Analysing the needs and understanding the costs behind different regulations is a daunting and time-consuming task, and customer authentication is no different. To make things a bit easier, we've done the work for you by analysing how much building or purchasing an SMS verification solution for two-factor authentication would cost you.

What is two-factor authentication?

Two-factor authentication, or 2FA, is becoming increasingly popular. The most common form of this security measure involves a user being granted access to a website or other form of application only after successfully presenting two forms of identification proofs.

People are constantly looking for ways to protect their data from unknown individuals. 2FA is one of the most popular ways to achieve this. This security system protects you against a person trying to gain access to your personal data, such as ID details or financial assets.

There are many ways to build an MFA solution, with many possible authentication factors. 2FA is a type of MFA system that uses two types of factors to grant access. One of these factors is usually a preset password that is used with some form of unique ID, such as a username or email address. The second factor can take the form of one-time passwords, hardware tokens, or biometric data that only the right user could possess.

What options do you have to maintain security?

You have two possible options for adopting any multi-factor authentication mechanism.

  1. Build and maintain a multi-layered customer authentication system in-house

  2. Deploy an Application Programming Interface (API) and use a trusted partner's toolkit

You could also mix and match some tools, such as having the code generation part in-house and outsourcing the authentication value delivery portion. But this leaves you with both sides to tackle, so choosing either one is best.

We surveyed our customers to find out how long it takes to deploy our tools on two-factor authentication, as well as how long it would take them to build tools like ours. When these aspects are put into numbers, we reach a much better understanding of what building it yourself costs vs using the services of a trusted provider.

Person sketching technical solutions on a paper

Option 1: Build your own

Based on our survey, as well as our own experience, it takes 5 to 6 weeks of full-time developer hours to build a Minimum Viable Product for an SMS-only 2FA solution. Step it up to a time-based one-time password system (which is the security standard that needs to be reached), and it will be 8 to 10 weeks for an MVP. A system using a more complex factor, such as a biometric ID based on fingerprint scanning or voice recognition, for example, would probably take even longer.

Assuming that the average cost of an in-house developer is €1,750 to 2,000 per week, a fully functioning in-house solution will cost €14,000 to €20,000. Add 50% if the work is outsourced and add in the ongoing maintenance you will need for the development, maintenance and inevitable improvements that need to be made once the business grows and new products, tools, or markets come into play.

The technology team would also be required to maintain SMS delivery quality and manage connections to network operators. Then add the cost of sending SMS messages to your variable costs, and ultimately setting up the connections yourself can be much more costly as pricing varies greatly depending on the volume you send. You are much more important of a client to a mid-sized SMS aggregator than a network operator; hence the pricing will pretty much always be better via a partner.

You'll need to dedicate people on your tech team full-time to maintain the two-factor authentication solution too, which adds to running costs. Often enough, if you want real cost efficiency, you'll need someone with some sales acumen for negotiating pricing and features and handling any restrictions new markets may impose. Markets are always in flux, and pricing changes can hit very quickly and very hard if you're a small player.

Pros: More control over specific functionality.

Cons: Longer implementation time, larger investment, and handling all service and quality issues internally.

Two men fistpumping

Option 2: Use an API from a trusted partner

The same customer survey tells us that developers dedicate 8 to 24 hours to deploy every verification and authentication tool available from Messente. This includes both the customer-facing toolset and all the back-end bits and pieces needed for future scalability. We have no deployment costs, so deploying the tools costs €350 to €1,200 of developer time.

Also, Messente does not charge for support and delivery quality. Account managers come as standard due to our focus on business-critical messaging, which means every message sent requires a dedicated person to manage the customer journey for peak efficiency.

Variable costs will be similar, if not less, on the SMS side of things, as we maintain much higher volumes than a single business would. We have bargaining power with higher SMS volumes and have more options for SMS routing. One-time access password costs are typically half of the SMS costs per authentication.

Though SMS cost can vary between 2-factor authentication and other messaging traffic due to the former being a safer form of traffic and of higher priority (as compared to marketing messages, for example, that can have a 2-3x higher price and more regulations, what the content has to be and what needs to be included in the message, leading to larger message length).

While building your own two-factor authentication solution negates the one-time password variable costs, our data shows that 70% of authentications are still done via SMS PIN codes. So, an SMS fallback option is crucial for successful 2FA adoption by the customers as they are definitely habitual of and used to this system. SMS still has a higher reach than other easily adoptable two-factor authentication methods. Also, the tech team would need to maintain the one-time password system and mobile app.

Pros: Significantly lower implementation time and costs, optimised SMS delivery routes by the partner, and have the partner handle any delivery quality issues.

Cons: Less control over specific functionality.

Which option to choose for your business

As you can see, while building your own multi-factor authentication system gives your business more control, the benefits of using an expert company in the industry far outweigh the cons, with the biggest factors being time consumption and costs.

Two-factor authentication cost comparison

Using an Application Programming Interface from professionals in the industry will decrease the cost to the user by a significant amount, especially with deployment from Messente being free. Trying to build the API yourself for your business can easily cost over €20,000, and to set up the hardware yourself properly to be secure will take countless unnecessary hours.

And this doesn't even factor in all the problems you could possibly run into. Using experts in the industry for your business's needs is the smart solution with the level of support you will get along with minimising time and cost so you can focus on the more important parts of your business, knowing your sensitive data and user devices are all secured and protected.

Maintaining protection

Due diligence is still required, though, as it's important to make sure all of the requirements for Strong Customer Authentication, as well as any other related security and privacy-related regulations, are met to truly be certain in your partner and in their ability to deliver on the multi-layered security promised.

Conclusion

Overall, leaving it to the experts with two-factor authentication makes more sense. While making your own gives you more control over functionality, Messente is completely open to customer feedback, and we build our tools to suit customer needs. This enables us to provide you with tools that both meet your requirements as well as scale to whatever business with however many users.