Passwordless Authentication: FIDO2 and WebAuthn Implementation

Help desk password resets

$217,000

14,600 reset tickets @ $14.86/ticket

4.2 resets per employee per year

Account lockout incidents

$89,000

2,400 lockout tickets @ $37.08/ticket

Lost productivity during lockout

Password rotation compliance

$156,000

18 hours/year per employee @ $72/hr for compliance tasks

Includes: selecting new password, updating stored passwords, re-authenticating apps

SMS-based MFA costs

$42,000

840,000 SMS messages @ $0.05/message

International employees cost 3x more

Password manager licensing

$64,000

1,200 licenses @ $53.33/user/year

Plus 280 hours IT support annually

Security awareness training (password focus)

$78,000

Quarterly phishing tests, password training, remediation

40% of security training budget

Credential-stuffing mitigation

$124,000

WAF rules, bot detection, monitoring, incident response

3-4 incidents monthly

Account recovery processes

$52,000

Manual verification, documentation, security checks

18 minutes average handling time

Privileged access password vaulting

$91,000

CyberArk licensing, maintenance, administration

1.5 FTE for vault management

Breach costs (annualized)

$487,000

2 breaches in 3 years averaging $730K each

Includes forensics, notification, credit monitoring, legal

Compliance audit remediation

$38,000

Password policy violations, documentation, evidence collection

6 findings per annual audit

Lost productivity (password friction)

$1,342,000

8.7 minutes/day per employee in password-related delays @ $72/hr

Login failures, forgotten passwords, MFA friction

TOTAL ANNUAL COST

$2,780,000

$2,317 per employee

Does not include reputation damage or customer churn

WebAuthn

W3C web standard

Browser API for public key authentication

Standardized across all modern browsers

Requires HTTPS, modern browser versions

CTAP2

Client to Authenticator Protocol v2

Communication protocol between authenticator and device

Enables external authenticators (security keys)

USB, NFC, Bluetooth support required

Authenticator

Physical or platform-based security device

Generates and stores private keys, performs cryptographic operations

Keys never leave the device - unphishable

Platform authenticators (TouchID, Windows Hello) vs. roaming authenticators (YubiKey, Titan)

Relying Party

Your application/service

Validates authentication assertions

Your backend that trusts the authentication

Requires cryptographic validation library

User Agent

Web browser

Mediates between web app and authenticator

Handles WebAuthn API calls

Chrome 67+, Firefox 60+, Safari 13+, Edge 18+

Public Key Cryptography

Asymmetric encryption

Private key on authenticator, public key on server

Eliminates shared secrets - nothing to phish

Requires key storage and management infrastructure

1

User

Initiates registration

Clicks "Add security key" or "Enable passwordless"

User-initiated, no automatic enrollment

2

Relying Party (RP)

Generates challenge

Creates random 32-byte challenge, stored server-side

Prevents replay attacks

3

RP

Sends registration options

Includes: challenge, RP ID, user info, authenticator requirements

Defines acceptable authenticator types

4

Browser

Calls navigator.credentials.create()

Invokes WebAuthn API with registration options

Standardized browser API

5

Authenticator

User verification

Biometric, PIN, or presence test

Ensures authorized user is registering

6

Authenticator

Generates key pair

Creates new public/private key pair unique to this RP

Private key never leaves authenticator

7

Authenticator

Creates attestation

Signs public key with attestation private key

Proves authenticator legitimacy

8

Browser

Returns credential

Sends public key, credential ID, attestation to RP

Credential bound to this origin

9

RP

Validates attestation

Verifies signature, checks attestation certificate chain

Prevents rogue authenticator attacks

10

RP

Stores credential

Saves public key, credential ID, counter associated with user account

No secrets stored - only public key

1

User

Initiates login

Enters username or email (or skips if using discoverable credentials)

Can be username-less with resident keys

2

RP

Generates challenge

Creates random 32-byte challenge unique to this session

Fresh challenge each login prevents replay

3

RP

Sends authentication options

Includes: challenge, allowed credential IDs, RP ID, user verification requirement

