How much does it cost to implement login capabilities?

There’s a lot of apps that require a login feature – mostly out of necessity for the app to work properly – but data has shown giving users the ability to personalize their experience within your app is a powerful UX strategy when used to increase your user retention.

There is, however, one major downside to including the requirement that users set up a profile before they can fully utilize your app: app abandonment due to first impressions.

If users are met with a proverbial checklist of requirements to complete before they can actually use your app, they’re much more likely to give up before proceeding. This is where implementing a login through social feature comes into play – it gives your first-time users the ability to create a profile with one tap, rather than filling out forms and fields.

So, how much does this user-retention-saving feature cost?

Honestly, not too much – it all depends on how secure you want it to be. If you use our favorite app analytics platform, Kumulos, it can take anywhere from 1-3 hours to implement a login feature with an app, depending on the complexity.

Implementing a login feature with the lowest form of security (basic authentication) can cost as little as $100 to implement. Apps that want to utilize the highest levels of security can expect a cost of $10,000 for a login feature implementation.

When it comes to the cost of implementing logins with social media, such as Facebook, or Instagram, there is no extra cost – just the addition to the time it takes to actually implement. The price of these social login features comes from labor cost – the APIs themselves are free.

Let’s look into why adding these extra layers of security can cause such a drastic change in total cost, and, if the added security is worth it in the long run.

The costs of security

There’s many different forms of security when it comes to user authentication. The costs of which can vary depending on many different factors – ranging from time to develop to the cost of physical infrastructure.

There is something important to keep in mind in regards to the cost of security: the cost of code only changes if you are implementing third party APIs that come with a price tag or subscription fee – implementing your own code to allow for security that exists in a digital space only comes with different associated costs due to one factor: time to develop.

Let’s cover those:

Basic Authentication

The least complex login method is called basic authentication. Let’s go over how user authentication (at its most basic levels) works:

1. A user enters their credentials
2. Those credentials are sent to an authentication server
3. The server will then attempt to match the credentials together
4. Upon a match, the server authorizes the user’s attempted access

This process is faster than it sounds – it happens every time you login to a website that requires your username and password, such as your bank. This process is also referred to as “logon” authentication.

Single-Sign-On (SSO)

SSO functions very similarly to logon authentication, but rather than granting access to a single server, it grants access to multiple – a lot of social media and email websites will use this feature.

While SSO is the least secure method (as it gives access to multiple servers), it works well for apps for two reasons – smartphones are generally intimately used devices, so the chances of someone physically accessing your personal information via your smartphone is diminished; and, SSO does wonders for user retention, which is a hard-fought battle for most apps.

IPSec

IPSec is the most secure form of user authentication. IPSec allows data to be encrypted and authenticated over a secure internet protocol network. In order for the user’s device to understand, and then display the correct information based on the encrypted data, a method called mutual authentication is used.

This happens at the first instance of the user logging in, and continues to happen throughout the session as cryptographic keys are exchanged over the secure server. This can be implemented in three types of data transfer: user-to-user, network-to-network, and network-to-user.

Biometrics

Biometric security is largely implemented through physical means, and utilized in mainly on-site locations, rather than remote – therefore, its most common use case is in buildings that require high amounts of security.

Current biometric capabilities include finger print scanners, voice recognition, and retinal and face scanners. These capabilities are rapidly changing and expanding into different realms of biometrics, such as heartbeat and even brain activity.

Biometric security is a high cost investment, as it requires specialized scanning equipment – because of this, its costs can greatly exceed $10,000 – this number depends heavily on the scale and amount of scanning devices required.

Token Authentication

Token authentication requires a user to physically possess a device, such as a dongle, card, or RFID chip (plus a password) in order to access a secure system. While this is a highly robust method of security, due to the requirement of both an actual device and password needed to be used to access a server or system, it mainly only works for organizations that have the infrastructure necessary to implement an extensive system such as this.

Transaction Authentication

Transaction authentication is a pretty straightforward security method. In essence, it boils down to this: If a transaction (via credit card or payment service) seems suspicious, the person making the transaction will be prompted to take extra steps in order to verify that they are indeed the person they claim to be.

While the idea of asking someone “Are you sure you are who you say you are?” Is a simple security measure to wrap your head around, the systems required to make that process possible are intricate and costly – and require a significant amount of investment in infrastructure.

This is largely due to the fact that you must first have significant amounts of data for each customer profile before you can start defining suspicious account activity, and then flagging errant transactions.

Multi-factor Authentication (MFA)

Multi-factor authentication simply means mixing two types of user authentication together into a single authentication process. For instance, the example we used for biometric authentication (requiring bio-data and a password) can be classified as MFA, or, our example of token authentication – requiring a user possess both a device and password.

Out-of-band Authentication (OOB)

Out-of-band authentication validates login requests by requiring the user to provide information that can only be accessed by a device different from the one they are currently using to log on. For example:

When you login to your car insurance website, but before you do, you receive a text message containing an access code that is only valid for a limited amount of time. You then enter that code into the website, and you finish the login process.

This is a method of security that has a very applicable use case for an app that needs a high degree of security.

The costs of not using secure login authentication

First, it’s important to get one thing clear – if your app doesn’t make use of sensitive or highly personal information, go ahead with SSO. There are options you can take to implement extra layers of security on the initial login authentication.

If your app does make use of sensitive info, however, it’s vitally important to your user retention, brand equity, and business in general to use the highest levels of security. When comparing the cost of $10,000 to the cost a negative user review and rating can do to your app’s ranking, it’s definitely worth the upfront cost.

A perfect example of this is what happened to Facebook and its reputation after the Cambridge Analytica scandal; 1 in 10 American users deleted their actual profile, and 26% of American users deleted Facebook’s app from their devices.

Their brand is irreparably ruined in the eyes of some of its former customers – 15% of users who responded to a survey conducted by market intelligence firm Creative Strategies and Techpinions said there was nothing Facebook could do to regain their trust.

This was the response to a social media company’s mishandling of user data – now just imagine what the fallout would be if your sensitive-data-based app mishandled users’ personal information.

Context is key

When budgeting for a login feature with your mobile app, it all comes down to how secure your app needs to be. Basic user authentication can be implemented for as little as $100, and IPSec can reach the realm of $10,000.