The reason you can get away with a 4 digit PIN is that you can only try the PIN if you’re in physical possession of the card. And if an attacker is already in physical possession of the card, you want to revoke the card in any case.
Web sites however, cannot just revoke the username - it would allow for trivial denial of service attacks. I could just enumerate all account numbers for my bank and lock out all customers. So the best that’s available is a temporary lockout, and then the attacker gets to try again.
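The temporary-lockout policy the comment describes, as an added example that is not part of the original post: a per-username failure counter whose lock expires on its own (so a deliberate flood of bad logins can only delay the real user, not revoke them), plus a small model of what that buys against an online guesser. The thresholds (5 failures, 15-minute lock), the `victim`/`alice` usernames and the `TemporaryLockout` class are assumptions for illustration.

```python
"""Temporary account lockout, an added illustration (not from the original thread)."""
import time
from collections import defaultdict


class TemporaryLockout:
    """Per-username failure counter with a fixed-length temporary lock.

    Unlike a permanent revoke, the lock clears after `lockout_seconds`, so an
    attacker who deliberately fails logins can only delay a user, not lock
    them out for good. The cost is that the attacker gets to try again once
    the window passes. `clock` is injectable so the policy can be exercised
    without sleeping. Thresholds below are assumed values for the example.
    """

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.locked_until = {}             # username -> clock time the lock expires

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: clear it and start the failure count afresh.
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def record_failure(self, username):
        """Count a failed attempt; returns True if the account is now locked."""
        if self.is_locked(username):
            return True
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, username):
        self.failures[username] = 0
        self.locked_until.pop(username, None)

    def attempt(self, username, secret_ok):
        """Gate a login: returns 'locked', 'ok' or 'bad'."""
        if self.is_locked(username):
            return "locked"
        if secret_ok:
            self.record_success(username)
            return "ok"
        self.record_failure(username)
        return "bad"


def worst_case_seconds_to_exhaust(space_size, max_failures, lockout_seconds):
    """Time for a single-account online guesser to try every secret, assuming
    guesses within a window are instant and each further window costs one lockout."""
    windows = -(-space_size // max_failures)   # ceiling division
    return (windows - 1) * lockout_seconds


def simulate_guesser(space_size, max_failures, lockout_seconds):
    """Run a guesser that cycles through every secret against one account
    under the policy; returns (attempts_made, elapsed_seconds)."""
    now = [0.0]
    policy = TemporaryLockout(max_failures, lockout_seconds, clock=lambda: now[0])
    tried = 0
    while tried < space_size:
        if policy.is_locked("victim"):          # "victim" is a constructed username
            now[0] = policy.locked_until["victim"]   # wait out the lock
            continue
        policy.attempt("victim", secret_ok=False)
        tried += 1
    return tried, now[0]


if __name__ == "__main__":
    # A 4-digit PIN space (10,000 values) under 5 tries per 15-minute lock:
    # the lock throttles the guesser to a few weeks rather than stopping it,
    # which is why a 4-digit secret is only acceptable with the card in hand.
    print(worst_case_seconds_to_exhaust(10_000, 5, 900) / 86400, "days")
    print(simulate_guesser(10_000, 5, 900))
```

The simulation and the closed-form estimate agree: with 5 guesses per 15-minute window a 10,000-value PIN space is exhausted in about 21 days, so the temporary lock bounds the guess rate but, as the comment says, the attacker still gets to try again.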