Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can't be SIM swapped

brotherelf

Re: OMG !

Software costs money, too. (My "favourite" example is a purveyor of fine almost-never-breachable(tm) VPN solutions, a veritable fortiress of data security, who is very proud that they support RFC-compliant *OTP. Well yes, but the way to import the shared secrets is dongled to hell and back, so they still get to charge you money for nothing and you can't bring your own *OTP app.)

That being said, as with everything else in security, it's a tradeoff consideration. Would my elreg account warrant authentication by blood sample? Hardly. Can you afford to lose all customers who can't/won't use smartphones? Along with all using smartphones (authenticator and service app on the same device weakens security)? What's your fallback to re-authenticate when the 2nd factor is lost? If it involves a phone line, you've gained nothing. If it involves postal mail or physical presence, it will be slow.
