Total Economic Impact
Reduced Risk, Savings, And Business Growth Enabled By YubiKeys
A FORRESTER TOTAL ECONOMIC IMPACT STUDY COMMISSIONED BY Yubico, January 2026
High-quality deepfakes and genAI-driven extortion make authentication that does not harm the user experience more important than ever for enterprises’ employees, partners, and customers.1 Forrester recommends moving beyond traditional multifactor authentication (MFA), which can be susceptible to MFA-bypass attacks, to deploy phishing-resistant MFA.2 Phishing-resistant MFA, like YubiKeys, eliminates the risk from social engineering attacks such as phishing and stolen credential abuse.3 Security leaders are also seeking solutions that are quick and easy to deploy and enhance the user experience.
YubiKeys are hardware-based, phishing-resistant MFA security keys built by Yubico. They support multiple modern authentication protocols; come in a range of form factors; have USB, Lightning, and NFC connectors; and have more than 1,000 integrations to apps and services, delivering options for almost every organization and end user. Yubico offers enterprise services to make deployment and management as streamlined as possible, including YubiKey as a Service, Delivery, the Yubico Enrollment Suite, professional services, and support.
Yubico commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying YubiKeys.4 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of YubiKeys for their organizations.
To better understand the benefits, flexibility, costs, and risks associated with this investment, Forrester interviewed decision-makers from six large organizations that authenticate users with YubiKeys. Forrester aggregated the data to form a representative composite organization, which is a global enterprise of 5,000 employees that replaces basic MFA and traditional one-time passwords (OTPs) with YubiKeys, and modeled the financial impact for it based on interviewees’ results.
Prior to using YubiKeys, interviewees’ organizations typically used traditional MFA such as SMS and email OTPs, varied MFA solutions for different user groups, or even just single-factor authentication with usernames and passwords. However, these prior authentication environments were insufficient to protect against all attacks, resulting in reported breaches and losses while also falling short of users’ desired expectations for speed and ease.
By deploying YubiKeys, the interviewees’ organizations successfully made all end users phishing resistant while achieving or progressing toward passwordless authentication. The investment in YubiKeys strengthened security by effectively eliminating phishing and credential theft-related risk; enabled business growth by enhancing security reputation, trust, and customer experience; improved user experience and productivity by minimizing authentication friction; increased security and help desk productivity; and enabled cost savings.
Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:
Strengthened security worth $1.6 million. All the composite organization’s end users and some of its partners adopt YubiKeys and become phishing resistant, reducing risk exposure to breach costs from addressable attacks by 99.99%.
Business growth worth $1.9 million. By adopting YubiKeys, the composite organization strengthens its security reputation and can meet its customers’ security requirements, helping attract and win new business. It protects revenue from existing customers by reducing the risk of churn due to breaches or lost trust. The composite also delivers a better customer experience (CX) by enabling customers to access its services using YubiKeys and enabling employees to authenticate with YubiKeys quickly and professionally instead of pulling out their phones in view of customers or in areas where mobile devices are not allowed.
Enhanced end-user experience worth $2.2 million. The composite organization ends quarterly password updates because it has adopted phishing-resistant MFA and simplified password policies, saving an average of 30 minutes per user per update. The composite’s users save an average of 1 hour each on unplanned password resets annually and can authenticate 80% faster with YubiKeys compared to their legacy MFA solutions.
Security operations efficiency labor savings of $912,000. With strengthened security, the composite organization’s security and identity and access management (IAM) employees reallocate 7,280 hours to more productive work from avoided attack investigation, traditional MFA management, and password management.
Help desk support savings of $476,000. The composite organization eliminates help desk tickets for password resets and its prior traditional MFA solutions.
Cost savings from decommissioned authentication solutions of $321,000. After deploying modern phishing-resistant MFA with YubiKeys, the composite organization retires its traditional MFA solution, yielding cost savings.
Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:
Strengthening security for customers. The composite organization allows its customers to use YubiKeys when authenticating, resulting in strengthened security for those customers.
Meeting cyber insurance requirements. By adopting YubiKeys, the composite organization strengthens its security and can better meet requirements for cyber insurance to save on premiums.
Meeting compliance requirements. YubiKeys enable the composite organization to meet industry standards and strict regulatory requirements.
Ease of YubiKey adoption and management, enabled by Yubico’s services and support. The composite organization has access to Yubico’s professional services and support as well as partner services to facilitate YubiKey adoption and management. Its security and IAM employees feel well supported by Yubico and report a high-quality experience.
Speed of adoption and ease of management, enabled by Yubico’s enterprise services. With YubiKey as a Service, the composite organization rolls out keys faster and spends less time managing keys compared to a perpetual buying model. Delivery compounds these effects as Yubico manages and ships the keys instead of the composite organization. Furthermore, Yubico Enrollment Suite enrolls YubiKeys on behalf of end users with the composite’s identity provider solution, accelerating adoption, saving deployment time with direct delivery of enrolled keys to users, and supporting the move to passwordless.
Financial flexibility. The composite organization can choose between purchasing YubiKeys with the YubiKey as a Service subscription model or with a perpetual buying model. With a subscription model, the composite organization can gain budget predictability and reduce upfront costs with the shift from capital expenditures to operating expenditures.
Flexibility. Deploying YubiKeys enables the composite organization to consider potential additional uses and business opportunities in the future, including:
Moving to passwordless. This investment gives the composite organization the option to go passwordless with secure device-bound passkeys on YubiKeys.
Moving to Zero Trust. By investing in phishing-resistant MFA and ultimately progressing toward passwordless authentication, the composite organization can accelerate its Zero Trust journey.
Flexibility with authentication standards. YubiKeys support multiple protocols including FIDO2, U2F, smart card, OTP, and OpenPGP 3, which give the composite organization flexibility in how it authenticates now and in the future across all its environments and systems.
Allowing users to also secure their personal technology use. End users can use YubiKeys to protect workplace accounts and systems as well as personal accounts for greater security with a consistent experience in and outside of work.
Costs. Three-year, risk-adjusted PV costs for the composite organization include:
YubiKey as a Service costs of $527,000 for 5,000 end users. YubiKey as a Service starts at 500 users and is priced per user per month per year, shifting the upfront capital expense of a perpetual buying model to a more flexible and consistent operating expense.
Delivery costs of $20,000. To streamline key distribution and accelerate the adoption of phishing-resistant MFA for its distributed global end users, the composite organization utilizes Delivery instead of managing and shipping the keys itself. Delivery services are included with YubiKey as a Service.
Implementation costs of $582,000. Security and IAM employees, cross-functional leaders, and pilot end users invest time to plan, validate, integrate, launch, and adopt YubiKeys for all the composite’s end users.
Ongoing management and support costs of $262,000. The composite organization’s security and IAM employees dedicate time to YubiKeys management, new application integration, training, support, and key distribution. Yubico’s enterprise services reduce ongoing management.
End-user training and setup costs of $610,000. To ensure that all its global end users and new hires become phishing-resistant end users, the composite organization invests the necessary resources to train all employees. This includes 2 hours of initial training and setup time for current employees and 1 hour for all new hires.
