
The Costs of Implementing a 2FA Solution

Analysing the needs and understanding the costs behind different regulations is a daunting and time-consuming task and Strong Customer Authentication is no different. To make things a bit easier, we’ve done the work for you by analysing how much building or buying a 2FA solution would cost for you.

Essentially you have two options: build and maintain a multilayered customer authentication system in-house, or deploy an API and use a trusted partner’s toolkit. You could also mix and match some tools, such as keeping the code generation part in-house and outsourcing the authentication value delivery portion. But this leaves you with both sides to tackle, so committing fully to one option or the other is best.

We surveyed our customers to find out how long it takes to deploy our tools, as well as how long it would take them to build tools like ours. When these aspects are put into numbers, we reach a much better understanding of what building it yourself costs vs using a trusted provider.

Option 1: Build your own

Based on our survey, as well as our own experience, it takes 5-6 weeks of full-time developer hours to build an MVP for an SMS-only 2FA solution. Step up to a time-based one-time password system (which is the security standard that needs to be reached), and it will be 8-10 weeks for an MVP.

Assuming that the average cost of an in-house developer is €1,750-2,000 per week, a fully functioning in-house solution will cost €14,000 to €20,000. Add 50% if the work is outsourced, and add the ongoing cost of maintenance and the inevitable improvements that need to be made once the business grows or new products, tools or markets come into play.

The technology team would also be required to maintain SMS delivery quality and manage connections to network operators. Then add the cost of sending SMS messages to the variable costs. Ultimately, setting up the connections yourself can be much more costly, as pricing varies greatly depending on the volume you send (you are a much more important client to a mid-sized aggregator than to a network operator, so the pricing will pretty much always be better via a partner).

You’ll need to dedicate people on your tech team to maintain the 2FA solution, which adds to ongoing costs. Often enough, if you want real cost efficiency, you’ll need someone with some sales acumen to negotiate pricing and features and to handle any restrictions new markets may impose. Markets are always in flux, and pricing changes can hit pretty quickly and hard if you’re a small player.

Pros: More control over specific functionality.

Cons: Longer implementation time, larger investment, and handling all service and quality issues internally.

Option 2: Use an API from a trusted partner

The same customer survey tells us that developers dedicate 8-24 hours to deploy every verification and authentication tool available from Messente. This includes both the customer-facing toolset and all the back-end bits and pieces needed for future scalability. We have no deployment costs, so deploying the tools costs €350 to €1,200 of developer time.

Also, Messente does not charge for support and delivery quality. Account managers come as standard due to our focus on business-critical messaging, which means every message sent requires a dedicated person to manage the customer journey for peak efficiency.

Variable costs will be similar, if not less, on the SMS side of things, as we maintain much higher volumes than a single business would. We have bargaining power with higher SMS volumes and have more options for SMS routing. One-time password costs are typically half of the SMS costs per authentication. SMS cost can, however, vary between 2FA and other messaging traffic, because the former is a safer form of traffic and of higher priority (marketing messages, for example, can have a 2-3x higher price and more regulations covering what the content has to be and what needs to be included in the message, leading to larger message length).

While building your own 2FA solution negates the one-time password variable costs, our data shows that 70% of authentications are still SMS PIN codes. So, an SMS fallback option is crucial for successful 2FA adoption by customers, as they have a definite habit of using it. SMS still has a higher reach than any other easily adoptable 2FA method. Also, the tech team would need to maintain the one-time password system and mobile app.

Due diligence is still required, though. It’s important to make sure that all of the requirements for Strong Customer Authentication are met, as well as any other related security and privacy regulations, to be truly confident in the partner and in their ability to deliver on the multi-layered security promised.

Pros: Significantly lower implementation time and costs, SMS delivery routes optimised by the partner, and the partner handles any delivery quality issues.

Cons: Less control over specific functionality.

Conclusion

Overall, leaving two-factor authentication to the experts makes more sense. While making your own gives you more control over functionality, Messente is completely open to customer feedback, and we build our tools to suit customer needs. This enables us to provide you with tools that both meet your requirements and scale to any business, however many users it has.

Uku Tomikas
2019-07-04 00:00:00 UTC