12 July 2026

The real cost of passwords and SMS codes — and the case for a phone tap

Passwords are a help-desk tax and SMS codes are a metered bill that keeps rising. The business case for passwordless, in numbers a CFO can follow.

Ask a security team about multi-factor authentication and you get a risk conversation. Ask finance about it and you get a cost line. Both are right, and the thing most organizations run today, passwords backed by SMS one-time codes, is expensive in both currencies at once. The bills just arrive from different departments, so nobody adds them up.

Here is the whole invoice in one place.

Passwords are a recurring help-desk tax

Every forgotten password is a support ticket, and password resets are one of the single largest categories of help-desk volume: Gartner has put 20–50% of all help-desk calls in that one bucket, and Forrester estimates the help-desk labor for a single reset at about $70. Each one costs staff time to resolve, and costs the locked-out employee productivity while they wait.

It is a cost that never ends, scales with headcount, and produces nothing: you are paying, month after month, to undo a security control getting in your own users’ way.

The second-order cost is worse: because resets are annoying, users pick weak passwords, reuse them, and write them down. That is how the expensive incidents start.

SMS codes are a metered bill that keeps climbing

Sending one-time codes by SMS turns authentication into a per-message expense:

  • You pay for every login. Each code is a billed message, and application-to- person (A2P) messaging rates have been rising, not falling. Volume scales with every user and every session.
  • International and roaming traffic is worse. Codes to users abroad hit premium rates and carrier surcharges.
  • Undelivered codes cost twice. When an SMS is delayed or never arrives, the login fails, and that failure lands right back on the help desk as another ticket, plus a frustrated user or a lost customer at the worst moment.
  • And it is the weak factor anyway. SMS can be SIM-swapped and intercepted, so you are paying a rising bill for the method attackers find easiest to beat.

The cost you only see after an incident

Breach and downtime costs dwarf the running expenses above, and weak authentication is a leading way in. IBM’s 2025 Cost of a Data Breach Report puts the global average breach at $4.44 million, and breaches that begin with compromised credentials higher still at $4.67 million. A single one can cost more than years of the help-desk and SMS lines combined. The reason those running costs are worth removing is as much about closing that exposure as trimming the monthly bill.

What a phone tap changes on the invoice

Replacing passwords and SMS codes with a hardware-bound approval on the user’s phone removes cost lines rather than shuffling them:

  • No reset tickets. Users enroll themselves in about two minutes and approve with a tap. There is no password to forget and no code to mistype, so the single largest help-desk category shrinks toward zero.
  • No per-message fees. Approvals travel as data, not billed SMS. The metered bill goes away entirely, at home and abroad.
  • Fewer failed logins. No undelivered codes means fewer support tickets and fewer abandoned sessions.
  • Lower incident exposure. A key bound to the phone’s hardware cannot be phished, copied or SIM-swapped, which removes the class of credential attacks that drives the most expensive incidents.

Where Notakey fits

Notakey is built to take those lines off the invoice without a rip-and-replace project.

  • Employees onboard themselves in about two minutes — no IT ticket per user.
  • It runs in your own infrastructure or in the cloud, over the protocols your systems already speak, so you add it to what you have rather than replacing it. See the practical guides for 2FA on a VPN over RADIUS, Windows remote desktop and Linux SSH.
  • PSD2, eIDAS and GDPR alignment is built in, so the same move that cuts cost also helps on the compliance side.

Put a number on it with a pilot

The honest way to size the saving is against your own environment: your reset volume, your SMS spend, your login failure rate. A short pilot on a real VPN or admin login gives you those numbers in a week.

Try the live demo to approve a login from your own phone in about two minutes, or request a demo and we will map your access to a pilot and help you build the business case.

← All posts

See your first passwordless login this week

A 30-minute call with an engineer, not a sales deck. We’ll map your VPN, SSO or Windows setup to a working pilot.