Results. The financial analysis for the composite organization measured benefits of $7.3 million over three years versus costs of $2.0 million, adding up to a net present value (NPV) of $5.3 million and an ROI of 265%.
| Role | Industry | Region | YubiKey Users |
|---|---|---|---|
| Senior manager, cybersecurity | Telecom services | North America | 200,000 |
| Vice president of identity, cloud, and compute | Hospitality | Global, based in North America | 50,000 |
| General director of information assurance | Transportation | North America | 30,000 |
| Director of client authentication | Financial services | North America | 20,000 |
| Principal identity engineer | Technology | Global, based in North America | 7,000 |
| Director of information technology and cybersecurity | Government | North America | Less than 1,000 |
Before adopting YubiKeys, interviewees’ organizations authenticated in varied ways. Some organizations only had single-factor authentication with a username and password. Other interviewees’ organizations had more traditional MFA including SMS and email OTP. Others had mixed authentication environments even if they had some hardware authentication and app-based authentication for particular roles. However, these authentication methods were insufficient, and interviewees noted how their organizations struggled with challenges, including:
Security. Regardless of the prior authentication solutions used, interviewees said they were inadequate. Their organizations faced social engineering, phishing, credential abuse, weak and shared passwords, and more, and they even suffered breaches. However, they still had to meet standards and regulations. The senior manager of cybersecurity at a telecom services organization said, “We are in a climate where it is not if, it is when and it is how many accounts are already at risk.” They added: “Ninety-five percent of all account-related, identity-related incidents are due to weak, leaked, or stolen passwords. … Our CEO said, ‘No more, that is not us, let’s go.’”
The interviewees explained that traditional MFA and even app-based MFA were not meeting or would not meet their security needs. The vice president of identity, cloud, and compute at a hospitality organization said: “MFA fatigue is certainly one of them. Users are going to approve requests because they see them every day not thinking that there is a bad actor on the other side of that MFA request.” The director of client authentication at a financial services organization said: “Our commercial clients authenticated through TOTP tokens as a step up. We were seeing impersonation sites that looked like our commercial login page and were getting people to just give up their credentials. … The phishing site even prompted for the TOTP token, and they were just logging in in real time in the background to the real site. The impact of one client getting compromised is high.” The senior manager of cybersecurity at a telecom services organization said, “We found that authenticator apps are not as secure as advertised.”
The interviewees told Forrester that these risks were evolving and increasing these challenges, especially in the context of AI. The senior manager of cybersecurity at a telecom services organization said, “The threats are becoming more real, more complex, and harder to get in front of.” The director of information technology and cybersecurity at a government organization said, “I just sent out an alert to our employees about the use of AI deepfake voice interactions.”
End-user experience. In addition to challenges with security, interviewees said that their organizations’ end users suffered from poor experiences with prior authentication methods. They explained that end users disliked having to remember long and complex passwords that they had to change periodically and often forgot. The director of information technology and cybersecurity at a government organization said, “Everyone hates having to reset their password every 90 days or less.” Hardware solutions, like smart cards, failed too often. Other MFA solutions simply offered poor user experiences and interviewees said they took additional time to authenticate.
Cost. Depending on their organizations’ prior states, interviewees noted that authentication solution costs were a challenge. The senior manager of cybersecurity at a telecom services organization said, “There is a lot of overhead with smart cards.” The vice president of identity, cloud, and compute at a hospitality organization said: “With unions, our hotels would have to buy an employee a cell phone to use app-based authentication. A YubiKey is a lot cheaper than a cell phone.”
Diverse use cases, locations, and environments. Interviewees explained that their organizations all had unique circumstances that influenced how their end users needed to authenticate and what solution would offer the most secure and frictionless experiences. They had to consider employees working onsite or remotely, those needing privileged access, those in mobile-restricted environments or call centers, and more. For example, the vice president of identity, cloud, and compute at a hospitality organization said: “Most of our contact center workers cannot bring cell phones onto the call center floor. So they give them YubiKeys.” They also had to consider the customer experience. The senior manager of cybersecurity at a telecom services organization said: “In a retail setting, you can’t use authenticator apps because it would be a little weird if I was standing next to a rep in a store and they said, ‘Hold on a second, let me pull my phone out of my pocket.’”
The interviewees searched for a solution based on open standards that could:
Offer the highest standard of authentication security for employees, partners, and customers.
Be easy to use for efficient and fast authentication.
Deploy easily and quickly on a global scale.
Operate regardless of location, infrastructure, system, function, or use case.
Support a move to passwordless and passkey-based authentication.
Offer reliable and secure construction.
Meet cost requirements.
After an evaluation and business case process involving multiple vendors, the interviewees’ organizations chose YubiKeys and began deployment.
Multifactor Authentication
Forrester defines MFA as enforcing the use of two or more factors to verify that a user is who they claim to be before granting access to a system, application, or service. MFA methods include OTPs delivered via SMS/email, mobile app push notifications, software tokens, hardware tokens, and smart cards.5
Phishing-Resistant MFA
The Cybersecurity & Infrastructure Security Agency (CISA) states that phishing-resistant MFA “is the most secure form of MFA.”6 Weaker forms of MFA include app-based authentication and SMS and voice authentication.7
CISA “strongly urges all organizations to implement phishing-resistant MFA as part of applying Zero Trust principles.”8 It advises that “while any form of MFA is better than no MFA and will reduce an organization’s attack surface, phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort.”9
FIDO is one of the authentication forms of phishing-resistant MFA.
CISA lists the forms of MFA from weakest to strongest. It lists phishing-resistant MFA, such as FIDO, as the strongest with the least susceptibility to threats including phishing, push bombing, exploitation of SS7 protocol vulnerabilities, and SIM swaps.10
Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:
Description of composite. The composite organization is a global enterprise based in North America. It has 5,000 employees and $2.5 billion annual revenue. Before adopting YubiKeys, the composite organization used traditional MFA and enforced quarterly password updates and strict password policies for employees, which led to regular password resets. The organization plans to move toward passwordless authentication by first adopting phishing-resistant MFA.
Deployment characteristics. The composite organization deploys YubiKeys to all 5,000 of its end users and encourages its partners to also adopt YubiKeys. It opts to purchase these keys using YubiKey as a Service and have them delivered to its sites and employees with Delivery. It also saves time by enrolling all end users with the Yubico Enrollment Suite.
| Ref. | Metric | Source | Value |
|---|---|---|---|
| R1 | Revenue | Composite | $2.5 billion |
| R2 | Operating margin11 | Research data | 12% |
| R3 | Internal end users (employees and contractors) | Composite | 5,000 |
| R4 | YubiKeys per end user | Composite | 1 |
| R5 | Prior MFA state | Composite | Traditional MFA |
| R6 | Fully burdened hourly rate for end users12 | Research data | $48 |
| R7 | Fully burdened hourly rate for security and IAM employees | Composite | $70 |
| R8 | Fully burdened hourly rate for leadership | Composite | $104 |
| Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Atr | Strengthened security | $628,983 | $628,983 | $628,983 | $1,886,949 | $1,564,188 |
| Btr | Business growth | $0 | $720,000 | $1,680,000 | $2,400,000 | $1,857,250 |
| Ctr | Enhanced end-user experience | $876,802 | $876,802 | $876,802 | $2,630,407 | $2,180,478 |
| Dtr | Security operations efficiency | $366,912 | $366,912 | $366,912 | $1,100,736 | $912,456 |
| Etr | Help desk support savings | $191,250 | $191,250 | $191,250 | $573,750 | $475,610 |
| Ftr | Cost savings from decommissioned authentication solutions | $129,060 | $129,060 | $129,060 | $387,180 | $320,953 |
| | Total benefits (risk-adjusted) | $2,193,007 | $2,913,007 | $3,873,007 | $8,979,022 | $7,310,935 |
Evidence and data. Interviewees confirmed that their organizations had not experienced any account takeovers or breaches relating to phishing or credential theft since deploying YubiKeys. They were passing security audits, and their end users were now phishing resistant.
