"Owen" == Owen DeLong <owen@delong.com> writes:
Owen> I don't think the average user has a smart card reader at home.

They don't need readers. The devices in question support a (supposedly :) secure challenge-response system. With some devices, the web site would display the challenge, the user would enter that into their device, the device displays a response, and the user uses that response as their passwd for that login. With others, the passwd the device displays varies with time rather than any input. The challenge in that case is implicitly the current date/time of the login attempt.

The downside of course is that you have yet another small, losable device to keep track of. (And to carry around if you want to log in while traveling.)

Security as always is a HARD problem. People just hate to bother until the risk hits some magic barrier. Businesses of course have fewer risk protection laws on their side, so adding secure features for business customers will always be easier than adding them for typical consumers. Especially in places like the US where the consumer protection laws are so strong. OTOH, any business in real competition for consumers will eat small losses as part of their advertising/marketing budget....

-JimC
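The two device types described in the message above, sketched as an added example that is not part of the original post: it assumes the token and the site share a secret and derive codes with HMAC-SHA1 and RFC 4226 truncation (real devices may use other algorithms), and every function name, the 6-digit length and the 30-second window are assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 6   # length of the code shown on the device (assumed)
STEP = 30    # seconds per time window (assumed)

def token_response(secret: bytes, challenge: bytes) -> str:
    """What the device displays for a challenge: a truncated HMAC-SHA1."""
    mac = hmac.new(secret, challenge, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def time_code(secret: bytes, counter: int) -> str:
    """Time-based device: the challenge is implicitly the time-window number."""
    return token_response(secret, struct.pack(">Q", counter))

def verify_challenge(secret, challenge, response, used_challenges):
    """Site side: accept one response per issued challenge, so a captured
    challenge/response pair cannot be replayed."""
    if challenge in used_challenges:
        return False
    ok = hmac.compare_digest(token_response(secret, challenge), response)
    if ok:
        used_challenges.add(challenge)
    return ok

def verify_time(secret, response, now, last_counter=-1, drift=1):
    """Site side: tolerate +/- drift windows of clock skew and refuse any
    window already used. Returns the matched window number, or None."""
    current = int(now) // STEP
    for counter in range(max(0, current - drift), current + drift + 1):
        if counter > last_counter and hmac.compare_digest(
                time_code(secret, counter), response):
            return counter
    return None

if __name__ == "__main__":
    secret = b"12345678901234567890"             # constructed shared secret
    used = set()
    resp = token_response(secret, b"483920")     # constructed challenge
    print(verify_challenge(secret, b"483920", resp, used))   # first use
    print(verify_challenge(secret, b"483920", resp, used))   # replay
    print(verify_time(secret, time_code(secret, 59 // STEP), now=75))
```

The site stores the returned window number as `last_counter` for that user, which is what makes a time-based code single-use inside its validity window.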