Specifies which credentials are acceptable

4

Browser

Calls navigator.credentials.get()

Invokes WebAuthn API with authentication options

Standardized browser API

5

Authenticator

User verification

Biometric, PIN, or presence test

Proves user possession and presence

6

Authenticator

Signs challenge

Uses private key to sign challenge + authenticator data + client data

Private key operation - unphishable

7

Authenticator

Increments counter

Increases signature counter to detect cloned authenticators

Anti-cloning protection

8

Browser

Returns assertion

Sends signed challenge, authenticator data, signature, counter

Cryptographic proof of authentication

9

RP

Validates assertion

Verifies signature using stored public key, validates origin, checks counter

Multi-layer validation

10

RP

Grants access

Creates session after successful validation

No password ever transmitted or stored

Platform - Biometric

TouchID, FaceID, Windows Hello, Android Biometric

Single-device users, BYOD programs, consumer applications

Device-specific, no cross-device

$0 (built into device)

Excellent - fast, convenient

Medium - requires device recovery

Platform - PIN

Windows Hello PIN, Android PIN

Devices without biometric, backup method

Device-specific, PIN can be observed

$0 (built into device)

Good - familiar to users

Medium - device-dependent

Roaming - USB Security Key

YubiKey 5, Titan Security Key, Feitian ePass

Shared workstations, high-security environments, IT admins

Requires USB port, can be lost

$20-$70 per key

Good - universal, reliable

Low - issue replacement key

Roaming - NFC Security Key

YubiKey 5 NFC, Google Titan

Mobile + desktop users, flexible deployment

Requires NFC support on device

$30-$75 per key

Good - works across devices

Low - issue replacement key

Roaming - Bluetooth Security Key

YubiKey 5C NFC, Feitian BioPass

Mobile-first users, modern device fleets

Bluetooth pairing complexity, battery concerns

$70-$150 per key

Medium - pairing friction

Low - issue replacement key

Hybrid Approach

Platform + roaming backup

Most enterprise deployments

Initial setup complexity

$25-$50 per user

Excellent - convenience + portability

Low - multiple recovery paths

Application Inventory

What applications need passwordless? Which are compatible? Legacy systems?

60-80% of apps are compatible, 15-25% need updates, 5-15% require workarounds

Drives scope and timeline

Medium - 1-2 weeks

User Segmentation

Who are your users? What devices do they use? Technical sophistication?

40% power users, 50% average, 10% low-tech; device diversity is higher than expected

Determines rollout strategy and support needs

Low - 1 week

Authentication Architecture Review

Current auth flows, identity providers, session management, API authentication

70% have complexity debt, multiple auth systems, poor session management

May require refactoring before passwordless

High - 2-3 weeks

Recovery Process Design

How do users recover from lost authenticator? Temporary access? Account recovery?

85% have no recovery plan, 10% have weak recovery, 5% have good recovery

Critical - poor recovery destroys user experience

High - 2 weeks

Compliance Requirements

Regulatory requirements, audit needs, documentation standards

75% find new compliance requirements they didn't know about

May require additional features or evidence

Medium - 1-2 weeks

Integration Points

SSO systems, identity providers, directory services, legacy auth systems

Average 4-7 integration points, some undocumented

Integration complexity and testing scope

Medium - 1-2 weeks

Browser/Platform Support

Which browsers and OS versions are supported? Mobile apps?

90%+ coverage typical, but edge cases exist

Drives backward compatibility requirements

Low - 1 week

Network Infrastructure

Proxy configurations, certificate management, firewall rules

30% have proxy/firewall issues blocking WebAuthn

Infrastructure changes needed

Medium - 1-2 weeks

Rollback Strategy

Can you revert if needed? Dual authentication during transition?