Since adopting YubiKeys and with 100% of their employees now using MFA, the general director of information assurance at a transportation organization said that account takeovers had not happened. They added: “Phishing attacks cannot happen. Password spray attacks go away. Account sharing becomes difficult. Strong authentication is just necessary at this point.”
The vice president of identity, cloud, and compute at a hospitality organization said, “We haven’t had a single account takeover since we adopted YubiKeys.”
The director of client authentication at a financial services organization said: “We have seen zero fraud against accounts secured with YubiKeys. I cannot say the same for the mobile app.”
The director of information technology and cybersecurity at a government organization said, “YubiKeys increased our security.” They continued: “We had a [government group] go over our security posture and rate us. They were really impressed. We are meeting and exceeding the federal requirements for cybersecurity.”
Beyond internal security, the senior manager of cybersecurity at a telecom services organization detailed how they were able to have their partners start using YubiKeys to magnify the impact. They said: “We funded and seeded all first-time keys out of our corporate cybersecurity budget, even for partners, call centers, and retailers. If we protect these identities and restrict their usage to FIDO2, it really reduces the attack surface.” They continued: “It is affordable for your partners. You can build it into your contracts and offset that cost. Yubico ships globally and they will handle logistics.” They added, “No partner wants to be the reason that your customer data got out.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The total annual risk exposure to security breaches for the composite organization is $2,118,000. This is based on Forrester’s 2025 Security Survey and the total number of end users.13
Fifty-eight percent of breaches originate from external attacks targeting organizations, or external attacks targeting remote environments. This is calculated using Forrester’s 2025 Security Survey.14 Forrester increased this slightly to account for attacks or incidents involving the external ecosystem based on Forrester’s 2025 Security Survey and the 2025 Data Breach Investigations Report data on third-party involvement in breaches.15
According to the 2025 Data Breach Investigations Report, 60% of breaches involve the human element, with credential abuse and social actions as the top two components.16 Forrester has conservatively adjusted this down.
YubiKeys reduce the risk of exposure to breach costs from these addressable attacks by 99.99%.
Risks. Strengthened security benefits may vary depending on:
The size of an organization and how much risk exposure it faces.
Whether an organization can convince its partners to adopt phishing-resistant MFA and to what degree.
The types of attacks an organization faces and whether YubiKeys can address those attacks.
Whether an organization was previously using any form of MFA and the degree of improvement it can realize with YubiKeys.
How an organization deploys YubiKeys and how well its end users adopt them.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.6 million.
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|
| A1 | Total annual risk exposure to security breaches for the composite organization | Forrester research | $2,118,000 | $2,118,000 | $2,118,000 |
| A2 | Percentage of breaches originating from external attacks targeting organizations, external attacks targeting remote environments, attacks, or incidents involving the external ecosystem | Forrester research | 60% | 60% | 60% |
| A3 | Percentage of those attacks addressable with Yubico YubiKeys | Research data | 55% | 55% | 55% |
| A4 | Annual risk exposure addressable with Yubico YubiKeys | A1*A2*A3 | $698,940 | $698,940 | $698,940 |
| A5 | Reduced risk of exposure to breach costs from addressable attacks with Yubico YubiKeys | Interviews | 99.99% | 99.99% | 99.99% |
| At | Strengthened security | A4*A5 | $698,870 | $698,870 | $698,870 |
| | Risk adjustment | ↓10% | | | |
| Atr | Strengthened security (risk-adjusted) | | $628,983 | $628,983 | $628,983 |
| | Three-year total: $1,886,949 | Three-year present value: $1,564,188 | | | |
Evidence and data. By adopting phishing-resistant MFA with YubiKeys, interviewees’ organizations were able to grow new business and protect existing business. The interviewees explained that their organizations strengthened their security reputations which built customer trust, won new business with security requirements, delivered better customer experiences, strengthened customer security, and reduced churn risk.
First, the interviewees explained that they were able to strengthen and more effectively avoid damaging their security reputations, which led to increased trust and drove revenue. The senior manager of cybersecurity at a telecom services organization said: “We see the confidence in the brand rising. The world wants to know that their information is secure.” They continued: “We wanted to be the best in class. What is it worth to your brand to be the most secure? Looking at companies that have high brand confidence, a lot of that comes down to customers trusting that their information is safe.”
Second, by strengthening security, they were able to win customers and deals that had particular security requirements.
Third, interviewees’ organizations were able to deliver better customer experiences by using YubiKeys instead of cell phones when authenticating in front of customers.
Fourth, and relatedly, interviewees discussed the value of heightened security from their customers’ and clients’ use of YubiKeys. The director of client authentication at a financial services organization said, “Our customers appreciate the extra security we are providing.” They continued: “Is it a better story for our business? We are providing a level of security for our commercial clients that I do not think you will find with other institutions. The account takeover risk has lowered, and the security posture of these accounts has increased greatly since we implemented FIDO with YubiKeys.” They concluded, “The customer experience is better with YubiKeys because the losses are significantly less.”
Last, strengthening security with YubiKeys not only enabled new revenue growth but also revenue protection with reduced churn. The vice president of identity, cloud, and compute at a hospitality organization said, “It takes years to recover from that type of reputational hit.” Forrester’s 2025 Security Survey shows that breach effects include lost customers and greater difficulty attracting new customers.17 Similarly, more than 20% of customers would permanently stop doing business with a company in response to a data breach.18 Breaches and outages erode customer confidence and brand equity.19
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Its end users in customer-facing roles use YubiKeys, offering better in-person customer experiences as compared to using cell phones.
The composite organization can win contracts and deals that require increased security.
The composite organization gains new customers from an improved security reputation, which results in increased trust. It also enables customers to use YubiKeys with its customer accounts to strengthen security for customers.
In addition to new revenue growth, the composite organization protects its revenue and reduces churn risk associated with decreased trust from security incidents.
Risks. Business growth benefits may vary depending on:
The nature of an organization’s business, its prior state, and whether it can deliver an enhanced customer experience.
Whether an organization can capitalize on an improved security reputation for new business growth and improved customer retention.
Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.9 million.
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|
| B1 | Revenue | R1 | $2,500,000,000 | $2,500,000,000 | $2,500,000,000 |
| B2 | Percentage of revenue from acquisition | Composite | 20% | 20% | 20% |
| B3 | Increased revenue attributable to adopting Yubico YubiKeys (percentage points) | Estimate based on interviews | 0.00% | 0.50% | 1.50% |
| B4 | Subtotal: Incremental revenue from improved customer experiences and security reputation | B1*B2*B3 | $0 | $2,500,000 | $7,500,000 |
| B5 | Percentage of revenue from retention | 1-B2 | 80% | 80% | 80% |
| B6 | Reduced risk of churn attributable to adopting Yubico YubiKeys (percentage points) | Estimate based on interviews | 0.00% | 0.25% | 0.50% |
| B7 | Subtotal: Incremental revenue from improved customer experiences and security reputation | B1*B5*B6 | $0 | $5,000,000 | $10,000,000 |
| B8 | Subtotal: Incremental revenue attributable to YubiKeys | B4+B7 | $0 | $7,500,000 | $17,500,000 |
| B9 | Operating profit margin | R2 | 12% | 12% | 12% |
| Bt | Business growth | B8*B9 | $0 | $900,000 | $2,100,000 |
| | Risk adjustment | ↓20% | | | |
| Btr | Business growth (risk-adjusted) | | $0 | $720,000 | $1,680,000 |
| | Three-year total: $2,400,000 | Three-year present value: $1,857,250 | | | |
Evidence and data. Interviewees told Forrester that their organizations’ end users were more productive on two fronts. First, by simplifying password policies and eliminating periodic, planned password updates or even going fully passwordless, end users saved considerable time. End users valued not having to regularly change and memorize passwords that needed to meet strict requirements and required disruptive, unplanned resets when forgotten. Second, interviewees explained that MFA with YubiKeys was faster than other MFA methods. Those interviewees’ organizations that went passwordless with YubiKeys authenticated even faster. End users were able to save time and focus on more valuable activities. Plus, the authentication experience was better overall.
