On Fri, 20 Feb 2009 02:36:17 +1300
pgut...@cs.auckland.ac.nz (Peter Gutmann) wrote:

> There are a variety of password cost-estimation surveys floating
> around that put the cost of password resets at $100-200 per user per
> year, depending on which survey you use (Gartner says so, it must be
> true).
> You can get OTP tokens for as little as $5.  Barely anyone uses them.
> Can anyone explain why, if the cost of password resets is so high,
> banks and the like don't want to spend $5 (plus one-off background
> infrastructure costs and whatnot) on a token like this?

Because then you need PIN resets, lost token handling, and "my token
doesn't work and I'm on a trip and my boss will kill me if I don't get
this done" resets.  I've personally had to deal with two of the three,
and it was just as insecure as password resets....

                --Steve Bellovin, http://www.cs.columbia.edu/~smb

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com