95% don't plan for rollback initially

Disaster recovery and risk mitigation

Medium - 1 week

Challenge Generation

Cryptographically random, 32+ bytes, unique per request

Use crypto.randomBytes, never Math.random()

Verify uniqueness, proper entropy

Reusing challenges, insufficient randomness

Challenge Storage

Temporary storage (60s-5min), associated with session, cleaned after use

Prevent challenge enumeration, rate limit generation

Stress test cleanup, verify expiration

Memory leaks from non-expiring challenges

Public Key Storage

Database schema for credential storage, indexing by user ID and credential ID

Encrypt at rest, audit access, backup strategy

Migration testing, query performance

Storing private keys (never!), poor indexing

Attestation Validation

Verify attestation statement, validate certificate chain, check revocation

Maintain updated root certificates, handle different attestation formats

Test with multiple authenticator types

Skipping attestation, weak cert validation

Origin Validation

Strict origin checking, validate RP ID matches, check allowed cross-origin

Prevent subdomain attacks, validate full origin string

Test with various origins, subdomains

Loose origin checking, subdomain vulnerabilities

Signature Verification

Correct crypto algorithm, proper ASN.1 parsing, verify signature over correct data

Use established crypto libraries, validate all parameters

Fuzz testing, invalid signature testing

Manual crypto implementation, wrong data signed

Counter Validation

Store and verify signature counter, detect counter decrease or non-increment

Implement counter anomaly detection and alerting

Simulate cloned authenticators

Ignoring counter, no anomaly detection

User Verification

Enforce UV requirements, check UV flag in authenticator data

Match UV requirements to risk level, consistent policy

Test UV combinations, fallback scenarios

Inconsistent UV enforcement

Session Management

Secure session creation after authn, proper session binding, timeout handling

Bind session to authenticator, prevent fixation

Session security testing, timeout verification

Weak session binding, no timeout

Recovery Mechanism

Out-of-band verification, secure temporary access, account recovery workflow

Multi-factor recovery verification, abuse prevention

Recovery flow testing, abuse scenarios

Weak recovery that bypasses passwordless

API Authentication

Token-based authentication for APIs, proper scope management

Secure token generation, short-lived with refresh

API authn testing, token validation

Long-lived tokens, insufficient scoping

Error Handling

Secure error messages, no information disclosure, proper logging

Log security events without exposing system info

Error condition testing, information leakage

Detailed error messages exposing attack surface

Rate Limiting

Limit registration, authentication, recovery attempts per user/IP

Progressive delays, account lockout after threshold

DDoS testing, legitimate burst testing

No rate limiting, easily bypassed limits

Audit Logging

Log all authn events, credential lifecycle, security events

Tamper-proof logs, PII handling, retention policy

Log completeness, integrity testing

Insufficient logging, PII in logs

Enrollment Flow

3-step maximum, clear visual guidance, progressive disclosure

Detect available authenticators, guide selection, handle errors gracefully

>70% completion rate, <30s avg time

"What is a security key?", "Which option should I choose?", "Do I need to buy something?"

Authenticator Selection

Present platform authenticators first, simple language (not "FIDO2/WebAuthn")

Capability detection, platform-specific prompts

>80% choose correct option

Technical jargon, too many choices, unclear differences

Platform Authenticator Prompt

Brand-appropriate messaging, clear action required, timeout warning

Native browser UX, cannot be customized much

>90% understand prompt, <5s hesitation

Confusion about which finger/face, timeout not noticed, "Why is my browser asking?"

Security Key Instructions

Visual diagrams, step-by-step, "Insert and touch" not "Activate CTAP2"