Interviewees discussed time savings from reducing planned password updates and unplanned password resets. The principal identity engineer at a technology organization that went passwordless with YubiKeys said: “When we told employees that they were not going to have to remember a password and they just needed to plug the key in and tap it, it was an easy sell. The experience was better for everybody.”
The interviewees also discussed the authentication experience and speed with YubiKeys. They noted that this could vary depending on a worker’s role, such as knowledge or frontline workers, as well as the environments in which they operated. It also depended on their prior state and whether their organizations went passwordless.
Overall, interviewees noted that they received positive feedback on the user experience.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite organization previously mandated quarterly password updates for each end user, which it eliminates when it adopts YubiKeys. Each end user saves 30 minutes per planned password update.
Each end user also avoids one unplanned password reset per year. This saves 60 minutes of unplanned disruption per end user per year.
The composite recaptures 50% of the password-related time saved for productive work.
The composite organization’s internal end users authenticate twelve times per day, and each authentication attempt previously took 25 seconds with traditional MFA authentication.
With YubiKeys, the end users authenticate 80% faster on average, taking 5 seconds per attempt. Instead of using their phones and waiting for a code via SMS, they can simply tap their keys. The composite recaptures 20% of the time saved for productive work.
The average fully burdened hourly rate for end users is $48.
Risks. Enhanced end-user experience benefits may vary depending on:
The number of internal end users and the number of planned and unplanned password resets per year.
An organization’s prior password policy, including how frequently it mandated updates.
The time each end user takes to complete a planned password update and the time disrupted by unplanned password resets.
How many times end users authenticate per day, how long it took them to authenticate per attempt based on their roles, and the prior authentication methods.
End-user adoption of YubiKeys and their proficiency using them.
End users’ roles and their fully burdened hourly rates.
How well end users can recapture and repurpose the time saved.
Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2.2 million.
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| C1 | End users | R3 | 5,000 | 5,000 | 5,000 | |
| C2 | Policy-mandated password updates | Composite | 4 | 4 | 4 | |
| C3 | Time saved per end user per planned password update (minutes) | Interviews | 30 | 30 | 30 | |
| C4 | Subtotal: Time saved on policy-mandated password updates (hours) | C1*C2*(C3/60 minutes) | 10,000 | 10,000 | 10,000 | |
| C5 | Avoided password reset tickets | E3 | 5,000 | 5,000 | 5,000 | |
| C6 | Time saved per end user per unplanned password reset disruption (minutes) | Estimate based on interview data | 60 | 60 | 60 | |
| C7 | Subtotal: Time saved on password resets (hours) | C5*(C6/60 minutes) | 5,000 | 5,000 | 5,000 | |
| C8 | Authentication attempts per day per end user | Composite | 12 | 12 | 12 | |
| C9 | Time to authenticate per attempt before adopting YubiKeys (seconds) | Interviews | 25 | 25 | 25 | |
| C10 | Percentage faster authentication with YubiKeys | Interviews | 80% | 80% | 80% | |
| C11 | Subtotal: Time saved authenticating (hours) | C1*C8*230 days*(C9/3,600 seconds)*C10 | 76,667 | 76,667 | 76,667 | |
| C12 | Fully burdened hourly rate for end users | R6 | $48 | $48 | $48 | |
| C13 | Productivity recapture rate for password updates and resets | TEI methodology | 50% | 50% | 50% | |
| C14 | Productivity recapture rate for time spent authenticating | TEI methodology | 20% | 20% | 20% | |
| Ct | Enhanced end-user experience | ((C4+C7)*C12*C13)+(C11*C12*C14) | $1,096,003 | $1,096,003 | $1,096,003 | |
| Risk adjustment | ↓20% | |||||
| Ctr | Enhanced end-user experience (risk-adjusted) | | $876,802 | $876,802 | $876,802 | |
| Three-year total: $2,630,407 | Three-year present value: $2,180,478 | |||||
Evidence and data. As a result of strengthening security, interviewees explained that their organizations’ IAM and security employees were able to spend less time investigating the attacks that YubiKeys prevented, such as phishing and credential theft. There was also the opportunity to save time on password-related tasks, audit-related tasks, and ongoing management related to their prior authentication solutions. This meant they were able to spend more time on more meaningful tasks. The general director of information assurance at a transportation organization said: “The less they have to investigate, the better off we are. We benefit from less reported account takeovers.” They added, “It is simplifying compliance and audit reporting.” The vice president of identity, cloud, and compute also noted, “We save time investigating account takeovers.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite organization’s security team spends less time investigating attacks that YubiKeys address, saving two FTEs.
The composite organization decommissions its prior authentication solution and saves half an FTE on ongoing management and support.
It is also able to simplify its password policy management and do less compliance and auditing reporting, adding up to one FTE in time savings.
The fully burdened hourly rate for security and IAM employees is $70.
These employees can recapture 80% of this time savings for productive, higher value security and identity-related work.
Risks. Security operations efficiency may vary depending on:
The prior state of an organization and how much time it spent investigating addressable attacks and managing other authentication solutions, password policy, compliance, and auditing reporting.
The individuals engaging in this work and their fully burdened hourly rates.
How well an organization can recapture time savings into productive work.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $913,000.
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| D1 | Security time saved investigating attacks addressable with YubiKeys (hours) | Composite | 4,160 | 4,160 | 4,160 | |
| D2 | Security time saved on decommissioned authentication solutions (hours) | Composite | 1,040 | 1,040 | 1,040 | |
| D3 | Security time saved on password policy management, compliance, and auditing reporting (hours) | Composite | 2,080 | 2,080 | 2,080 | |
| D4 | Subtotal: Security time saved (hours) | D1+D2+D3 | 7,280 | 7,280 | 7,280 | |
| D5 | Fully burdened hourly rate for security and IAM employees | R7 | $70 | $70 | $70 | |
| D6 | Productivity recapture rate | TEI methodology | 80% | 80% | 80% | |
| Dt | Security operations efficiency | D4*D5*D6 | $407,680 | $407,680 | $407,680 | |
| Risk adjustment | ↓10% | |||||
| Dtr | Security operations efficiency (risk-adjusted) | | $366,912 | $366,912 | $366,912 | |
| Three-year total: $1,100,736 | Three-year present value: $912,456 | |||||
Evidence and data. Adopting phishing-resistant MFA with YubiKeys enabled the interviewees’ organizations to simplify password policies or even go completely passwordless. This meant that their help desks received fewer password-related tickets, yielding cost savings. The general director of information assurance at a transportation organization said, “[Password-related tickets] are down to zero now.” Similarly, the vice president of identity, cloud, and compute at a hospitality organization said, “Our password reset tickets have gone down.” They added: “We have locations that went YubiKey only and passwordless. We do not get any password reset requests from these employees.” Interviewees’ organizations were also able to eliminate tickets relating to their prior authentication solutions.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Its internal end users previously averaged one password reset ticket per year that required help desk involvement.
The composite organization had a prior authentication solution. Each internal end user averaged 0.5 legacy authentication-related tickets that required help desk involvement per year.
It eliminates these tickets by adopting YubiKeys, resulting in cost savings.
The average cost per IAM-related help desk ticket is $30 (endnote 20).
Risks. Help desk support savings may vary depending on:
The number of internal end users and how many password reset tickets they used to submit that required help desk support.
