Stop Paying the Password Tax: A CFO’s Guide to Affordable Zero-Trust Access
2025-11-07 16:08:07 Author: securityboulevard.com

In 2025, stolen credentials remain the most common and fastest path into an organization’s systems. Nearly half of breaches begin with compromised logins. The 2025 Verizon Data Breach Investigations Report puts it bluntly: “Hackers don’t break in anymore, they log in.” Web application attacks have followed suit, with 88% now using stolen credentials as the entry point.

While passwordless solutions promised a way out, most fail to fix the core issue. Keys that automatically sync to iCloud or Google shift trust to someone else’s infrastructure, leaving organizations dependent on a third-party cloud to protect their access layer. It is, in essence, merely passwords dressed in a more sophisticated guise.


The cost of staying put is steep. Gartner and Forrester estimate up to 50% of IT help-desk tickets involve password resets. For many enterprises, that means hundreds of thousands of dollars lost each year to outdated access methods.

Zero-trust, properly implemented, changes the game. It keeps the authentication key with the user — no replicas housed in the cloud and no overarching master override — eliminating a key point of failure while cutting ongoing password-related costs.

Why Zero-Trust is the New Security Benchmark

Zero-trust is more than a buzzword. Defined in NIST Special Publication 800-207 (a U.S. National Institute of Standards and Technology framework that defines the principles and architecture of zero-trust security) as “never trust, always verify,” it rethinks security from the ground up. No device, user, or session is implicitly trusted; every request is continuously validated.

Mainstream passwordless approaches often miss the mark. Passkey and FIDO2 implementations that sync credentials to a vendor’s cloud shift the trust boundary off-premises. If that cloud account is compromised — as in the 2022 Retool breach — all synced credentials are exposed. Worse, many of these systems prevent administrators from auditing or overriding credentials, introducing vendor lock-in without full visibility.

For regulated sectors, the stakes are higher. Frameworks like PSD2 in Europe or the U.S. federal government’s PIV mandate require organizations to maintain full custody of authentication keys. While only a segment of entities are obligated to follow such rules, the fact that these requirements exist for certain companies underscores their role as a recognized best practice in safeguarding sensitive systems and data — a benchmark that, when voluntarily adopted, signals a mature and proactive security landscape.

When applied to identity and access management, true zero-trust means there are no cloud-stored credentials and no provider-side recovery mechanism. The organization — and only the organization — controls the keys, reducing attack surfaces and meeting the most demanding regulatory standards.

Why Zero-Trust Looks Unaffordable

Despite its clear benefits, zero-trust adoption has been slowed by budget concerns. Industry research from 2024–2025 consistently places cost among the top three barriers to implementation.

Median zero-trust rollouts run to $656,762 per organization, typically over seven to eleven months. Mid-sized companies often spend between $50,000 and $250,000.

A FedScoop survey (FedScoop is a technology-focused news and research outlet covering U.S. federal IT and cybersecurity policy) found that first-year zero-trust costs consumed up to 10% of annual IT budgets. Two-thirds of agencies expected to redirect at least 4% of their budgets from other IT or operational lines toward zero-trust initiatives, an adjustment that can mean hundreds of millions of dollars for large departments over a full transformation cycle.

However, the biggest near-term impact sits in the access layer. Starting with identity provides the fastest, most measurable ROI and a practical on-ramp to broader zero-trust.

Access and Identity — the Critical Nexus of Organizational Costs and Security Risks

The preceding section covered the investment required for zero-trust as a whole. This section turns to the equally significant, but often hidden, costs of maintaining passwords. Those costs converge most sharply at the identity layer, the point where financial drain and security exposure meet most directly.

Credential-driven breaches are the costliest to contain, averaging ten months from detection to full remediation, according to IBM’s 2024 report. During that window, attackers can pivot, escalate privileges, and extract sensitive data with minimal resistance.

From an operational standpoint, passwords remain the largest single IT support cost. We have already mentioned that roughly half of help-desk tickets involve password resets, costing $70 per reset. For a 1,000-employee organization, that “password tax” approaches $140,000 annually.

Productivity losses add to the bill. The average employee spends more than ten hours per year on password resets, recovery emails, and MFA resets. Multiplied across the workforce, this represents a measurable drag on efficiency.

Addressing identity through a zero-trust lens removes the number one exploit vector while eliminating up to half of help-desk demand, delivering both security and financial returns.

Solution: Zero-Trust Access Without Compromise or Big Spend

The key to making zero-trust affordable is to focus on identity and authentication first, and to do it without surrendering key custody.

Key custody requirements for zero-trust systems, meaning the technical and procedural conditions an organization must meet so that authentication keys are exclusively under its control, are as follows:

  • The private key for authentication is stored only on a user-controlled device, such as a hardware token, mobile token, or smart card.
  • There is no copy of the key stored by the provider, and recovery through a provider’s cloud is not possible.
  • Split-key encryption or client-side encryption ensures no single party, including the provider, can reconstruct the full credential or impersonate the user.
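The split-key requirement above, as an added example that is not code from the article or from any vendor it names: the user's device and the provider each hold one XOR share of a credential-encryption key, the provider also stores the client-side-encrypted credential, and a provider-side "recovery" with only its own share fails. Stdlib-only; the HMAC-based stream cipher with encrypt-then-MAC is a stand-in for an AEAD such as AES-GCM, and the function names are this example's own.

```python
# Added example (not the article's or any vendor's code): the provider keeps only
# an encrypted credential plus ONE XOR share of the key; the other share stays on
# the user's device. Stdlib-only; the HMAC stream cipher stands in for AES-GCM.
import hashlib
import hmac
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(key: bytes) -> tuple:
    # Distinct encryption and MAC keys derived from the combined key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:  # HMAC in counter mode
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = xor_bytes(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return xor_bytes(ct, _keystream(enc_key, nonce, len(ct)))

def enroll(credential: bytes) -> tuple:
    """Client side: generate the key, 2-of-2 XOR-split it, and give the provider
    only the ciphertext and its share. Either share alone is uniformly random."""
    key = secrets.token_bytes(32)
    device_share = secrets.token_bytes(32)
    record = {"share": xor_bytes(key, device_share), "blob": seal(key, credential)}
    return device_share, record

def user_unlock(device_share: bytes, record: dict) -> bytes:
    return open_sealed(xor_bytes(device_share, record["share"]), record["blob"])

def provider_can_recover(record: dict) -> bool:
    """Provider-side 'recovery' with only its own share must fail (no override)."""
    try:
        open_sealed(record["share"], record["blob"])
        return True
    except ValueError:
        return False
```

The same property that blocks the provider also means a lost device share is unrecoverable, which is why the article insists on an organization-controlled recovery workflow.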

In practice, an organization can enforce these key custody principles while moving toward a zero-trust access model through the following deployment choices:

  • Deploy enterprise-grade FIDO2 tokens locally, with cloud synchronization disabled, to ensure keys remain under organizational control.
  • Use on-premises systems with smart cards or hardware security modules (HSMs) to store credentials entirely within the organization’s infrastructure.
  • Leverage distributed-key platforms, such as WWPass, architected so the authentication provider never possesses the complete key or decrypted credentials, with no master override in existence.

Why does this particular approach meet the zero-trust baseline? With no provider, admin, or cloud override, there is no single point of implicit trust. These models also align closely with compliance regimes such as PSD2, HIPAA, and PIV, all of which require that authentication factors be stored locally and remain unrecoverable by any third party. In addition, by keeping recovery processes entirely within the organization’s control, these approaches sidestep the pitfalls of vendor lock-in, ensuring long-term flexibility and autonomy.

What about integration and rollout? Password-based systems are notorious for lengthy, costly, and disruption-heavy deployments, but zero-trust access done right need not follow that pattern. Solutions can be delivered as SaaS, as a deployable Azure image, or via on-premises installation, offering flexibility to align with both budget and operational preferences. Integration typically uses standard protocols such as OAuth2 or OIDC, which helps minimize disruption to existing applications and workflows while accelerating time to value.

When it comes to trade-offs and operational considerations, certain realities must be acknowledged. Lost tokens cannot be “magically” reset by a cloud provider; therefore, organizations must implement clear and secure recovery workflows for lost credentials. Onboarding processes, token issuance, and user support logistics should be carefully planned to ensure smooth adoption. Likewise, initial investments in user education and process documentation typically pay off in faster assimilation and reduced support overhead.

By starting with zero-trust at the access layer and ensuring keys are user-controlled, organizations can strengthen their security posture, meet compliance obligations, and cut recurring costs, without the multi-million-dollar transformation budgets often associated with zero-trust.

Conclusion

Zero-trust does not need to be an all-or-nothing overhaul; the most immediate ROI comes from starting with identity and access management.

If you’re planning to go zero-trust in your organization, the general path forward is the following: begin by auditing password-reset volumes, pilot programs that put authentication keys entirely in the hands of users, and design a secure, well-documented recovery workflow. Then measure the tangible reductions in help-desk tickets and phishing exposure. With that empirical evidence in hand, you can extend zero-trust principles methodically, layer by layer.

For CFOs, this represents an opportunity to eliminate the costly burden of the password tax, reclaim valuable budget, and channel resources into security measures that deliver measurable and lasting impact.


Source: https://securityboulevard.com/2025/11/stop-paying-the-password-tax-a-cfos-guide-to-affordable-zero-trust-access/