Detect connection, show appropriate visuals

>85% success first try

USB port confusion, "touch the key" unclear, timeout

Error Handling

Plain English, actionable guidance, recovery options

Map technical errors to user-friendly messages

<10% errors result in abandonment

Technical error codes, unclear next steps, frustration

Account Recovery UI

Simple, secure, fast (<5 min), clear expectations

Multi-step verification, temporary access, re-enrollment

>95% successful recovery, <5min avg

Security vs. convenience balance, verification friction, fear of account loss

Fallback Authentication

Clear when/why fallback used, time-limited, encourage passwordless

Temporary password with forced re-enrollment

<15% fallback usage after 90 days

Overuse of fallback, permanent passwords creeping back

Mobile Experience

Native app integration, biometric prompting, smooth handoff

Platform authenticator API, proper error handling

>85% mobile enrollment success

Platform differences (iOS vs Android), confusion about biometrics

Cross-Device Enrollment

Guide users to enroll multiple devices, explain benefits

Allow multiple credentials per account

Avg 2.3 credentials per user

"Do I need to enroll my phone too?", recovery concerns

Admin/Support Interface

View user credentials, revoke compromised keys, temporary access

Secure admin controls, audit all changes

<2% need admin intervention

Over-reliance on admin resets, weak admin controls

Phase 0: Internal Pilot

IT security team, early adopters (20-50 users)

2 weeks

Zero critical issues, <5% enrollment failure rate, positive feedback

Dedicated support channel, daily check-ins

Any critical security issue

Phase 1: Technical Users

IT department, developers, technical staff (5-10% of users)

3 weeks

<3% support ticket rate, 80%+ enrollment, no critical issues

Enhanced documentation, technical support available

>10% support ticket rate, critical bugs

Phase 2: Champions Program

Power users across departments (10-15% of users)

4 weeks

>75% enrollment, <5% support tickets, positive satisfaction scores

Champion training, direct support channel

>15% support tickets, negative feedback

Phase 3: Department Rollout

Phased by department (25% of remaining users)

4 weeks

>70% enrollment per department, declining support tickets

Department-specific training, on-site support

Enrollment <50%, overwhelming support load

Phase 4: General Availability

All remaining users

6-8 weeks

>80% overall enrollment within 90 days, <2% support ticket rate

Standard support channels, self-service resources

Stalled adoption, security incidents

Phase 5: Password Deprecation

Disable password authentication for enrolled users

2-4 weeks after 90% enrollment

95%+ passwordless authentication, <1% fallback usage

Minimal - most users passwordless by now

Significant user backlash, business disruption

1-2

Internal pilot: 28 security team members

28 enrolled (100%)

4 tickets (mostly questions)

Discovered Chrome version compatibility issue on 3 machines

3-5

IT department rollout: 87 users

115 total (113 enrolled, 2 pending)

11 tickets

Fixed Chrome issue, updated docs

6-9

Champions program: 180 power users

291 total (283 enrolled, 8 pending)

27 tickets (declining trend)

Champions providing peer support, positive feedback

10-13

Finance department: 156 users

442 total (428 enrolled, 14 pending)

19 tickets

Smooth rollout, leveraging champions

14-17

Sales department: 243 users

673 total (651 enrolled, 22 pending)

31 tickets (mobile questions)

Enhanced mobile enrollment docs

18-21

Operations department: 198 users

856 total (832 enrolled, 24 pending)

18 tickets

Ticket rate decreasing, peer support working

22-25

Customer success: 167 users

1,008 total (982 enrolled, 26 pending)

14 tickets

High adoption rate, positive feedback

26-30

Remaining users: 192 users

1,200 total (1,159 enrolled, 41 pending/declined)

22 tickets

Final push communications

31-34

Password deprecation for enrolled users

1,200 total (1,182 enrolled - 98.5%)

8 tickets

Disabled passwords for enrolled users, 18 users still on fallback

90 days

Steady state

1,195 enrolled (99.6%)

<3 tickets/week

5 users on permanent exceptions (legacy app access)

Platform authenticators as primary

94% of users on iOS/Android/Windows with built-in biometrics

87% adoption of platform authenticators

YubiKeys only for admins and shared workstation users (32 users)

Cost containment, targeted security

$1,920 hardware cost vs. $28,000 for all users

Phased rollout: Internal → Provider early adopters → General availability

Validate with smaller groups before wide rollout

Smooth launch, minimal issues

Account recovery via email + manager approval

Balance security with UX

98% successful recovery, zero abuse

Maintain SMS MFA as temporary fallback (60 day sunset)