Whether an organization enables its customers to use YubiKeys.
Whether an organization had a prior authentication solution and how many tickets end users submitted to the help desk.
Who resolves these tickets, how many people are involved, the time it takes, and the resulting cost per help desk ticket.
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $476,000.
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| E1 | End users | R3 | 5,000 | 5,000 | 5,000 | |
| E2 | Password reset tickets per end user requiring help desk support | Composite | 1.0 | 1.0 | 1.0 | |
| E3 | Subtotal: Avoided password reset tickets | E1*E2 | 5,000 | 5,000 | 5,000 | |
| E4 | Decommissioned authentication solution tickets per end user requiring help desk support | Composite | 0.5 | 0.5 | 0.5 | |
| E5 | Subtotal: Avoided decommissioned authentication solution tickets | E1*E4 | 2,500 | 2,500 | 2,500 | |
| E6 | Average cost per IAM-related help desk ticket | Forrester research | $30 | $30 | $30 | |
| Et | Help desk support savings | (E3+E5)*E6 | $225,000 | $225,000 | $225,000 | |
| Risk adjustment | ↓15% | |||||
| Etr | Help desk support savings (risk-adjusted) | | $191,250 | $191,250 | $191,250 | |
| Three-year total: $573,750 | Three-year present value: $475,610 | |||||
Evidence and data. Each interviewee’s organization had a different prior state, with some using only usernames and passwords, some using traditional MFA, and some using more advanced MFA or a blend of authentication solutions. By adopting YubiKeys, there was an opportunity to retire those prior authentication solutions and realize cost savings.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite organization previously used traditional MFA authentication. This cost $143,400 per year.
By adopting YubiKeys, the composite organization stops using traditional MFA authentication and begins realizing those cost savings in Year 1.
Risks. Cost savings from decommissioned authentication solutions may vary depending on:
Whether an organization was using prior authentication solutions and what those solutions were.
The cost of any prior authentication solutions and the degree and speed at which an organization can retire those costs.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $321,000.
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| F1 | Annual cost of legacy MFA solution(s) | Composite | $143,400 | $143,400 | $143,400 | |
| F2 | Percentage reduction in legacy MFA solution(s) | Composite | 100% | 100% | 100% | |
| Ft | Cost savings from decommissioned authentication solutions | F1*F2 | $143,400 | $143,400 | $143,400 | |
| Risk adjustment | ↓10% | |||||
| Ftr | Cost savings from decommissioned authentication solutions (risk-adjusted) | | $129,060 | $129,060 | $129,060 | |
| Three-year total: $387,180 | Three-year present value: $320,953 | |||||
Interviewees mentioned the following additional benefits that their organizations experienced but could not quantify:
Strengthening security for customers. In addition to strengthening security for internal end users and even partners, interviewees explained that their organizations’ customers could also benefit. The director of client authentication at a financial services organization said, “YubiKeys break the entire fraud pattern that we were seeing with clients.” They added, “The attackers disappeared as soon as they saw that we were enforcing FIDO authentication.” Using YubiKeys with customers yielded productivity gains for security and IAM employees, reductions in help desk tickets, and better customer experiences in addition to improved security and fewer losses.
Meeting cyber insurance requirements. Although they could not quantify it, interviewees noted that deploying YubiKeys could help their organizations meet cyber insurance requirements and reduce their premiums. The director of information technology and cybersecurity at a government organization said, “YubiKeys help with the cost because the likelihood of having a data breach is so much less compared to before.” The general director of information assurance at a transportation organization said, “A rigorous cybersecurity program helps with cyber insurance premiums.”
Meeting compliance requirements. Interviewees’ organizations were part of different industries and had different security requirements or goals that they needed to meet. YubiKeys helped organizations meet and exceed their authentication requirements, pass audits, and achieve certifications.
Ease of YubiKey adoption and management, enabled by Yubico’s services and support. Interviewees’ organizations did not adopt and manage YubiKeys alone. They did so with the help of Yubico and its partners, including support and professional services. As a result, they felt well supported and reported a high-quality experience. The general director of information assurance at a transportation organization said: “Yubico has provided guidance and assistance, and they have made introductions that helped us be successful. They have taken suggestions, they have listened, and they have helped us solve problems. It is a good partnership. It is exactly what I expect from a vendor. They really are an excellent group of people.”
The vice president of identity, cloud, and compute at a hospitality organization elaborated on the value of partners, saying: “Yubico helped us find a reseller that had better reach in particular countries. We can get keys everywhere at this point.” They also discussed how they worked with a vendor to include YubiKeys with laptops when shipping them to new employees.
Speed of adoption and ease of management, enabled by Yubico’s enterprise services. Interviewees said that YubiKey as a Service enabled faster rollouts and streamlined management as compared to purchasing YubiKeys via a perpetual buying model. Delivery compounded the effects by enabling interviewees’ organizations to outsource YubiKey management and shipping to Yubico. The Yubico Enrollment Suite enabled them to benefit from a simplified enrollment process. By leveraging either Yubico FIDO Pre-reg or YubiEnroll, organizations could enroll the keys for their users. The principal identity engineer at a technology organization said that after acquiring YubiKeys for all their employees, they wanted employees’ first login to be through a preenrolled YubiKey. FIDO Pre-reg satisfied both their phishing-resistant requirement and their goal to be passwordless. They said: “It is great. It is all automated. The workflow kicks off for each new hire and automatically dispatches a YubiKey to their address and sends the pin to their personal email.” They estimated that FIDO Pre-reg saves 30 minutes per hire.
Financial flexibility. Interviewees also noted that they had financial and deployment flexibility with the option to purchase YubiKeys via perpetual or subscription models. This meant that they could opt for upfront capital expenditures or ongoing operating expenditures depending on what suited their organization best. With YubiKey as a Service, organizations gained budget predictability with the opex model and the flexibility to adapt and scale quickly and easily while being able to choose the best keys for their end users. The general director of information assurance at a transportation organization said, “Budget predictability is definitely true.”
The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement YubiKeys and later realize additional uses and business opportunities, including:
Moving to passwordless. YubiKeys’ support for multiple protocols and device-bound passkeys made passwordless possible for interviewees’ organizations. This was not just a possibility for interviewees’ organizations, either. Some had moved beyond passwords with YubiKeys. The senior manager of cybersecurity at a telecom services organization said: “Yubico and FIDO2 enabled us to remove not only everyone’s ability to use a password but also their ability to even reset the passwords that they do not know. The business still runs.”
Passwordless Authentication
Forrester defines passwordless authentication as using factors other than static passwords to authenticate users. Today’s solutions leverage public-key cryptography where the private key is kept on a user’s device and accessed using facial or fingerprint biometric authentication on that device.21
Moving to Zero Trust. Along with the opportunity to transition to a passwordless future more easily, interviewees noted an opportunity to progress in their adoption of Zero Trust. The director of information technology and cybersecurity at a government organization said: “YubiKeys are passwordless. Passwordless is Zero Trust by definition. You have to have physical access to the YubiKey, so we do not have to worry about password sharing. YubiKeys have been an influencer on increasing the Zero Trust methodology being used.”
Zero Trust
Forrester defines Zero Trust as an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates three core principles: All entities are untrusted by default, least privilege access is enforced, and comprehensive security monitoring is implemented.22
Flexibility with authentication standards. Interviewees valued the fact that YubiKeys support multiple protocols and open standards. This meant that they could swap to newer authentication protocols, like FIDO2, without needing to get new keys or swap to a new solution.
