Passwordless ROI: The Helpdesk Numbers That Justify the Project
Cybersecurity
Forgot-password tickets eat about 20 percent of helpdesk volume at most enterprises we audit. Passkeys make that line go away, but only if you solve recovery and the legacy app problem first.
By Arjun Raghavan, Security & Systems Lead, BIPI · October 4, 2024 · 7 min read
A retail client asked us to build the business case for passkeys. Not the security case; the CFO had already bought that. The business case. We pulled twelve months of helpdesk tickets and the picture was uglier than expected.
Of 84,000 tickets, 17,200 were password resets. Another 4,100 were account lockouts. Combined: 25 percent of ticket volume, roughly 6.2 full-time helpdesk staff burning their year on a problem that has had a fix since 2019.
The numbers that move the CFO
Average handle time for a password reset at this client was 8 minutes including verification. Loaded helpdesk cost was $42 per ticket. Annual spend on this single failure mode: roughly $720,000. Add the productivity loss for the locked-out employee (estimated 22 minutes per incident) and the real number was past $1.2 million.
Six months after the passkey rollout to their workforce, those tickets dropped 91 percent. The remaining 9 percent were almost entirely lost-device or replaced-device scenarios, which is the recovery problem we will get to.
What passkeys actually defend against
"Phishing-resistant" is the marketing line. The technical reality is that the WebAuthn signature is bound to the origin. A phishing site at login.acme-corp.evil cannot replay the signature your laptop produced for login.acme-corp.com. Credential stuffing dies the same day, because there is no shared secret to stuff.
We measured this at a client who had been losing about 40 employee accounts per quarter to phishing kits. Post-rollout, that number went to zero and stayed there. Eight quarters now.
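To make the origin binding concrete, here is an added example (not code from the article or from BIPI) of the checks a relying party runs on a WebAuthn assertion. The authenticator signs authenticatorData || SHA-256(clientDataJSON), and the browser, not page script, writes the origin it actually sees into clientDataJSON, so an assertion produced on login.acme-corp.evil carries the wrong origin and the wrong rpIdHash, and rewriting those fields breaks the signature. One assumption: the signing primitive is an HMAC stand-in for the authenticator's per-credential asymmetric key (ES256 in practice), used only so the example runs on the standard library.

```python
"""Relying-party checks that enforce WebAuthn origin binding (added example).

Assumption: HMAC with a key known to both sides stands in for the
authenticator's private-key signature and the RP's public-key verification.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

RP_ID = "login.acme-corp.com"                      # RP ID from the article
EXPECTED_ORIGIN = "https://login.acme-corp.com"
PHISHING_ORIGIN = "https://login.acme-corp.evil"   # lookalike from the article


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


_CREDENTIAL_KEY = secrets.token_bytes(32)   # stand-in for the credential key pair


def authenticator_sign(message: bytes) -> bytes:
    """Stand-in for the authenticator's signature over the assertion."""
    return hmac.new(_CREDENTIAL_KEY, message, hashlib.sha256).digest()


def rp_verify_signature(message: bytes, signature: bytes) -> bool:
    """Stand-in for verification with the public key stored at registration."""
    return hmac.compare_digest(authenticator_sign(message), signature)


def browser_get_assertion(page_origin: str, challenge: bytes) -> Dict[str, bytes]:
    """What the browser and authenticator return from navigator.credentials.get().

    The origin comes from the browser's own view of the page; rpIdHash is
    SHA-256 of the RP ID derived from it. (A real browser also refuses to use a
    credential scoped to login.acme-corp.com from an unrelated origin; the
    point here is that the server-side checks catch the mismatch as well.)
    """
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    auth_data = (hashlib.sha256(host.encode()).digest()   # rpIdHash (32 bytes)
                 + bytes([0x01])                           # flags: UP (user present)
                 + (0).to_bytes(4, "big"))                 # signature counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data,
            "authenticatorData": auth_data,
            "signature": authenticator_sign(signed)}


def rp_verify_assertion(assertion: Dict[str, bytes], issued_challenge: bytes) -> Tuple[bool, str]:
    """Validate an assertion before accepting the login; first failing check wins."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not rp_verify_signature(signed, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def verify_legitimate_login() -> Tuple[bool, str]:
    challenge = secrets.token_bytes(32)
    return rp_verify_assertion(browser_get_assertion(EXPECTED_ORIGIN, challenge), challenge)


def verify_phished_relay() -> Tuple[bool, str]:
    """The real site's challenge is relayed to a victim on the lookalike page."""
    challenge = secrets.token_bytes(32)
    return rp_verify_assertion(browser_get_assertion(PHISHING_ORIGIN, challenge), challenge)


def verify_tampered_relay() -> Tuple[bool, str]:
    """Origin and rpIdHash patched to look right; the signature no longer covers them."""
    challenge = secrets.token_bytes(32)
    stolen = browser_get_assertion(PHISHING_ORIGIN, challenge)
    forged_client_data = json.dumps({"type": "webauthn.get",
                                     "challenge": b64url(challenge),
                                     "origin": EXPECTED_ORIGIN}).encode()
    forged_auth_data = hashlib.sha256(RP_ID.encode()).digest() + stolen["authenticatorData"][32:]
    return rp_verify_assertion({"clientDataJSON": forged_client_data,
                                "authenticatorData": forged_auth_data,
                                "signature": stolen["signature"]}, challenge)
```

The order of checks matters for logging: a relay shows up as an origin mismatch with the lookalike domain in the reason string, which is the signal worth alerting on, while a patched assertion only fails at the signature step.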
The hard parts nobody talks about in the demos
Recovery is the real engineering problem. A passkey on a lost phone is gone unless it was synced to a cloud provider. Apple syncs to iCloud Keychain, Google syncs to Google Password Manager, Microsoft syncs to whatever platform account the device is bound to. Enterprises often do not allow personal cloud sync, which means you need a recovery flow.
- Enrollment from a second device under attestation, gated by a manager approval step.
- Backup security key (YubiKey-style) issued at hire, stored in a desk drawer or safe.
- Helpdesk-mediated recovery with strong identity proofing, ideally video plus government ID.
- Time-boxed recovery codes for out-of-band scenarios, rotated quarterly.
We have seen all four. The YubiKey-as-backup pattern is the cleanest if procurement can stomach the $50 per employee. Manager-approved second-device enrollment scales better.
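The fourth option, time-boxed recovery codes, is the one most teams end up writing themselves, so here is an added example (not code from the article or from BIPI) of how to store and redeem them safely: plaintext exists only at issue time, the server keeps salted PBKDF2 hashes, each code is single-use, and a whole batch expires together so re-issuing it is the quarterly rotation. The 90-day lifetime, the eight-code batch size and the in-memory dict standing in for a user record are assumptions.

```python
"""Time-boxed, single-use recovery codes stored as salted hashes (added example).

Assumptions: 90-day batch lifetime, eight codes per batch, in-memory storage.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

CODE_TTL_SECONDS = 90 * 24 * 3600   # assumption: one quarter
PBKDF2_ROUNDS = 50_000


@dataclass
class RecoveryCodeRecord:
    salt: bytes
    digest: bytes
    expires_at: float
    used: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so a code read out over the phone still matches.
    return hashlib.pbkdf2_hmac("sha256", code.strip().lower().encode(), salt, PBKDF2_ROUNDS)


class RecoveryCodeStore:
    """Holds only hashes; the plaintext codes are returned once, at issue time."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                       # injectable clock for testing expiry
        self._records: Dict[str, List[RecoveryCodeRecord]] = {}

    def issue(self, user: str, count: int = 8) -> List[str]:
        """Issue a fresh batch; replacing the whole batch is the rotation step."""
        expires_at = self._now() + CODE_TTL_SECONDS
        codes: List[str] = []
        records: List[RecoveryCodeRecord] = []
        for _ in range(count):
            code = "-".join(secrets.token_hex(2) for _ in range(4))   # e.g. 3f9a-0c1d-77be-a204
            salt = secrets.token_bytes(16)
            records.append(RecoveryCodeRecord(salt, _hash_code(code, salt), expires_at))
            codes.append(code)
        self._records[user] = records
        return codes

    def redeem(self, user: str, code: str) -> Tuple[bool, str]:
        """Accept a live, unused code exactly once; one generic failure reason."""
        now = self._now()
        for rec in self._records.get(user, []):
            if rec.used or now > rec.expires_at:
                continue
            if hmac.compare_digest(_hash_code(code, rec.salt), rec.digest):
                rec.used = True
                return True, "ok"
        return False, "invalid, used, or expired"

    def unused_live_codes(self, user: str) -> int:
        """Operational check: prompt a re-issue when the count runs low or hits zero."""
        now = self._now()
        return sum(1 for r in self._records.get(user, [])
                   if not r.used and now <= r.expires_at)
```

Redeem attempts should also be rate-limited per user at the API layer; the store itself only guarantees that a leaked database does not leak usable codes and that a used or expired code never works again.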
The legacy app problem
Your modern SaaS apps speak SAML or OIDC and your IdP can front them with passkeys. Easy. The problem is the 1998-vintage Java app that does forms-based login against an LDAP backend, which your finance team uses for month-end close.
Three options, in increasing order of pain. Wrap with a reverse proxy that handles auth and injects the legacy creds. Replace the auth module if the vendor still ships updates. Replace the application. Most clients we work with end up with a long tail of 5 to 15 legacy apps that hold them at hybrid for two to three years.
The ROI is real, the security gain is enormous, but the project plan that gets you there has to start with an honest application inventory. Start there, not with the passkey vendor selection.