Safety net during transition

8% fallback usage, decreased to 0.4% by day 60

Assessment & Planning

4 weeks

$28,000

Technical assessment, rollout plan, UX design

Backend Implementation

6 weeks

$84,000

WebAuthn server, credential management, recovery system

Frontend Integration

5 weeks

$67,000

Web app integration, mobile app updates, UX implementation

Internal Rollout

3 weeks

$12,000

380 employees enrolled, support materials created

Provider Pilot

4 weeks

$18,000

2,200 early adopter providers, feedback collection

General Availability

8 weeks

$31,000

Remaining 42,800 providers, support scaling

Total Implementation

30 weeks

$240,000

Full passwordless authentication system

Credential compromises

6 incidents in 18 months (avg $127K per incident)

0 incidents

$762,000 avoided cost

Average login time

42 seconds

8 seconds

81% faster

Authentication support tickets

847/month

143/month

83% reduction

SMS MFA costs

$38,000/year

$0

100% savings

User satisfaction (login experience)

5.2/10

9.1/10

+75% improvement

Password reset costs

$22,000/year

$1,800/year

92% reduction

Total Annual Savings

-

$312,000/year

ROI: 130% first year

YubiKey 5 NFC for all users (2 keys per person)

Meets PCI DSS hardware requirement, works across desktop + mobile

100% coverage, zero compatibility issues

Backup key stored in secure office location

Recovery mechanism without helpdesk

Zero lost-key emergency calls

Resident keys (passwordless) for primary apps

True passwordless, no username required

Superior UX, compliance bonus

Platform authenticators disabled by policy

Ensure hardware authentication for compliance

100% hardware authentication

Quarterly key attestation audits

Verify keys not cloned, ensure compliance

Clean audits, QSA approved

Assessment & PCI DSS Alignment

3 weeks

$24,000

Compliance mapping, QSA consultation, technical design

Hardware Procurement

2 weeks

$9,045

134 YubiKey 5 NFC ($67.50 each), secure storage cabinet

Backend Implementation

5 weeks

$72,000

WebAuthn server, resident key support, attestation validation

Frontend Integration

4 weeks

$58,000

All applications (web, mobile, API), admin interface

Enrollment & Training

2 weeks

$8,000

All employees enrolled, backup keys secured, usage training

PCI DSS Documentation

3 weeks

$31,000

Evidence collection, policy updates, QSA review

Total Implementation

19 weeks

$202,045

PCI DSS-compliant passwordless authentication

Hardware token licensing

$12,000/year

$0/year

100% savings

Annual hardware replacement

$3,200/year

$650/year (occasional lost key)

80% reduction

Authentication support incidents

78/year

4/year

95% reduction

Average login time (with MFA)

23 seconds

6 seconds

74% faster

PCI DSS audit findings (authentication)

2-3 findings per audit

0 findings

Zero findings

Credential compromise incidents

1 incident (compromised password)

0 incidents

100% prevention

User satisfaction

4.8/10

9.3/10

+94% improvement

Total Annual Savings

-

$14,550/year

ROI: 7% first year, 7% annually thereafter

Internal Employees

Platform authenticators (primary) + YubiKey backup (admins only)

Maximize convenience, minimize cost, special security for admins

95% platform, 5% YubiKey

Enterprise Customers (10+ licenses)

Platform authenticators encouraged, SSO integration, optional security keys

Flexibility for customer IT policies, SSO reduces friction

60% platform, 30% SSO, 10% security keys

Small Business Customers (1-9 licenses)

Platform authenticators, simple enrollment flow

Cost-sensitive, needs to be dead simple

75% platform, 25% password fallback

API Access

API keys with rotation + optional certificate-based auth

Different paradigm, programmatic access

100% API keys, 15% certificate auth

1

1-3

Internal employees (3,200)

3,104 (97%)

287 tickets

Smooth rollout, built support expertise

2

4-6

Enterprise pilot (500 orgs, 28,000 users)

19,600 (70%)

412 tickets

SSO integration critical, varied IT maturity

3

7-12

Enterprise general (2,100 orgs, 89,000 users)

