Some years ago, we were retained by the provider of a managed PKI service to interview some of their customers (large commercial organisations) to find out how the service was going. They hated it, and it later folded. But the service wasn’t proving economic to provide anyway. The service provider had decided to issue soft certificates rather than hardware tokens because of cost, but the fact is that the soft certificates ended up costing far more.
There were two key reasons for this.
One was support costs. The soft certificates had to be reloaded every time a PC crashed or had to be swapped; they were frequently corrupted by system crashes; and because they were personal (ie, the certificate was issued to the PC user, not to the PC) they had to be moved from machine to machine, which was something users couldn’t do themselves.
The other was complexity. Explaining what certificates were and what they did — to junior staff who had no real interest in the topic (like most people!) — was near impossible. By contrast, the simple proposition "when you want to log in to the ordering system or use company e-mail, you must put in your smart card and enter your PIN" would have been significantly less expensive over the system lifetime. The moral of this story is that a $1 soft certificate does not make for a cheaper implementation than a $5 smart card and USB reader bundle.
What’s more, customers in some countries (eg, the UK) already have smart cards and PINs given to them by their banks. So adding a cheap USB reader doesn’t seem like a big deal. Since all UK chip and PIN cards will have to be re-issued as DDA (Dynamic Data Authentication) cards at some point (in some countries, such as France, the rollover has already started), they will have cryptographic co-processors that can be used by a digital signature application to provide genuine end-to-end security between the customer and their bank.
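As an added illustration (not code from the original post, and not any bank's or card vendor's implementation) of what "end-to-end security" from a card-held signing key buys, the Go program below models the card's crypto co-processor as a `CardSigner` that generates its key on-card and exposes only a sign operation; the bank issues a fresh challenge, the customer's PC assembles the transaction details, the card signs the hash, and the bank verifies against the public key it holds in the customer's certificate. The `CardSigner` type, the `Transaction` layout and the `signingInput` encoding are assumptions made for this example; a real card would be driven over PKCS#11 or APDUs and would sign inside the chip.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// CardSigner is a hypothetical model of the card's co-processor: the private
// key is generated inside the struct and never exported; only Sign is exposed.
// This stands in for the card the post describes; it is not real card code.
type CardSigner struct {
	priv *ecdsa.PrivateKey
}

// NewCardSigner "personalises" a card with a fresh P-256 key.
func NewCardSigner() (*CardSigner, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CardSigner{priv: priv}, nil
}

// Public is the part the bank records in the customer's certificate.
func (c *CardSigner) Public() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign signs a 32-byte digest; the key material stays inside the "card".
func (c *CardSigner) Sign(digest []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.priv, digest)
}

// Transaction is the payment the bank wants the customer to authorise.
type Transaction struct {
	Payee       string
	AmountPence uint64
}

// Challenge is a per-session nonce from the bank. Binding it into the signed
// message means a captured signature cannot be replayed in a later session.
type Challenge [16]byte

// NewChallenge draws a random nonce on the bank side.
func NewChallenge() (Challenge, error) {
	var ch Challenge
	_, err := rand.Read(ch[:])
	return ch, err
}

// signingInput is the canonical encoding both sides hash:
// challenge || uint32 len(payee) || payee || uint64 amount.
// Length-prefixing the payee keeps field boundaries unambiguous.
func signingInput(ch Challenge, tx Transaction) []byte {
	var lenBuf [4]byte
	var amtBuf [8]byte
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(tx.Payee)))
	binary.BigEndian.PutUint64(amtBuf[:], tx.AmountPence)
	out := make([]byte, 0, 16+4+len(tx.Payee)+8)
	out = append(out, ch[:]...)
	out = append(out, lenBuf[:]...)
	out = append(out, tx.Payee...)
	out = append(out, amtBuf[:]...)
	return out
}

// Authorise is the customer side: the PC builds the message, the card signs it.
func Authorise(card *CardSigner, ch Challenge, tx Transaction) ([]byte, error) {
	digest := sha256.Sum256(signingInput(ch, tx))
	return card.Sign(digest[:])
}

// Verify is the bank side: recompute the hash over the challenge it issued and
// the transaction it is about to execute, then check the card's signature.
// A changed amount, a changed payee or a reused signature all fail here.
func Verify(pub *ecdsa.PublicKey, ch Challenge, tx Transaction, sig []byte) error {
	digest := sha256.Sum256(signingInput(ch, tx))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match challenge and transaction")
	}
	return nil
}

func main() {
	card, err := NewCardSigner()
	if err != nil {
		panic(err)
	}
	ch, _ := NewChallenge()
	tx := Transaction{Payee: "CONSTRUCTED-PAYEE-0001", AmountPence: 12050} // constructed sample
	sig, _ := Authorise(card, ch, tx)
	fmt.Println("genuine:", Verify(card.Public(), ch, tx, sig))
	tampered := tx
	tampered.AmountPence = 1205000
	fmt.Println("tampered amount:", Verify(card.Public(), ch, tampered, sig))
}
```

Because the bank verifies over the exact transaction it will execute, malware on the PC between the card and the bank cannot alter the payee or amount after the customer has approved them without invalidating the signature; the soft-certificate equivalent offers no such guarantee, since the key file itself sits on the same compromised machine.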