The Economics of AI Fraud and the ROI of Device Binding

Written by
Maranda Manning
Published on
November 26, 2025

TLDR

Generative AI has pushed the cost of committing fraud toward zero while massively increasing scale. Credential stuffing runs at industrial volumes and deepfakes are now good enough to pass video calls. Losses have surged into the tens of billions. Cryptographic device binding and device-bound passkeys break the attacker’s math by removing reusable credentials, resisting phishing, and cutting OTP and help desk costs. For most fintechs, moving high-risk flows to device-bound passkeys delivers a fast, measurable ROI.

Why AI has changed the fraud math

Attacks that once took a skilled operator hours now take minutes with off-the-shelf tooling. Commodity combo lists, residential proxies, and CAPTCHA-solving APIs have made credential stuffing cheap and continuous, with Akamai counting roughly 26 billion attempts every month in 2024 and rising.

AI also makes social engineering more convincing. In one widely reported case, a Hong Kong finance employee joined a video conference in which every other participant, including the company's CFO, was a deepfake, and then wired about 25 million US dollars. The amount was unusual; the method was not. It illustrates how synthetic voice and video lower the cost of believable impersonation at scale.

The macro picture is stark. The FBI's Internet Crime Complaint Center logged more than 16 billion dollars in reported losses in 2024, up about one third year over year. The FTC separately reported 12.5 billion dollars in consumer fraud losses in 2024, with a larger share of the people who reported a scam saying they lost money to it. Both figures count only what victims report, so the true totals are higher.

Where the money leaks

Phishing and stolen credentials drive a large share of breaches and account takeovers. Verizon’s 2024 DBIR again highlights the central role of credential misuse and phishing in real-world incidents.

Credential stuffing remains an especially costly vector. It is cheap to run, scales globally, and the downstream impact ripples into refunds, chargebacks, stored value theft, and support costs long after the login event. IBM's 2024 Cost of a Data Breach study puts the average cost of a breach that began with stolen or compromised credentials in the multimillion-dollar range.

For social engineering, deepfakes increase both the success rate and the feasible ticket size, shifting the expected value of a scam. Case studies show eight-figure losses from a single well-executed call.

How device binding changes incentives

Device binding ties authentication and session continuity to a private key that is generated on, and never leaves, a specific user device. The server stores only the public key and verifies signatures over fresh challenges, so there is no shared secret to steal from a database, phish from a user, or replay from another device.

NIST's latest 800-63 guidance (revision 4 of SP 800-63B) is clear on phishing resistance. Authenticators whose output a user can read and retype, such as SMS OTP and other out-of-band OTPs, are not phishing resistant: the code is not bound to the verifier's identity, so a look-alike site can collect it and relay it to the real service within its validity window. Phishing-resistant authenticators use public-key cryptography with verifier name binding, which is why a WebAuthn credential registered for one origin will not produce a valid assertion for another.

Passkeys implement that model for users. Major platforms have shipped passkeys broadly, with Google enabling them across millions of Workspace accounts and pushing device-bound session credentials to harden sessions after login.

Device Bound Session Credentials (DBSC) extend the same idea past login. The browser generates a per-session key pair, kept in the device's TPM or equivalent hardware where available, and the server periodically challenges the browser to sign with it before issuing a fresh short-lived cookie. A cookie lifted by an infostealer therefore expires and cannot be refreshed from the attacker's machine, which removes the payoff from cookie theft in AI-assisted account takeover chains.

The operational cost side of the ROI

The fraud benefits are matched by direct cost reductions:

  • OTP delivery costs. Twilio's published US SMS rate is about $0.0083 per segment before carrier pass-through fees. At scale, resends, multi-segment messages, and international routes push this higher. Replacing a portion of OTP traffic with passkeys cuts a recurring line item immediately.

  • Help desk and recovery. Forrester has long estimated around $70 per password reset, and Gartner data suggests 20 to 50 percent of help desk call volume is password related. Device-bound passkeys reduce reset tickets and eliminate many step-ups that trigger support.

  • Fewer account-takeover cleanups. Microsoft has stated that MFA blocks more than 99.9 percent of automated account compromise attempts; phishing-resistant methods improve on that by removing OTP phishing, real-time relay, and push fatigue from the equation.

A simple ROI model you can run

Assume a consumer fintech with 8 million monthly sign-ins. Today, 30 percent use OTP step-ups due to risk or device changes. That is 2.4 million OTPs.

Direct OTP spend at $0.0083 per SMS segment, excluding carrier surcharges and resends, is about $19,920 per month or $239,040 per year. If passkeys and device binding reduce OTP utilization by 70 percent across those flows, that is roughly $167,000 in annual messaging savings before you count international fees or resends.

Now factor support. Suppose authentication issues generate 6,000 tickets per month and 30 percent disappear with passkeys and device binding. That is 1,800 fewer tickets a month; at $70 each, it is $126,000 per month, or about $1.5 million in annual support savings.

Finally, reduce account takeover losses and write-offs. If your credential-stuffing and social engineering losses total $5 million annually and phishing-resistant authentication plus DBSC cut those by even 15 percent, that is $750,000 of preserved margin. Combine these and the first-year benefit, roughly $2.4 million on these inputs, typically surpasses the integration cost by a wide margin.
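The model above in parameterised form, as an added example rather than a calculator from the article or its author. Defaults are the article's figures; the resend rate, international share, international price multiplier and integration cost are assumptions added so the model can be re-run with your own numbers (leave them at zero or one to reproduce the article's arithmetic).

```python
"""Parameterised ROI model for replacing SMS OTP with device-bound passkeys.

Added example; not the article's own tooling. Defaults reproduce the article's
worked numbers. retry_rate, intl_share, intl_multiplier and integration_cost
are assumed inputs so the model can be stressed with real data.
"""


def roi_model(monthly_signins=8_000_000, otp_step_up_rate=0.30, sms_cost=0.0083,
              retry_rate=0.0, intl_share=0.0, intl_multiplier=1.0,
              otp_reduction=0.70, monthly_tickets=6_000, ticket_reduction=0.30,
              ticket_cost=70.0, annual_ato_loss=5_000_000, ato_reduction=0.15,
              integration_cost=0.0):
    """Return the annual savings lines, their total and the payback period."""
    # OTPs actually sent: step-ups plus resends (retry_rate is resends per OTP).
    otps_per_month = monthly_signins * otp_step_up_rate * (1 + retry_rate)
    # Blend the domestic segment price with the assumed international premium.
    blended_cost = sms_cost * ((1 - intl_share) + intl_share * intl_multiplier)
    otp_spend_year = otps_per_month * blended_cost * 12

    sms_savings = otp_spend_year * otp_reduction
    support_savings = monthly_tickets * ticket_reduction * ticket_cost * 12
    ato_savings = annual_ato_loss * ato_reduction
    total = sms_savings + support_savings + ato_savings
    # Months of savings needed to recover the (assumed) one-off integration cost.
    payback_months = integration_cost / total * 12 if total else float("inf")
    return {
        "otp_spend_year": otp_spend_year,
        "sms_savings": sms_savings,
        "support_savings": support_savings,
        "ato_savings": ato_savings,
        "total_savings": total,
        "payback_months": payback_months,
    }


def sensitivity(param, values, **fixed):
    """Total annual savings as one input sweeps; every other input held fixed."""
    return {v: roi_model(**{param: v}, **fixed)["total_savings"] for v in values}


if __name__ == "__main__":
    base = roi_model(integration_cost=1_200_000)  # integration cost is assumed
    for key, value in base.items():
        fmt = "{:.1f}" if key == "payback_months" else "{:,.0f}"
        print(f"{key:>16}: {fmt.format(value)}")
    # The ATO reduction is the least certain input, so sweep it first.
    for cut, total in sensitivity("ato_reduction", [0.05, 0.15, 0.30]).items():
        print(f"ATO cut {cut:.0%}: total savings ${total:,.0f}")
    # International routes change the SMS line materially; stress that too.
    intl = roi_model(intl_share=0.2, intl_multiplier=8.0, retry_rate=0.15)
    print(f"with 20% intl at 8x and 15% resends: SMS savings ${intl['sms_savings']:,.0f}")
```

Run it as-is to reproduce the figures above, then replace the defaults with your own OTP volume, ticket counts and loss history; the sensitivity sweep shows which input your business case actually depends on.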

Why the ROI holds in regulated financial flows

Device-bound passkeys meet the phishing-resistance requirements in current guidance and avoid the OTP pitfalls above. They also shorten the authentication path, which lifts legitimate completion rates and lowers abandonment in high-value actions like linking a bank account, moving funds, or completing a 3-D Secure (3DS) challenge. FIDO case studies report lower support volume and smoother UX after passkey adoption, reinforcing the operational side of the ROI.

Practical steps to capture the value

Start with the riskiest and costliest flows:

  • Bind devices and roll out passkeys for sign-in and step-up. Prioritize customer-facing web and app logins where you see OTP drop-offs and account takeover attempts. Use synced passkeys for convenience, and use policy to require a device-bound credential for high-risk actions; WebAuthn's authenticator data reports whether a credential is backup eligible, so the server can tell the two apart at assertion time.

  • Harden sessions with device-bound credentials. DBSC removes the payoff from cookie theft that slips past initial authentication. Pair it with server-side detection of sessions that resume from an unexpected device or network, the trace an infostealer's replayed cookie leaves behind.

  • Keep OTP as an exception path, not the default. Track OTP volume, resend rates, and international surcharges so reductions show up on the P&L. Use policy to avoid unnecessary OTP triggers when a device-bound key is present.

  • Measure end to end. Instrument enrollment, success rates, fallback usage, ticket volume, and fraud outcomes. Expect a short tuning period, then steady savings across fraud losses, SMS spend, and support tickets.
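The first step above (device-bound passkeys with a policy gate for high-risk actions) and the verifier binding described under phishing resistance come together in the relying party's assertion checks. The following is an added example using only the Python standard library, not code from the article or from any FIDO or WebAuthn library; the RP ID bank.example, the origin, the challenge and the sample assertions are constructed for illustration. It performs the origin, RP ID hash, challenge, flag and counter checks from the WebAuthn authentication ceremony and returns the byte string the authenticator signed; verifying the signature over that string with the credential's registered public key is the final step and is left to your crypto library.

```python
"""Relying-party checks on a WebAuthn assertion: origin binding (phishing
resistance) and the backup-eligible flag (synced vs device-bound passkey).

Added example, standard library only. RP_ID, EXPECTED_ORIGIN, CHALLENGE and the
fixtures from make_sample() are constructed, not captured from a real browser.
Signature verification over the returned signed_payload is not included.
"""
import base64
import hashlib
import json
import struct

RP_ID = "bank.example"                    # assumed relying party ID
EXPECTED_ORIGIN = "https://bank.example"  # assumed origin the RP serves from

# Flag bits in the authenticator data (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN)
FLAG_BE = 0x08  # backup eligible: the private key can be synced to other devices
FLAG_BS = 0x10  # backup state: the private key is currently backed up


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: bytes, stored_sign_count: int,
                    high_risk: bool) -> dict:
    """RP-side ceremony checks plus one policy rule: high-risk actions need a
    device-bound (BE=0) passkey. Returns failure reasons (empty on success)
    and the bytes the authenticator signed for the caller's signature check."""
    reasons = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        reasons.append("wrong ceremony type")
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        reasons.append("challenge mismatch (replay or stale request)")
    # The browser fills in the origin and the signature covers it through
    # SHA-256(clientDataJSON), so a look-alike site cannot produce a valid one.
    if client.get("origin") != EXPECTED_ORIGIN:
        reasons.append(f"origin {client.get('origin')!r} is not {EXPECTED_ORIGIN!r}")

    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        reasons.append("rpIdHash does not match our RP ID")
    if not parsed["user_present"]:
        reasons.append("user presence not asserted")
    if high_risk and not parsed["user_verified"]:
        reasons.append("user verification required for high-risk action")
    if high_risk and parsed["backup_eligible"]:
        reasons.append("synced passkey; device-bound credential required")
    # A non-increasing non-zero counter suggests a cloned authenticator;
    # synced passkeys usually report 0, which skips this check by design.
    if parsed["sign_count"] and stored_sign_count and parsed["sign_count"] <= stored_sign_count:
        reasons.append("signature counter did not increase (possible clone)")

    signed_payload = auth_data + hashlib.sha256(client_data_json).digest()
    return {"ok": not reasons, "reasons": reasons, "flags": parsed,
            "signed_payload": signed_payload}


def make_sample(origin: str, challenge: bytes, flags: int, sign_count: int):
    """Build a clientDataJSON / authenticatorData pair the way a browser and
    authenticator would for the given origin (constructed test fixture)."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                         "origin": origin, "crossOrigin": False}).encode()
    auth = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return client, auth


CHALLENGE = b"\x01" * 32  # constructed; real challenges come from os.urandom

if __name__ == "__main__":
    # 1. Device-bound passkey (BE=0) on the real origin: passes high-risk policy.
    c, a = make_sample(EXPECTED_ORIGIN, CHALLENGE, FLAG_UP | FLAG_UV, 6)
    print(check_assertion(c, a, CHALLENGE, 5, high_risk=True)["ok"])
    # 2. Same assertion relayed through a look-alike origin: rejected on origin.
    c, a = make_sample("https://bank-example.com", CHALLENGE, FLAG_UP | FLAG_UV, 6)
    print(check_assertion(c, a, CHALLENGE, 5, high_risk=True)["reasons"])
    # 3. Synced passkey (BE=1, BS=1): fine for sign-in, refused for a transfer.
    c, a = make_sample(EXPECTED_ORIGIN, CHALLENGE, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(check_assertion(c, a, CHALLENGE, 0, high_risk=False)["ok"])
    print(check_assertion(c, a, CHALLENGE, 0, high_risk=True)["reasons"])
```

The origin check is where phishing resistance actually lives on the server side: the relayed assertion in case 2 is signed by a genuine authenticator, yet it fails because the signed clientDataJSON names the wrong origin. The BE flag check is how "require a device-bound option for high-risk actions" becomes an enforceable rule rather than a user-facing preference.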

Positioning device-bound passkeys as a high ROI security investment

Fraudsters thrive when stolen secrets can be replayed and when humans have to spot perfect fakes. Device binding replaces reusable secrets with cryptographic proof and shrinks the human factor in everyday authentication. That combination raises attacker costs and lowers yours. In today’s AI-accelerated threat landscape, that is the kind of compounding advantage product, growth, and risk teams need.

Sources

FBI IC3 2024 Internet Crime Report: https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
FBI press release summary of 2024 losses: https://www.fbi.gov/news/press-releases/fbi-releases-annual-internet-crime-report
FTC press release on 2024 consumer fraud losses: https://www.ftc.gov/news-events/news/press-releases/2025/03/new-ftc-data-show-big-jump-reported-losses-fraud-125-billion-2024
Verizon 2024 Data Breach Investigations Report (DBIR): https://www.verizon.com/business/resources/Te0/reports/2024-dbir-data-breach-investigations-report.pdf
Akamai State of the Internet, credential stuffing context: https://www.akamai.com/security-research/the-state-of-the-internet
Analysis citing 26 billion attempts per month: https://www.iddataweb.com/credential-stuffing-attacks/
IBM 2024 Cost of a Data Breach reference via analysis: https://www.humansecurity.com/learn/blog/credential-stuffing-and-account-takeover-attacks-remain-nagging-business-problems
Deepfake 25 million dollar Hong Kong case coverage (Financial Times): https://www.ft.com/content/b977e8d4-664c-4ae4-8a8e-eb93bdf785ea
Help Net Security coverage of the same case: https://www.helpnetsecurity.com/2024/02/05/deepfake-video-conference-call/
NIST SP 800-63B phishing-resistant guidance: https://pages.nist.gov/800-63-4/sp800-63b.html
Authenticator section: https://pages.nist.gov/800-63-4/sp800-63b/authenticators/
Google Workspace on passkeys and DBSC: https://workspace.google.com/blog/identity-and-security/defending-against-account-takeovers-top-threats-passkeys-and-dbsc
Chromium blog on DBSC: https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html
Chrome developers overview: https://developer.chrome.com/docs/web-platform/device-bound-session-credentials
W3C working draft on DBSC: https://www.w3.org/news/2025/first-public-working-draft-device-bound-session-credentials/
FIDO Alliance white paper on replacing passwords and OTP with passkeys: https://fidoalliance.org/white-paper-displace-password-otp-authentication-with-passkeys/
Enterprise deployment guidance: https://fidoalliance.org/white-paper-fido-deploying-passkeys-in-the-enterprise-introduction/
FIDO case study showing support reduction after passkey rollout: https://fidoalliance.org/branch-enhances-security-and-user-experience-with-passkey-implementation/
Twilio US SMS pricing page with per-segment rates and carrier fees: https://www.twilio.com/en-us/sms/pricing/us
Microsoft on MFA blocking most account compromise: https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
Password reset cost and volume references (HYPR): https://blog.hypr.com/how-much-does-a-password-reset-cost
ManageEngine on the cost of self-service password reset: https://www.manageengine.com/products/self-service-password/blog/mfa/how-much-does-sspr-cost-your-organization.html
