
BIO-key Blog

Read below for news, insights, and discussion on identity and access management.

IAM Security Black Hole: 3 Reasons ROI Matters for Authentication

by Mary Roark, CISSP


Security can be a line item that is like a black hole for CFOs and business leaders. PwC noted, “Cyber budgets in 2024 are increasing at a higher rate compared to last year.” Despite increased spend, the threats, risks, and costs are expected to mount in 2025.
 


How can you measure ROI for cybersecurity?  

Return on Investment (ROI) is best calculated based on what adds value to your organization. Universities have a different definition of value creation than a regional credit union. Yet, no matter how your organization measures value, you can take the following approach to justifying investment and trying to calculate ROI for your organization when it comes to authentication and Identity Access Management (IAM). 

Reason 1:

Investment in security reduces Business Disruptions. 

Investing in stricter MFA to reduce risk and prevent costly business disruptions can be quantified to establish your ROI for security. 

PwC reports: “Organizations who show greater maturity in their cybersecurity initiatives, report a greater number of benefits and a lower incidence of costly cyber breach of USD$1M, or a breach at all.” 

Reason 2:

There is a direct correlation between MFA options and reducing risk.  

Weighing costs against the increasing probability and the increasing costs of phishing leads to quantifying risk, which easily justifies adding MFA and more secure authentication options.

Reason 3:

Streamlining workflows with faster biometric MFA increases productivity.  

Outdated MFA methods and poor user training are productivity drains. Updating your MFA to passkeys and modern biometrics can simplify employee workflows and increase customer loyalty.


This blog presents the research behind each of these reasons. It should motivate every organization to reevaluate its current MFA policy and to review whether more secure and flexible authentication methods will increase productivity, reduce risks, reduce business costs, and easily justify increased investment in the authentication options best suited to the success of its operations.

 

Which threats matter to your organization?  

It is necessary to identify which threats are the most costly due to their time-consuming nature or frequency. 

An analogy is how a small water leak can do as much financial damage as a flood. A flood is visible, but a hidden leak can linger and do much more costly long-term damage.


Source: PwC 2025 Global Digital Trust Insights

Ignoring the smaller incidents in security can lead to higher cumulative risk in the long run. If everyone writes down their complex password on a sticky note, your business risk has increased with complex password enforcement. Although password resets may seem like minor consequences of passwords, they cumulatively waste a significant amount of time and open the door to threat actors who may use social engineering penetration tactics.  If increased employee productivity is a strategic goal, then streamlining MFA and including passkeys or other biometric access makes sense. 

As the source below points out, a “survey by Allied Market Research found that the biometric market is expected to grow to $68.6 billion by 2030. It’s no surprise when 79% of IT leaders now see biometrics as essential for secure digital transformation, according to a recent PwC report. These leaders recognize that the cost of implementing biometrics is outweighed by the potential cost of a single breach.”

Source: 

https://www.finextra.com/blogposting/27181/the-secure-fingerprint-why-biometrics-have-become-essential-for-corporate-clients 

 

How can security leaders and business executives speak the same language regarding ROI for security?  

 

PHISHING 

In 2023, IBM identified phishing as the number one infection vector in 41% of cybersecurity incidents (IBM Security X-Force 2023). With phishing as the number one threat to organizations around the globe, both public and private, large or small, nearly all enterprises are seeking cost-effective ways to increase security without increasing operating costs and disrupting existing workflows. Most importantly, businesses want to maintain their productivity.

 

MFA is a productivity tool  

Multi-factor authentication (MFA) has been seen as a productivity inhibitor. MFA is perceived to slow business down. While many embrace SSO (single sign-on) as a time saver, MFA is seen as necessary only due to the weaknesses of passwords. But there are many different options for authentication.


 

Ranking Authentication Methods by Level of Risk and Security


According to CISA, “Some, but not all, MFA solutions also mitigate phishing attacks. Given the prevalence of phishing as an attack vector, phishing resistance should be a key consideration in choosing an MFA solution.” NSA and CISA joined together to provide comprehensive guidance available as BEST PRACTICES for Administrators for Identity Management.

Further guidance is also available in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63, NSA’s publication, Selecting Secure Multi-Factor Authentication Solutions, and the Cybersecurity and Infrastructure Security Agency’s guidance on MFA.

 

BEST PRACTICES for Administrators for Identity Management

Source: NIST and NSA 


Source:

https://media.defense.gov/2023/Mar/21/2003183448/-1/-1/0/ESF%20IDENTITY%20AND%20ACCESS%20MANAGEMENT%20RECOMMENDED%20BEST%20PRACTICES%20FOR%20ADMINISTRATORS%20PP-23-0248_508C.PDF

 

Get your ROI here 

Organizations are tracking and basing their satisfaction on the ROI that tools deliver. IT and security teams have realized that there is no point in owning feature-rich products if they are too complicated to use. G2 consolidates the feedback from customers.  For MFA, ROI is something customers care about and provide feedback on. This is one of the areas where BIO-key’s PortalGuard platform stands out. In Summer 2024, PortalGuard was recognized for delivering the best ROI for MFA. According to G2: PortalGuard (https://www.g2.com/products/portalguard/reviews) delivers ROI on average in just 18 months for Enterprise customers.  Despite the popularity and market dominance of other players, a differentiating factor in why customers choose PortalGuard is that they can be confident that they will get their money’s worth. As one customer said, “It does what I need, and for a great price compared to other products.” Another customer indicated that “We chose PortalGuard to replace a much more expensive portal solution and have never been more pleased.”  

 


 

Part of the art of ROI is choosing MFA methods that can enhance productivity, such as:

  • Authenticator apps: A widely adopted and convenient option for receiving verification codes on smartphones. PortalGuard offers MobileAuth.
  • Biometrics: Fingerprint or facial recognition can provide a seamless login experience on supported devices.
  • Push notifications: Instant alerts on devices to quickly approve login attempts.

 

Potential pitfalls to avoid when implementing MFA for productivity: 

  • Excessive MFA prompts: Too many verification steps can significantly slow down user workflow. 
  • Outdated MFA methods: Relying on SMS-based verification, which is susceptible to phishing attacks, can compromise security and user trust. 
  • Poor user training: Not adequately educating employees on MFA usage can lead to confusion and frustration.  

 

Don’t wait till 2025  

Continually questioning whether the right solutions are installed is necessary to stay ahead of threat actors. Having MFA solutions in place is not the same as choosing the right MFA solutions that optimize security and productivity in order to get the ROI you deserve for your efforts.

 


About the Author: Mary Roark, CISSP

Mary is a seasoned leader and strategist in the cybersecurity domain. She holds a CISSP credential, a BSEE, and an MBA. I am passionate about security technology that easily and quickly secures people, data and business.