Allowing users to also secure their personal technology use. In addition to using YubiKeys for organizational purposes, end users could also use YubiKeys for personal use. Some interviewees’ organizations actively encouraged their employees to use YubiKeys outside of work. They recognized that this could be seen as a benefit to employees and that their organizations also benefited from strengthened employee security at home. The general director of information assurance at a transportation organization said: “We allow employees to use YubiKeys for their personal use. Most attackers that we see are criminals looking to steal money. They do not care whether it is our organization’s money or our employees’ money, so we encourage the use of MFA in all parts of their life. Employees using a YubiKey for that does not hurt us. It shows that we care about them too.” The senior manager of cybersecurity at a telecom services organization added: “We do not collect the keys after employees leave. We encourage employees to take the keys and have the rest of their life be secure. That is a culture thing.”
Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Total Economic Impact Approach).
| Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|---|
| Gtr | YubiKey as a Service | $48,125 | $192,500 | $192,500 | $192,500 | $625,625 | $526,844 |
| Htr | Delivery | $12,464 | $3,115 | $3,115 | $3,115 | $21,810 | $20,211 |
| Itr | Implementation | $582,384 | $0 | $0 | $0 | $582,384 | $582,384 |
| Jtr | Ongoing management and support | $0 | $113,080 | $104,830 | $96,580 | $314,490 | $261,998 |
| Ktr | End-user training and setup | $528,000 | $33,000 | $33,000 | $33,000 | $627,000 | $610,066 |
| | Total costs (risk-adjusted) | $1,170,973 | $341,695 | $333,445 | $325,195 | $2,171,309 | $2,001,503 |
Evidence and data. Interviewees’ organizations purchased YubiKeys in one of two ways. Some organizations purchased YubiKeys via a perpetual model where they bought the keys upfront with one-time payments. They then purchased new keys whenever they needed more. Other organizations purchased YubiKeys via a subscription model with monthly per user pricing that covered replacement keys. Interviewees told Forrester that YubiKey as a Service offered a lower cost to entry with flexibility and choice in keys and faster rollouts.
The general director of a transportation organization explained how the YubiKey as a Service subscription model gave them a predictable operating expense. They said: “YubiKey as a Service gives us a budget number for planning every year and additional access to support. Renewing it was an easy decision.”
The director of client authentication for a financial services organization told Forrester how YubiKey as a Service enabled greater flexibility and choice. They said: “We used to offer three types of YubiKeys [with the perpetual buying model]. With YubiKey as a Service, we can offer all the models. We do not have to maintain inventories of certain key types. The subscription model lowered the overhead for us in managing this.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite organization deploys one key per internal end user. It also encourages its partners to adopt YubiKeys.
The composite organization leverages YubiKey as a Service and selects the advanced tier plan with plus support and a three-year term and pays list price rates.
To allow time for key delivery and training, the composite organization pays for three months of YubiKey as a Service prior to launch.
Pricing may vary. List pricing for perpetual purchases is available on Yubico’s website. Contact Yubico for additional details on YubiKey as a Service pricing.
Risks. The cost of YubiKey as a Service may vary depending on:
The number of internal end users.
The number of external end users an organization purchases keys for, such as customers or partners.
Whether an organization leverages the YubiKey as a Service subscription model or the one-time, perpetual buying model.
The selected YubiKey as a Service tier and service plan as influenced by security and end-user needs.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $527,000.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| G1 | YubiKey as a Service | Composite | $43,750 | $175,000 | $175,000 | $175,000 |
| Gt | YubiKey as a Service | G1 | $43,750 | $175,000 | $175,000 | $175,000 |
| Risk adjustment | ↑10% | |||||
| Gtr | YubiKey as a Service (risk-adjusted) | | $48,125 | $192,500 | $192,500 | $192,500 |
| Three-year total: $625,625 | Three-year present value: $526,844 | |||||
Evidence and data. Interviewees’ organizations had to consider how to best distribute YubiKeys to their internal employees and contractors and even their external partners and customers. They had to determine what option would be the most cost-effective, least labor intensive, and ultimately, most likely to accelerate MFA adoption. Some organizations managed the distribution of YubiKeys themselves while others worked with Yubico partners. Some opted to take advantage of Delivery.
Interviewees explained that Delivery was cost-effective. They only needed to pay for shipping costs and did not need to invest the labor to ship keys. Plus, outsourcing the shipping meant end users received the keys faster. The general director of information assurance at a transportation organization said: “Delivery is great. We originally had interns stuffing envelopes and shipping keys, so that meant distribution was on the interns’ schedules and not the users’ schedules. Now, with Delivery, we send an API request and keys ship very quickly and consistently. I have not heard about any unhappy users. … Our cost has gone down with Delivery too.”
Interviewees also explained that Delivery helped simplify distribution with turnkey delivery. The general director of information assurance at a transportation organization said: “With YubiKey as a Service, we have access to Delivery. If someone reports that they have lost a YubiKey and they are not near a facility, they can have one shipped to them.”
Delivery accelerated MFA adoption for interviewees’ organizations. The director of client authentication for a financial services organization said, “Delivery solved a huge challenge for us because we were not operationally prepared to handle procurement and delivery of the FIDO keys to our clients during the pandemic.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite organization leverages Delivery to distribute its keys.
The composite organization initially distributes one key to each end user.
Twenty-five percent of end users need a new key each year due to new hires and lost keys.
Thirteen percent of end users work fully remotely and need their keys shipped to them directly.23 The remaining 87% of end users work fully onsite or hybrid and can pick up their keys in person.
The composite organization is based in North America but has global sites. It pays standard shipping rates averaging $15.00 for each key shipped directly to end users and $0.25 per key bulk shipped to company sites. These rates are based on North America and EMEA shipping rates.
Pricing may vary. Select shipping rates are available on Yubico’s product documentation website. Contact Yubico for additional details on Delivery pricing.
Risks. The cost of Delivery may vary depending on:
The number of internal end users.
The number of external end users an organization purchases keys for, such as customers or partners.
The number of keys allocated per end user and how often end users need replacement keys as influenced by their roles and habits.
Whether an organization leverages the Delivery service, distributes the keys itself, or works with a partner.
Where end users and an organization’s sites are located.
Whether end users work fully onsite, hybrid, or fully remote, and how an organization would prefer to distribute the keys.
How quickly an organization needs its end users to receive the keys.
Taxes and shipping rate adjustments.
Results. To account for these risks, Forrester adjusted this cost upward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $20,000.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| H1 | End users | R3 | 5,000 | 5,000 | 5,000 | 5,000 |
| H2 | YubiKeys shipped per end user when needing a new YubiKey | Initial: R4 Y1-Y3: 1 | 1 | 1 | 1 | 1 |
| H3 | Percentage of end users receiving a new YubiKey | Composite | 100% | 25% | 25% | 25% |
| H4 | Percentage of YubiKeys shipped directly to end users | Composite | 13% | 13% | 13% | 13% |
| H5 | Average direct shipping cost per YubiKey | Composite | $15.00 | $15.00 | $15.00 | $15.00 |
| H6 | Percentage of YubiKeys bulk shipped to corporate locations | 1-H4 | 87% | 87% | 87% | 87% |
| H7 | Average bulk shipping cost per YubiKey | Composite | $0.25 | $0.25 | $0.25 | $0.25 |
| Ht | Delivery | (H1*H2*H3*H4*H5)+(H1*H2*H3*H6*H7) | $10,838 | $2,709 | $2,709 | $2,709 |
| Risk adjustment | ↑15% | |||||
| Htr | Delivery (risk-adjusted) | | $12,464 | $3,115 | $3,115 | $3,115 |
| Three-year total: $21,810 | Three-year present value: $20,211 | |||||
Evidence and data. After choosing to invest in YubiKeys, the interviewees’ organizations planned, validated, integrated, launched, and adopted YubiKeys. These rollouts were made easier and accelerated with YubiKey as a Service, Delivery, Yubico Enrollment Suite, and Yubico’s professional services and support.
