Here’s an ignorant question. I see this comment all the time, that an ID and PIN is exactly the same as a longer ID, but is it actually true?

I get the logic of it, but in a practical sense doesn’t it have the potential to be different? For example, if you have to enter a correct ID, wait, and then get prompted for a password, couldn’t that potentially slow down an attacker?

Alternately, couldn’t a bunch of correct meeting ID’s followed by incorrect PINs present an opportunity to flag the ID as under attack, or give a prompt to a host that would spur inquiry, or something?

Perhaps I’m wrong about this but it seems like there are some non trivial differences between the two.