62,300 (70%)

891 tickets (declining rate)

Self-service documentation reduced tickets

4

13-18

Small business (9,400 orgs, 463,000 users)

347,250 (75%)

2,847 tickets (0.6% rate)

Simple UX critical, email onboarding effective

Total

18

All users (12,000 orgs, 583,200 users)

432,254 (74.1%)

4,437 tickets (0.76% overall)

Exceeded 70% target, strong adoption

Engineering (internal team)

$840,000

6 engineers × 18 months, backend + frontend + mobile

Product management & UX

$180,000

2 product managers, 1 UX designer

QA & security testing

$120,000

Comprehensive testing, pen testing, compliance validation

Infrastructure costs

$67,000

Database storage, compute, monitoring

Hardware (YubiKeys for admins)

$12,800

160 admins × 2 keys @ $40 average

Consulting (compliance & security)

$95,000

SOC 2 compliance validation, security architecture review

Documentation & training materials

$48,000

User guides, video tutorials, support documentation

Support scaling

$142,000

Additional support staff during rollout

Project management

$85,000

Dedicated PM for 18 months

Total Implementation Cost

$1,589,800

$2.73 per end user, $496 per employee

Password reset tickets

18,400/year

2,100/year

-88.6%

Account takeover incidents

47/year (avg $23K per incident)

2/year

$1,035,000 avoided

Authentication support costs

$487,000/year

$124,000/year

$363,000 savings

Average login time

18 seconds

4 seconds

78% improvement

Mobile app login abandonment

12.3%

3.1%

75% improvement

User satisfaction (login)

6.8/10

8.9/10

+31% improvement

Customer churn (attributed to auth friction)

2.1%

0.8%

62% improvement ($4.2M revenue retained)

Total Annual Financial Benefit

-

$5,598,000

ROI: 252% first year

Skipping account recovery planning

71% of projects

$45K-$180K in rework

"We'll figure it out later" attitude

Design recovery process before launch

Healthcare app launched without recovery. 340 users locked out first week. Emergency rework: $94K

Poor authenticator compatibility testing

58% of projects

$30K-$120K

Testing only on developer machines

Test on actual user devices across OS versions

Fintech app didn't work on Android 8. 18% of users on old Android. 6 weeks to fix

Forcing passwordless too early

49% of projects

$60K-$250K

Pressure to "go live fast"

Keep fallback longer, gradual transition

Retail forced cutover. User revolt. Project canceled. Total loss: $340K

Inadequate user education

67% of projects

$25K-$95K

Assuming users understand tech

Clear education before, during, after rollout

SaaS app assumed users knew biometrics. 12% adoption. Redid training. 76% after

Weak session management after authn

42% of projects

Security risk

Focus on authn, neglect session security

Design session security holistically

Banking app had great authn, 30-day sessions. Audit finding. Had to redesign

No metrics or monitoring

54% of projects

Can't measure success

No planning for measurement

Define success metrics at project start

Can't tell if project succeeded without metrics. Appeared to fail, actually fine

Ignoring mobile app differences

39% of projects

$40K-$160K

Web-first thinking

Design mobile experience explicitly

Mobile app added later. Didn't work well. Complete redesign: $127K

Insufficient rate limiting

36% of projects

Security risk

Assuming authn is secure enough

Implement comprehensive rate limiting

Passwordless API had no rate limits. Enumeration attack. Post-incident fix

Bad error handling revealing attack surface

44% of projects

Security risk

Developer-focused error messages in prod

User-friendly errors, detailed logging separately

Detailed errors exposed authenticator details. Security audit finding

No cross-browser/platform testing

31% of projects

$35K-$90K

Testing in single environment

Comprehensive compatibility matrix testing

Worked perfect in Chrome. Broke in Safari. 40% of users on Safari. 4 week fix

Credential Phishing

Users enter password on fake site

Private key won't sign challenge for wrong origin

95% of phishing ineffective against FIDO2

Sophisticated real-time phishing proxies (rare, expensive)