Interviewees told Forrester that there was some technical implementation effort for YubiKeys although it varied depending on the preexisting technical and MFA environment and their organizations’ goals. For example, some organizations had preexisting MFA solutions that they needed to decommission, while others had thousands of applications that they needed to integrate. Some organizations used the opportunity to undertake other efforts at the same time such as fully moving to passwordless authentication. The principal identity engineer at a technology organization said, “The technical implementation was very simple.”
Each interviewee’s organization approached deployment differently. Some took a top-down approach, others started with IT, and some took a data-driven approach starting with their most at-risk end users. The senior manager of cybersecurity at a telecom services organization said: “We took a data-driven approach to prioritization looking at where our account takeovers were happening. We engaged the leaders of each one of those groups.”
According to the interviewees, sufficient communication and change management was critical to successful organizationwide adoptions. The senior manager of cybersecurity at a telecom services organization said: “We had our service desk all hands on deck. We would white glove you, help you register your key, help you get your account redone, and more after that attestation. It was supportive of that culture change. We had leaders from across the organization in the room. We had cross-functional teams where we were building and refining the documentation. We watched call drivers. We opened special support bridges so we did not overload our service desk. We also got to hear firsthand the actual issues that were being seen, and we could work through and get those resolved. Our communication campaign started from the top down with vice president and above and then director and above. We took an opportunity to have an executive meeting and get all our executives registered. Even prior to that, we looked through our policies. The partnership from the top down was great.”
Some organizations ran pilots. These initiatives helped gain feedback from early end users, demonstrate success and ease of use, and gain internal support. The vice president of identity, cloud, and compute at a hospitality organization said, “We decided that we were going to go with YubiKeys for that entire user population out of the gate, which was about 30,000 people.” They explained: “We had to cover YubiKey content in multiple languages. We put together training videos, knowledge base documents, and more. It took a few months. We did some pilots.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite organization commits 6,240 hours to plan, validate, integrate, and launch YubiKeys.
YubiKey as a Service, Delivery, and the Yubico Enrollment Suite accelerate and simplify deployment. The composite organization also benefits from Yubico’s professional services.
The fully burdened hourly rate for security and IAM employees is $70.
Leaders across the composite organization dedicate 780 hours to support the change to phishing-resistant MFA.
The fully burdened hourly rate of the cross-functional leaders is $104.
To validate the investment in YubiKeys effectively, the composite organization runs a pilot program. End users spend 240 hours piloting the keys and sharing feedback.
Risks. This cost may vary depending on:
An organization’s prior authentication environment and the amount of time it will take for planning, validating, integrating, and launching YubiKeys.
The individuals who engage in the implementation effort and their fully burdened hourly rates.
The overall change management effort, including how many cross-functional leaders are involved, their roles, and the degree of their involvement.
Whether an organization conducts a pilot with end users and the size and length of that pilot.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $582,000.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| I1 | IT labor time for planning, validating, integrating, and launching YubiKeys (hours) | Interviews | 6,240 | | | |
| I2 | Fully burdened hourly rate for security and IAM employees | R7 | $70 | | | |
| I3 | Subtotal: IT labor cost | I1*I2 | $436,800 | | | |
| I4 | Cross-functional labor time (hours) | Interviews | 780 | | | |
| I5 | Fully burdened hourly rate for leadership | R8 | $104 | | | |
| I6 | Subtotal: Cross-functional labor cost | I4*I5 | $81,120 | | | |
| I7 | Pilot labor time (hours) | Interviews | 240 | | | |
| I8 | Fully burdened hourly rate for end users | R6 | $48 | | | |
| I9 | Subtotal: Pilot labor cost | I7*I8 | $11,520 | | | |
| It | Implementation | I3+I6+I9 | $529,440 | $0 | $0 | $0 |
| | Risk adjustment | ↑10% | | | | |
| Itr | Implementation (risk-adjusted) | | $582,384 | $0 | $0 | $0 |
| Three-year total: $582,384 | Three-year present value: $582,384 | | | | | |
Evidence and data. After deployment, interviewees discussed how their organizations supported their YubiKey investments on an ongoing basis. This included integrating new applications, occasionally updating YubiKey documentation and training materials, periodic training, onsite key distribution, Yubico relationship management, and more. However, interviewees consistently noted that this time investment was minimal due to their upfront time investment and Yubico’s enterprise services such as YubiKey as a Service, Delivery, and the Yubico Enrollment Suite. They also said that although there were some new tickets related to YubiKeys, such as for lost keys, there were overall net savings that increased over time.
The principal identity engineer for a technology organization estimated the ongoing management cost, saying: “The supportability aspect of YubiKeys is super light. One person could do the job for our entire 7,000-person fleet. It is light touch.”
The director of client authentication at a financial services organization explained the impact of YubiKey as a Service on ongoing costs, saying, “Since we have switched over to a subscription model, there is not much management.”
The general director of information assurance at a transportation organization highlighted the decline in YubiKey-related tickets over time, saying: “Our second year was much better for tickets than our first. I expect next year to be even better.”
By investing time upfront to ensure successful YubiKey adoption, the interviewees’ organizations realized the benefits afterward. The vice president of identity, cloud, and compute for a hospitality organization said: “We spent a significant amount of time at the front end of [the investment] and not at the back end, which really turned out to be wonderful as we continue to expand.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite organization commits half an FTE to ongoing management related to the YubiKey investment. This includes time for updates, maintenance, authentication environment support, new application integration, training material maintenance, and onsite key distribution.
YubiKey as a Service, Delivery, and the Yubico Enrollment Suite reduce the time spent on ongoing management and support.
The fully burdened hourly rate for the security and IAM employees engaging in this work is $70.
Twenty percent of end users submit help desk tickets relating to YubiKeys in Year 1. This decreases year over year as the end users gain experience with the keys.
The average cost per IAM-related help desk ticket is $30. 24
Risks. This cost may vary depending on:
Whether an organization leverages YubiKey as a Service and Delivery to reduce the ongoing management and support it needs.
An organization’s prior and current authentication environment and the time it spends managing and distributing keys, integrating new applications with YubiKeys, training new end users, and updating training materials.
The fully burdened hourly rates for the security and IAM employees engaging in this ongoing management.
The work habits of an organization’s internal end users and how often they submit YubiKey-related tickets to the help desk.
Who resolves these tickets, how many people are involved, the time it takes, and the resulting cost per help desk ticket.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $262,000.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| J1 | Security labor time for updates, maintenance, authentication environment support, new application integration, training, and key distribution (hours) | Interviews | 0 | 1,040 | 1,040 | 1,040 |
| J2 | Fully burdened hourly rate for security and IAM employees | R7 | $70 | $70 | $70 | $70 |
| J3 | Subtotal: Ongoing management | J1*J2 | $0 | $72,800 | $72,800 | $72,800 |
| J4 | Percentage of end users submitting a YubiKey-related ticket | Interviews | 0% | 20% | 15% | 10% |
| J5 | Average cost per IAM-related help desk ticket | E6 | $30 | $30 | $30 | $30 |
| J6 | Subtotal: Ongoing support | E3*J4*J5 | $0 | $30,000 | $22,500 | $15,000 |
| Jt | Ongoing management and support | J3+J6 | $0 | $102,800 | $95,300 | $87,800 |
| | Risk adjustment | ↑10% | | | | |
| Jtr | Ongoing management and support (risk-adjusted) | | $0 | $113,080 | $104,830 | $96,580 |
| Three-year total: $314,490 | Three-year present value: $261,998 | | | | | |
Evidence and data. To adopt YubiKeys across their organizations successfully, the interviewees emphasized the importance of education and training. As a part of deployment, they created training materials, videos, documentation, and more to support the transition. The principal identity engineer for a technology organization explained: “We have a video that we send out to all new hires. It shows the ways you can use a YubiKey, like plugging into your laptop, plugging into your phone, or tapping the NFC module on your phone.” The interviewees’ organizations also communicated the upcoming change in advance to ease the transition and increase awareness. Although some end users were unfamiliar with MFA, this proactive communication and training helped gain buy-in across entire organizations and ensured smooth adoptions among current end users and new hires.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
To support and accelerate user adoption, the composite organization trains all its end users.
