YubiKeys promise 265% ROI & 99.99% cut in breach risk
Yubico has published findings from a Total Economic Impact study by Forrester Consulting that puts a 265 percent return on investment on the use of its YubiKey security keys across a large organisation, alongside a claimed 99.99 percent reduction in exposure to breach costs from "addressable" attacks.
The research draws on interviews with decision-makers at six organisations with more than 5,000 employees. Forrester then modelled a composite organisation of 5,000 staff. The model assumes the organisation replaced traditional multi-factor authentication and one-time passwords with phishing-resistant YubiKeys.
Forrester's financial model put the net present value at USD $5.3 million over three years. It also estimated total benefits of USD $7.3 million over the same period.
Attack pressure
The study frames the shift in authentication against a backdrop of social engineering and techniques that target account recovery, session handling and staff verification processes. It argues that older forms of multi-factor authentication are less effective against MFA-bypass attempts and other forms of deception.
In the modelled organisation, Forrester found that deploying YubiKeys "effectively eliminated phishing and credential-theft risks". It calculated that this reduced risk exposure to breach costs from addressable attacks by 99.99 percent.
Yubico positioned the findings as an argument for phishing-resistant authentication in corporate environments.
"As AI-driven threats make traditional authentication methods increasingly vulnerable, this Forrester study confirms for us that phishing-resistant MFA is no longer optional - it is now a cornerstone to cyber resilience and a business accelerator," said Ronnie Manning, Chief Brand Advocate, Yubico.
Time and cost
The largest individual benefit in Forrester's breakdown related to end-user experience, which the firm valued at USD $2.2 million across three years. It said users authenticated 80 percent faster with YubiKeys than with legacy MFA in the composite organisation.
Forrester also linked the authentication change to simpler password policies. It estimated an average saving of 30 minutes per user each quarter on password updates.
Operational efficiency formed another major block of quantified benefits. The study put the value at USD $1.7 million over three years. It attributed USD $912,000 to reduced security and identity and access management labour through fewer attack investigations.
It also estimated USD $476,000 in savings from fewer help desk tickets connected to password resets. A further USD $321,000 came from retiring legacy MFA costs.
The model assigned USD $1.6 million to "strengthened security" through a reduced likelihood of a credential-based breach after removing phishing risk. It also attributed USD $1.9 million to business growth and tied this to improved brand reputation and the ability to meet customer security requirements.
Customer comments
Forrester included comments from interviewees in government, telecoms and technology roles.
"YubiKeys are a fiscally responsible way to increase your cybersecurity posture," said a Director of Information Technology and Cybersecurity for the government.
Another interviewee focused on delivery at scale.
"Yubico is easy to work with. They had the ability to deliver at the scale and velocity we needed," said a Senior Manager, Cybersecurity for telecom services.
One technology firm described a goal of moving away from passwords altogether.
"Our CEO stated that we are going to be 100 percent phishing resistant and passwordless. We had to look for what could help us achieve passwordless across the full employee lifecycle and what was 100 percent phishing resistant. The only solution that fit the bill was YubiKeys," said a Principal Identity Engineer at a technology firm interviewed for the study.
Deployment services
The report also links the use of hardware-backed authentication to wider identity programmes. It describes YubiKeys as a foundational element for organisations moving towards a Zero Trust architecture. It notes support for FIDO2/WebAuthn, smart card (PIV) and one-time passwords.
Yubico also highlighted a subscription option called YubiKey as a Service. The company said the model shifts spending from capital expenditure to operating expenditure.
The service includes a self-service ordering feature for end users. It also covers enrolment and delivery options for distributed workforces, with direct shipping to an address chosen by the user.
Yubico said it expects more organisations to assess phishing-resistant authentication as they review multi-factor authentication methods and roll out passwordless sign-in across employee populations.