A drawback of memory-hard KDFs This applies to use of memory-hard KDFs for authentication in general, it is not specific to scrypt To use a lot of RAM fast, we need to get close to the full memory bandwidth, but this means poor scalability when many concurrent instances are run Thus, we have to choose between using more RAM per instance (and using CPUs' resources poorly when there are concurrent instances) and using CPU cores more fully (but at a lower RAM setting per instance)