All 5,000 internal end users initially receive keys and each commit 2 hours of time for training, setup, and familiarization due to the changing authentication process.
After the initial adoption of YubiKeys, each new hire commits 1 hour of time for training, setup, and familiarization when onboarding.
The average fully burdened hourly rate for end users is $48.
Risks. The cost of end-user training and setup may vary depending on:
The number of first-time trainees as influenced by an organization’s total number of internal end users and turnover rate.
The time each end user spends learning about YubiKeys and an organization’s authentication process. Some end users may already be familiar with YubiKeys, and organizations will have differing training processes and materials.
The end users’ roles and their corresponding average fully burdened hourly rates.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $610,000.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| K1 | End users | R3 | 5,000 | 5,000 | 5,000 | 5,000 |
| K2 | Percentage of end users receiving a new YubiKey | H3 | 100% | 25% | 25% | 25% |
| K3 | Percentage of YubiKeys going to first-time end users | Composite | 100% | 50% | 50% | 50% |
| K4 | Trainees | K1*K2*K3 | 5,000 | 625 | 625 | 625 |
| K5 | Training, setup, and familiarization time per first-time end user (hours) | Interviews | 2 | 1 | 1 | 1 |
| K6 | Average fully burdened hourly rate for end users | R6 | $48 | $48 | $48 | $48 |
| Kt | End-user training and setup | K4*K5*K6 | $480,000 | $30,000 | $30,000 | $30,000 |
| | Risk adjustment | ↑10% | | | | |
| Ktr | End-user training and setup (risk-adjusted) | | $528,000 | $33,000 | $33,000 | $33,000 |
| Three-year total: $627,000 | Three-year present value: $610,066 | | | | | |
| | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Total costs | ($1,170,973) | ($341,695) | ($333,445) | ($325,195) | ($2,171,309) | ($2,001,503) |
| Total benefits | $0 | $2,193,007 | $2,913,007 | $3,873,007 | $8,979,022 | $7,310,935 |
| Net benefits | ($1,170,973) | $1,851,312 | $2,579,562 | $3,547,812 | $6,807,713 | $5,309,432 |
| ROI | 265% | | | | | |
| Payback | 8 months | | | | | |
The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.
These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.
The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in YubiKeys.
The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that YubiKeys can have on an organization.
Interviewed Yubico stakeholders and Forrester analysts to gather data relative to YubiKeys.
Interviewed six decision-makers at organizations using YubiKeys to obtain data about costs, benefits, and risks.
Designed a composite organization based on characteristics of the interviewees’ organizations.
Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.
Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.
Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”
The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PVs of costs and benefits feed into the total NPV of cash flows.
The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.
A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.
The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.
The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.
Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
1 Source: The Top Cybersecurity Threats In 2025, Forrester Research, Inc., April 14, 2025; Budget Planning Guide 2026: Security And Risk, Forrester Research, Inc., July 10, 2025.
2 Source: Budget Planning Guide 2025: Security And Risk, Forrester Research, Inc., August 1, 2024.
3 Source: The Top Trends Shaping Identity And Access Management In 2025, Forrester Research, Inc., March 6, 2025.
4 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
5 Source: The Forrester Tech Tide™: Identity And Access Management, Q3 2024, Forrester Research, Inc., July 8, 2024.
6 Source: Implementing Phishing-Resistant MFA, Cybersecurity & Infrastructure Security Agency, October 2022.
7 Ibid.
8 Ibid.
9 Ibid.
10 Source: More than a Password, Cybersecurity & Infrastructure Security Agency; Implementing Phishing-Resistant MFA, Cybersecurity & Infrastructure Security Agency, October 2022.
11 Source: Aswath Damodaran, Margins by Sector (US), New York University Stern School of Business, January 2025.
12 Source: Employer Costs For Employee Compensation – June 2025, US Bureau of Labor Statistics News Release, September 12, 2025.
13 Cumulative breach costs are computed using the composite organization’s size (revenue or number of employees) as an input to a regression analysis of reported total cumulative costs for all breaches for organizations that experienced at least one breach in the past 12 months. Source: Forrester’s Security Survey, 2025, “Using your best estimate, what was the total cumulative cost of all breaches experienced by your organization in the past 12 months?” Base: 1,740 global security decision-makers who have experienced a breach in the past 12 months. The cumulative breach cost is then multiplied by a 67% likelihood for organizations to experience one or more breaches in a given year. Source: Forrester’s Security Survey, 2025, “How many times do you estimate that your organization’s sensitive data was potentially compromised or breached in the past 12 months?” Base: 2,643 global security decision-makers.
14 Percentage of breaches by primary attack vector for breaches, as reported by security decision-makers whose organizations experienced at least one breach in the last 12 months. Source: Forrester’s Security Survey, 2025, “Of the times that your organization’s sensitive data was potentially compromised or breached in the past 12 months, please indicate how many of each fall into the categories below.” Base: 1,766 global security decision-makers who have experienced a breach in the past 12 months.
15 Source: Data Breach Investigation Report, 2025, Verizon Business.
16 Source: Ibid.
17 Source: The State Of Data Security, 2025, Forrester Research, Inc., October 22, 2025.
18 Source: High-Performance IT: Security, Privacy, And Resilience, Forrester Research, Inc., January 16, 2024.
19 Source: Jess Burn, Tidings Of Comfort And Trust: Holiday-Season Security That Bolsters Your Brand, Forrester Blogs.
20 Source: Develop Actionable Business-Centric Identity And Access Management Metrics, Forrester Research, Inc., April 16, 2025.
21 Source: The Forrester Tech Tide™: Identity And Access Management, Q3 2024, Forrester Research, Inc., July 8, 2024.
22 Source: David Holmes and Jess Burn, The Definition Of Modern Zero Trust, Forrester Blogs.
23 Source: Jose Maria Barrero, Nick Bloom, and Steven J. Davis, All Full-Time Wage and Salary Workers: Working Fully Remote, Federal Reserve Bank of St. Louis, November 5, 2025.
24 Source: Develop Actionable Business-Centric Identity And Access Management Metrics, Forrester Research, Inc., April 16, 2025.
Readers should be aware of the following:
This study is commissioned by Yubico and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in YubiKeys. For any interactive functionality, the intent is for the questions to solicit inputs specific to a prospect’s business. Forrester believes that this analysis is representative of what companies may achieve with YubiKeys based on the inputs provided and any assumptions made. Forrester does not endorse Yubico or its offerings. Although great care has been taken to ensure the accuracy and completeness of this model, Yubico and Forrester Research are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein. The interactive tool is provided ‘AS IS,’ and Forrester and Yubico make no warranties of any kind.
Yubico reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
Yubico provided the customer names for the interviews but did not participate in the interviews.
Andrew Nadler
Benjamin Brown
January 2026