 25 nationwide. Overwhelmed by the 8,848 organizations competing for their resources, it appears unlikely they will be able to bring the US financial industry into compliance before the deadline.

Financial Institutions are faced with four competing options:

1. Hardware Tokens.
2. Software solutions.
3. Zero footprint or "virtual tokens".
4. "Home-grown" solutions.

A vendor-sponsored survey recently compared the total cost of ownership for these four options, calculating "apples to apples" costs based on a regional bank scenario of 25,000 on-line users.

HARDWARE TOKENS:
Hardware tokens have implementation and recurring costs. For 25,000 users, implementation costs include server infrastructure ($30,000 to $75,000), implementation staffing ($3,800 to $7,700), vendor support ($10,000 to $20,000), token production ($161,000 to $1,200,000), and token distribution ($40,000 to $80,000). One vendor charges $600,000 for additional software. Implementation times range from one to three months. Recurring costs include annual licensing ($112,000 to $275,000), administration ($70,000), support ($210,000), and token replacement based on a 3% loss rate ($4,800 to $37,000).

The total cost of ownership for implementing a Hardware Token solution to 25,000 on-line users ranged from $641,000 to $2,430,000 for the first year, and $397,000 to $569,000 each year thereafter. They were the most costly option and took the longest to implement.

Hardware Token vendors include:
ActivCard, Aladdin Knowledge Systems, Authenex, Datakey, Griffin Technologies, TriCipher, Ion, RSA, Vasco, and Verisign.

SOFTWARE APPROACHES:
Software approaches have implementation and recurring costs. For 25,000 users, implementation costs include network infrastructure costs ($15,000) staffing costs ($3,000) and vendor support ($10,000). Software approaches have less implementation costs than hardware approaches and implementation can be accomplished in three to six weeks. Recurring costs include annual licensing ($15,000 to $50,000), administration ($70,000), support ($210,000), and in one instance, per transaction fees (of $.60 each).

The total cost of ownership for implementing a Software solution to 25,000 on-line users ranged from $358,000 to $1,100,000 for the first year, and $330,000 to $1,100,000 each year thereafter. They were less costly than hardware solutions to implement but disproportionately more costly to support.

Software and related vendors include:
41st Parameter, Anakam, Authentify, Cavion, Cyota, Digital Resolve, Passmark Security, Secure Computing, Soltrus, and Think Security.

ZERO-FOOTPRINT (“VIRTUAL TOKENS”):
There is only one vendor offering this technology due to their ownership of the patent rights. Being a web-based solution that can be implemented by a single webmaster, implementation costs were essentially non-existent. Recurring costs were less than $150,000.

Because of its "zero footprint" (hardware/software free) approach, this solution has the lowest cost of ownership and fastest implementation time.

Vendor:
Sestus Data Corporation (PhishCops) is the only vendor in this category.

HOME-GROWN APPROACHES:
Some organizations are considering developing their own solution. Experts caution that such approaches will likely cost more than vended solutions. Vended solutions were perfected over many years and an IT organization is unlikely to surpass their achievements in less than a year. Multi-factor authentication is an extremely technically challenging problem. An in-house developer is unlikely to create a solution adequate to pass regulatory muster. There is also a risk that the developer may leave, saddling the organization with an unsupportable system. Costs are often underestimated owing to naivety about the technical challenges, or prejudice against vended solutions.

“If you snooze, you lose”
Given the disparity between the number of vendors and the number of organizations requiring compliance, IT managers may pick up the telephone this summer only to learn they have waited too long. Vendors are already reporting implementation delays. One hardware token vendor reports that their current "deployment time" for 25,000 online users is now 3 months, with initial deployment costs of $162,692.

PhishCops by Sestus Data Corporation offers the lowest total cost of ownership with the fastest implementation time and minimal support requirements. President & CEO T. Eric Willis explained, "We are unique among the multi-factor authentication providers in that we have perfected a web-based solution to a web-based problem. With PhishCops, there is no hardware or software to install which means implementation can be accomplished swiftly with minimal long-term support. If you pay someone to maintain your website, you already have all the staffing support you need."

Incidentally, PhishCops also appears to be the only vendor using government-approved authentication methods. PhishCops uses authentication algorithms developed by the National Institute of Standards and Technology (NIST) under the authority of the U.S. Department of Commerce, the current authentication standard. In 2005, the U.S. government named PhishCops a semi-finalist for the Homeland Security Award.