Two-Factor Authentication Adoption ROI Calculator

Assumptions & References

• The Annual Loss Expectancy (ALE) model follows NIST SP 800-30 risk quantification methodology: ALE = Annualised Rate of Occurrence × Single Loss Expectancy.
• Microsoft reports that 2FA blocks 99.9% of automated account-compromise attacks (Microsoft Security Blog, 2019).
• The average cost of a compromised credential is estimated at ~$4,200 per account based on IBM Cost of a Data Breach Report 2023 ($4.45M average breach / ~1,000 affected accounts as a conservative per-account proxy).
• The annual probability of account compromise without 2FA is organisation-specific; Verizon DBIR 2023 reports credentials are involved in 49% of breaches. A 10–20% per-user annual rate is a common enterprise baseline.
• Implementation and training costs vary widely; SANS Institute estimates $20–$50 per user for initial rollout including helpdesk overhead.
• This model assumes flat annual costs and savings (no discounting). For NPV analysis, apply a discount rate to each year's cash flows.
• Risk reduction is applied uniformly across all users. In practice, privileged accounts benefit disproportionately from 2FA enforcement.
• Compliance cost avoidance (GDPR fines, PCI-DSS penalties) and reputational damage are not included — the actual ROI is likely higher.