I would assume (hope?) that when you have an OTP token, you get two factor authentication and don't stop needing a password. You would need a password either to unlock the OTP device or to enter alongside the OTP value. Otherwise, someone who finds your token can impersonate you.
Assuming that's true, OTP tokens add costs by introducing new failure modes (e.g., I lost it, I ran it through the washing machine, etc.). I suspect a similar study would find that the cost of the OTP token would be $500-$700/yr. even if the device itself only cost $5. After all, passwords are free!

--Charlie

-----Original Message-----
From: owner-cryptogra...@metzdowd.com [mailto:owner-cryptogra...@metzdowd.com] On Behalf Of Peter Gutmann
Sent: Thursday, February 19, 2009 5:36 AM
To: cryptography@metzdowd.com
Subject: The password-reset paradox

There are a variety of password cost-estimation surveys floating around that put the cost of password resets at $100-200 per user per year, depending on which survey you use (Gartner says so, it must be true).

You can get OTP tokens for as little as $5. Barely anyone uses them. Can anyone explain why, if the cost of password resets is so high, banks and the like don't want to spend $5 (plus one-off background infrastructure costs and whatnot) on a token like this?

(My guess is that the password-reset cost estimates are coming from the same place as software and music piracy figures, but I'd still be interested in any information anyone can provide).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
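The point made at the top of the thread, that a token on its own is only one factor and a found token must not be enough to log in, is easy to see in code. The following is an added example, not code from either poster: an RFC 4226 HOTP token paired with a server-side check that requires a PIN as well. The class and function names, the look-ahead window of 5, the PBKDF2 parameters and the demo PIN are all assumptions of this example; the token secret is the RFC 4226 Appendix D test secret so the codes are reproducible.

```python
"""Added example: HOTP token (RFC 4226) as one factor, PIN as the other.
Illustrates that possession of the token alone, or knowledge of the PIN alone,
does not authenticate, and that an accepted code cannot be replayed."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The physical OTP token: a shared secret and a press counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Account:
    """Server-side record (constructed for this demo, not a real schema):
    salted PIN hash, the token's secret, and the next counter we expect."""

    LOOKAHEAD = 5  # unused presses tolerated before the server stops resyncing

    def __init__(self, pin: str, token_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = self._hash_pin(pin, self.salt)
        self.token_secret = token_secret
        self.counter = 0

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # Parameters are illustrative; a real deployment would tune them
        # and add lockout, since a PIN space is small.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def login(self, pin: str, otp: str) -> bool:
        # Knowledge factor. Both factors are evaluated before deciding so a
        # failed attempt does not reveal which one was wrong.
        pin_ok = hmac.compare_digest(self._hash_pin(pin, self.salt), self.pin_hash)

        # Possession factor: the OTP must match one of the next LOOKAHEAD
        # counter values. Anything at or below the stored counter is a replay.
        matched = None
        for c in range(self.counter, self.counter + self.LOOKAHEAD):
            if hmac.compare_digest(hotp(self.token_secret, c), otp):
                matched = c
                break

        if pin_ok and matched is not None:
            self.counter = matched + 1  # consume the code and resync
            return True
        return False


def demo() -> dict:
    """Runs the scenarios from the thread and returns accept/reject per case."""
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    acct = Account(pin="4831", token_secret=secret)
    token = Token(secret)
    results = {}

    first_code = token.press()                                  # counter 0
    results["pin_and_token"] = acct.login("4831", first_code)   # legitimate
    results["token_only"] = acct.login("0000", token.press())   # found token, no PIN
    results["pin_only"] = acct.login("4831", "123456")          # PIN, no token
    results["resync_after_drift"] = acct.login("4831", token.press())  # counter 2, in window
    results["replay"] = acct.login("4831", first_code)          # already consumed
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} {'ACCEPT' if accepted else 'reject'}")
```

The `token_only` case is the one the thread worries about: the attacker produced a perfectly valid HOTP value, and it is still rejected because the PIN did not match. Note that a wasted press by the attacker advanced the token's counter without advancing the server's, which is why the look-ahead window exists and why `resync_after_drift` still succeeds.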