Greg:
You must remember that everything is not as homogeneous as it could/should be. Believe it or not, there are other companies and policies as well ;D
So the question is more like: don't you have to do everything to protect your users and environments? Why allow anyone to come into your living room to try to open your safety box? In my mind, it is not right to close your eyes and offer "change your pwd policy" as the only solution. But perhaps we are such an old-fashioned company, and all the others have changed their policies :-o
Certificate authentication is a great idea (the best in my mind) and we keep our eyes open for it, but certificate management with multiple different device platforms is not an easy task.
(we haven't published OWA, so no need to compare to that)