Credential Stuffing

Reused passwords from breached sites

No shared secrets to stuff

100% ineffective - no passwords exist

None for passwordless accounts

Brute Force Attacks

Weak passwords can be guessed

No password to guess, rate limiting on authn attempts

100% ineffective

None - cryptographic strength

Man-in-the-Middle

Password transmitted to MITM

Challenge signed only for legitimate origin

100% ineffective - origin binding

None - cryptographic origin binding

Keylogging

Logs keystrokes including password

Biometric/touch provides no loggable data

95%+ ineffective depending on authenticator

Platform authenticators with keyboard-based PIN backup

Social Engineering (password reset)

Weak recovery processes

Hardware possession required

80% reduction in successful attempts

Recovery process is attack surface

Insider Threats (credential theft)

Admins can access password hashes

No password hashes to steal

100% - no shared secrets stored

Admins can still compromise public keys (but useless without private key)

Replay Attacks

Session hijacking possible

Challenge unique per authn, short timeout

100% ineffective

None - cryptographic freshness

Database Breach (credential exposure)

Hashed passwords exposed, hashcat attempts

Only public keys exposed (not sensitive)

100% - public keys are public

None - public key crypto design

Malware-Based Credential Theft

Password manager exfiltration, clipboard logging

Private keys in hardware, can't be exfiltrated from platform authenticators

90%+ reduction

Software-based platform authenticators theoretically exploitable

Authenticator Cloning

N/A for passwords

Signature counter detects cloned devices

High - counter validation prevents cloned device use

If counter not validated properly

Account Takeover (combined techniques)

Multiple attack vectors all viable

Most attack vectors eliminated

98% reduction in successful ATO

Remaining: compromised recovery, malware on authenticator device

Implementation (Year 1)

Initial setup/implementation

$45,000

$280,000

+$235,000

Hardware (if applicable)

$0

$25,000

+$25,000

Training & change management

$12,000

$35,000

+$23,000

Year 1 Subtotal

$57,000

$340,000

+$283,000

Ongoing Annual Costs (Years 2-5, annual)

Password reset helpdesk

$180,000

$18,000

-$162,000

Account lockout support

$74,000

$4,000

-$70,000

SMS MFA costs

$35,000

$0

-$35,000

Credential-related security incidents

$405,000 (avg)

$12,000 (avg)

-$393,000

Security awareness training (password focus)

$65,000

$15,000

-$50,000

Password management tools

$53,000

$0

-$53,000

Compliance remediation (password findings)

$32,000

$8,000

-$24,000

Authentication infrastructure maintenance

$42,000

$28,000

-$14,000

Hardware replacement/upgrades

$0

$6,000

+$6,000

Annual Ongoing Subtotal

$886,000

$91,000

-$795,000

5-Year Total

$3,601,000

$704,000

-$2,897,000

Cost Per User (5-Year)

$3,601

$704

-$2,897 (80% reduction)

1-2

Current state assessment, application inventory, user analysis

Assessment report, compatibility matrix, user segmentation

Security, IT, product, support

Complete understanding of current state

40 hours assessment time

3-4

Technical architecture design, authenticator strategy, recovery process design

Technical architecture doc, authenticator selection, recovery design

Engineering, security, UX

Signed-off architecture

60 hours architecture time

5-6

Vendor/library selection, development environment setup, initial proof of concept

Working PoC, selected libraries, dev environment

Engineering, security

Functional PoC demo

80 hours dev time

7-8

Backend implementation: registration, authentication, session management

Backend API complete, tested

Engineering, QA

All backend tests passing

120 hours dev time

9-10

Frontend implementation: enrollment UI, auth UI, error handling

Frontend complete, tested

Engineering, UX, QA

Functional end-to-end flow

100 hours dev time

11-12

Security testing, penetration testing, compliance validation

Security test report, remediation plan

Security, QA, compliance

Zero critical findings

$15K pen test budget

Post-90

Pilot rollout, feedback iteration, phased deployment

Per rollout plan

All teams

Measured success metrics

Ongoing resources per plan