Analysing the needs and understanding the costs behind different regulations is a daunting and time-consuming task and Strong Customer Authentication is no different. To make things a bit easier, we’ve done the work for you by analysing how much building or buying a two-factor authentication solution would cost for you.
What is two-factor authentication?
Two-factor authentication, or 2FA, is becoming increasingly popular. The most common form of this security measure involves a user being granted access to a website or other form of application only after successfully presenting two forms of identification.
People are constantly looking for ways to protect their data from unknown individuals. 2FA is one of the most popular ways to achieve this. It protects you against a person trying to access your personal data such as ID details or financial assets.
What options do you have to maintain security?
Essentially you have two options: build and maintain a multi-layered customer authentication system in-house or deploy an Application Programming Interface (API) and use a trusted partner’s toolkit. You could also mix and match some tools, such as having the code generation part in-house and outsource the authentication value delivery portion. But this leaves you with both sides to tackle, so going either way is best.
We surveyed our customers to find out how long it takes to deploy our tools on two-factor authentication, as well as how long it would take them to build tools like ours. When these aspects are put into numbers, we reach a much better understanding of what building it yourself costs vs using a trusted provider.

Option 1: Build your own
Based on our survey, as well as our own experience, it takes 5-6 weeks of full-time developer hours to build a Minimum Viable Product for an SMS-only 2FA solution. Step up to a time-based one-time password system (which is the security standard that needs to be reached), and it will be 8-10 weeks for an MVP.
Assuming that the average cost of an in-house developer is €1,750-2,000 per week, a fully functioning in-house solution will cost €14,000 to €20,000. Add 50% if the work is outsourced and add in the ongoing maintenance you will need for the development, maintenance and inevitable improvements that need to be made once the business grows, new products, tools or markets come into play.
The technology team would also be required to maintain SMS delivery quality and manage connections to network operators. Then add the cost of sending SMS messages to variable costs and ultimately setting up the connections yourself can be much more costly as pricing varies greatly depending on the volume you send (you are much more important of a client to a mid-sized aggregator than a network operator; hence the pricing will pretty much always be better via a partner).
You’ll need to dedicate people on your tech team to maintain the two-factor authentication solution, which adds to ongoing costs. Often enough if you want real cost efficiency, you’ll need someone with some sales acumen for negotiating pricing and features and handling any restrictions new markets may impose. Markets are always in flux and pricing changes can hit pretty quickly and hard if you’re a small player.
Pros: More control over specific functionality.
Cons: Longer implementation time, larger investment, and handling all service and quality issues internally.

Option 2: Use an API from a trusted partner
The same customer survey tells us that developers dedicate 8-24 hours to deploy every verification and authentication tool available from Messente, this includes both the customer-facing toolset and all the back-end bits and pieces needed for future scalability. We have no deployment costs, so deploying the tools costs €350 to €1,200 of developer time.
Also, Messente does not charge for support and delivery quality. Account managers come as standard due to our focus on business-critical messaging, which means every message sent requires a dedicated person to manage the customer journey for peak efficiency.
Variable costs will be similar, if not less, on the SMS side of things, as we maintain much higher volumes than a single business would. We have bargaining power with higher SMS volumes and have more options for SMS routing. One-time access password costs are typically half of the SMS costs per authentication. Though SMS cost can vary between 2-factor authentication and other messaging traffic due to the former being a safer form of traffic and of higher priority (as compared to marketing messages for example that can have a 2-3x higher price and more regulations, what the content has to be and what needs to be included in the message, leading to larger message length).
While building your own 2-factor authentication solution negates the one-time password variable costs, our data shows that 70% of authentications for access are still SMS PIN codes. So, an SMS fallback option is crucial for successful 2FA adoption by the customers as there is a definite habit of using the system. SMS still has a higher reach than any other easily adoptable 2FA method. Also, the tech team would need to maintain the one-time password system and mobile app.
Pros: Significantly lower implementation time and costs, optimised SMS delivery routes by the partner, and have the partner handle any delivery quality issues.
Cons: Less control over specific functionality.

What security to choose for your business
As you can see while building your own factor authentication system gives the business more control, the benefits of using an expert company in this business far outway the cons with the biggest factors being time consumption and costs.
Two-factor authentication cost comparison
Using an Application Programming Interface from professionals in the industry will decrease the cost to the user by a significant amount especially with deployment from Messante being free. Trying to build the API yourself for your business can easily cost over €20,000 and to set up the hardware yourself properly to be secure will take countless unnecessary hours and this doesn't factor in any problems you will run into. Using experts in the industry for your business is the smart solution with the support they give minimising time and cost so you can focus on the more important parts of your business knowing your data is secure and protected.
Maintaining protection
Due diligence is still required though as it’s important to make sure all of the requirements for Strong Customer Authentication are met as well as any other related security and privacy-related regulations to truly be certain in the partner and in their ability to deliver on the multi-layered security promised.
Conclusion
Overall, leaving it to the experts with two-factor authentication makes more sense. While making your own gives you more control over functionality, Messente is completely open to customer feedback, and we build our tools to suit customer needs. This enables us to provide you with tools that both meet your requirements as well as scale to whatever business with however many users.