How Apple and Google will kill the password (computerworld.com)
40 points by ssclafani on Jan 30, 2011 | 34 comments


Mobile ID isn't anything new. In my home country (Estonia) there is already a fully functioning mobile ID system, which works with almost every mobile phone and is considered as secure as smart cards.

http://www.id.ee/public/Mobiil_ID_animation/ <<< This clip shows how it basically works.

EDIT: http://www.ria.ee/27525 <<< some more info, if anyone is interested.


Our phones would become our keys and passwords, and I am assuming they would be the devices that read our biometric ID and then allow access to other devices and services.

The only problem, and the one preventing this from becoming a real solution, is the fact that people lose and forget their phones. If I can't have access to my daily services and devices without my phone, then I am stuck in a worse position than I was before passwords.

The solution to access and protection shouldn't come from a change in the key, but a change in the lock.


Your phone is the one accessory you are most likely to be aware of.


I know many people who go through 2-4 phones a year. They always lose it at least once a year. Sometimes as often as every 3-4 months.

On the same kind of note... the keys to my apartment are the most important thing I need to grab before I leave. Yet, once every 6 weeks I leave without them. Any system has to recognize that the keys will be lost and make them fairly easy to replace.


My phone is both easier to steal and harder and more expensive to replace than my passwords. Marvelous.


So is your credit card. At least your phone can be locked.


With a 4 character password, which won't keep out anyone with a bit of free time. And remote-locking solutions are non-solutions for anyone determined and intelligent - just stick it in a Faraday cage.


I don't think much to the idea in the article, however I think it's worth pointing out that iOS can be locked with a password instead of a PIN. http://www.apple.com/support/iphone/enterprise/ http://www.9to5mac.com/14318/Alpha-numeric-Passcode-on-your-... http://wn.com/Alpha-numeric_passcode_for_iPhone [video]


I haven't heard of that one before, actually. That's interesting... and way way way more complicated than it should be to set up a better password.

Many thanks for the links, I'll certainly aim to do something like that if I ever get an iThing. Know if it encrypts the contents of your phone too, or if they do this by default? Otherwise, I'd think you could just dump the flash memory.


I think the 3GS and 4G encrypt in hardware. Also, you can set your phone to drop the key to wipe the phone if someone inputs the wrong PIN/password 10 times in a row. You don't have to worry about someone brute forcing it.


In general, a PIN works if a limited number of attempts are allowed before a lock-out is enforced.
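The two comments above (wipe the key after ten wrong PINs; a PIN is fine if attempts are limited) describe one mechanism: gate a data key behind the PIN, count failures, and erase the key when the limit is reached. The following is an added example, not code from the original thread or from iOS, and everything in it is constructed for illustration: a random data key is wrapped under a key derived from the PIN and a device secret (on a real phone that secret would be hardware-bound so the derivation cannot be run offline against a flash dump), a failure counter persists across attempts, and the wrapped key is zeroed after `MAX_ATTEMPTS` consecutive wrong PINs.

```python
"""PIN-gated key store: limited attempts, then erase the key.

Added example, not code from the original thread or from iOS. Constructed
assumptions: `device_secret` stands in for a hardware-held secret, the
attempt counter is assumed to be persisted, and the data key is wrapped
with a one-time XOR pad plus an HMAC tag derived from PIN + secret + salt.
"""
import hashlib
import hmac
import secrets
from typing import Optional

MAX_ATTEMPTS = 10
PBKDF2_ITERATIONS = 200_000


def _keys_from_pin(pin: str, device_secret: bytes, salt: bytes):
    """Derive a 32-byte wrap key and a 32-byte MAC key from PIN + device secret.

    Mixing in the device secret is what stops an attacker who dumped the
    flash from guessing the PIN offline at their own speed.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", pin.encode() + device_secret, salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PinGatedKeyStore:
    """Releases the data key only after the PIN verifies.

    The failure counter is incremented before the result is reported and
    only reset by a success, so guesses cannot be spread across reboots to
    dodge the limit; after MAX_ATTEMPTS failures the wrapped key is zeroed
    and the data it protected is unrecoverable.
    """

    def __init__(self, pin: str, device_secret: bytes):
        self.device_secret = device_secret  # assumed to live in hardware
        self.salt = secrets.token_bytes(16)
        data_key = secrets.token_bytes(32)
        wrap_key, mac_key = _keys_from_pin(pin, device_secret, self.salt)
        # Wrap once under a fresh wrap key; the tag lets a wrong PIN be detected.
        self.wrapped = _xor(data_key, wrap_key)
        self.tag = hmac.new(mac_key, self.wrapped, "sha256").digest()
        self.failures = 0
        self.erased = False

    def unlock(self, pin: str) -> Optional[bytes]:
        """Return the data key on a correct PIN, None otherwise."""
        if self.erased:
            return None
        wrap_key, mac_key = _keys_from_pin(pin, self.device_secret, self.salt)
        expected = hmac.new(mac_key, self.wrapped, "sha256").digest()
        if not hmac.compare_digest(expected, self.tag):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.wipe()
            return None
        self.failures = 0
        return _xor(self.wrapped, wrap_key)

    def wipe(self) -> None:
        """Erase the wrapped key; nothing is left to brute-force or decrypt."""
        self.wrapped = bytes(len(self.wrapped))
        self.tag = bytes(32)
        self.erased = True


if __name__ == "__main__":
    store = PinGatedKeyStore("1234", device_secret=secrets.token_bytes(32))
    print("correct PIN:", store.unlock("1234") is not None)
    for _ in range(MAX_ATTEMPTS):
        store.unlock("0000")
    print("erased after %d failures:" % MAX_ATTEMPTS, store.erased)
```

The limit only means something if the check cannot be bypassed: the counter has to survive a reboot, and the PIN derivation has to need a secret that never leaves the device, otherwise a flash dump turns a ten-try limit into an offline search of ten thousand four-digit PINs.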


and remote wiped, which combined with the biometric scanner, makes it far more secure than anything else you have to carry around right now.


- It could only be remote wiped if it's turned on and has a signal. A credit/debit card can be disabled no matter where it is.

- Biometric scanners can be outfoxed with a piece of play-doh. And what happens when you just want to loan the thing to your SO?

Authentication is best implemented when it combines what you have (a debit card) with what you know (a pin). Putting biometrics on your phone is just stacking two things that you have (your finger and the phone) with nothing that you know. No, the password, as a concept, should stick around.


In theory, the code that your phone is outputting could be cancelled, so even if you tap your phone against a terminal, it gets rejected, just like credit cards today. Plus, the phone would have to be on to use it, so as soon as it gets signal, it would get wiped before it could be used. (Though that brings up a new concern of what you do in normal use if you have no signal.)

Good point on combining what you have with what you know. I did not think of that. But wouldn't the PIN on your phone be as effective as your credit card PIN?
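The two comments above make two separate points: authentication should combine what you have (the phone) with what you know (a PIN), and a lost phone's credential should be cancellable server-side, like a card, so it is refused even if the phone never gets a signal to be wiped. The following is an added example, not code from the original thread or from any vendor, showing both in one exchange. Everything in it is constructed for illustration: each enrolled phone holds a random device secret (which a real phone would keep in hardware), the authentication key is derived from that secret together with the PIN typed at time of use, the server keeps a shared symmetric verification key where a deployed scheme would enrol a public key, and challenges are single-use so a captured response cannot be replayed.

```python
"""Phone-as-credential: challenge-response needing device AND PIN, with
server-side cancellation of a lost device.

Added example, not code from the original thread or from any vendor. The
Phone/Server classes, device IDs and PINs are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple

KDF_ITERATIONS = 100_000


def derive_auth_key(device_secret: bytes, pin: str) -> bytes:
    """Bind 'what you have' (device secret) to 'what you know' (PIN).

    A different PIN yields a different key, so a thief holding the phone
    produces wrong responses; the PIN alone, without the device secret,
    yields nothing usable either.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, KDF_ITERATIONS)


class Phone:
    """The token the user carries; holds a per-device random secret."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.secret = secrets.token_bytes(32)  # assumed hardware-resident

    def enrolment_key(self, pin: str) -> bytes:
        """Key handed to the server once, when the user picks a PIN."""
        return derive_auth_key(self.secret, pin)

    def respond(self, challenge: bytes, pin: str) -> bytes:
        """Answer a challenge; the PIN is typed at the time of use."""
        key = derive_auth_key(self.secret, pin)
        return hmac.new(key, self.device_id.encode() + challenge, "sha256").digest()


class Server:
    """Verifier: issues single-use challenges and honours cancellations."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.cancelled: Set[str] = set()
        self.outstanding: Set[Tuple[str, bytes]] = set()

    def enrol(self, device_id: str, auth_key: bytes) -> None:
        self.keys[device_id] = auth_key

    def cancel(self, device_id: str) -> None:
        """The card-cancellation equivalent: works while the phone is offline."""
        self.cancelled.add(device_id)

    def new_challenge(self, device_id: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding.add((device_id, challenge))
        return challenge

    def verify(self, device_id: str, challenge: bytes, response: bytes) -> bool:
        # Any attempt consumes the challenge, so a captured response is useless later.
        if (device_id, challenge) not in self.outstanding:
            return False
        self.outstanding.discard((device_id, challenge))
        if device_id in self.cancelled or device_id not in self.keys:
            return False
        expected = hmac.new(
            self.keys[device_id], device_id.encode() + challenge, "sha256"
        ).digest()
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server, phone = Server(), Phone("phone-A")
    server.enrol("phone-A", phone.enrolment_key("4821"))
    c = server.new_challenge("phone-A")
    print("right PIN accepted:", server.verify("phone-A", c, phone.respond(c, "4821")))
    c = server.new_challenge("phone-A")
    server.cancel("phone-A")
    print("cancelled phone accepted:", server.verify("phone-A", c, phone.respond(c, "4821")))
```

With a symmetric key the server can forge responses itself, so it must be trusted not to; enrolling a public key instead (as the later comment about an on-chip public/private key exchange suggests) removes that trust while keeping the same PIN binding and cancellation logic.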


So at that point you end up with identical functionality to a credit card, except in a gimmicky package that's much more expensive to replace if lost or stolen, and much more valuable to the individual who obtains it. What's nice with a simple card is it has no intrinsic value; it's just a cheap token for authentication.

Sure, something extra you could do with a phone would be wrapping the payment system behind some sort of on-phone authentication before the phone "allows" you to use it, but then that's only as secure as the phone's debug access, so ultimately you end up with a bank-side activation/pin scheme, which puts you back at square one all over again.

To prevent the phone from getting a signal, put it inside a faraday cage (wrap it in aluminum foil).



Both visions require the surrender of vast amounts of personal data to private companies and allowing private companies control of web access and fund transfers. It is easy to see Apple denying your local adult emporium the use of its system for purchases and it is even easier to see Google ID's used to tailor search results in line with Google's commercial interests (since that already happens).


Two notes:

1) The article spoke mostly about the phone being used for authentication. This doesn't necessarily mean that the authentication system has vast amounts of PII.

2) If the authentication system does become the repository for vast amounts of personal data, then the concern is really for consolidation. You've already surrendered vast amounts of data to Visa, Amazon, Google, Apple, NetFlix, etc. Seems you're worried about it being consolidated.


The ability to link an individual's financial data and purchasing history directly to a complete history of their internet use would appear to be the one ring to rule them all in terms of advertising and data mining.

I agree there is nothing that necessitates a phone based authentication system requiring vast amounts of PII. However, there are strong incentives toward collecting it and both companies have a history of doing so whenever possible.


Exactly. Thank you, but I'll stick with my ridiculously long keychain of randomly generated strings.


Credit card companies already do it (see Visa and Mastercard on Wikileaks a few weeks back).


Life is just full of coincidences. I was just discussing how my iPhone should be able to replace my passwords last night, and wrote a blog post about my ideal car that is controlled by my phone.

My only concern in both of these cases though is what happens when my phone runs out of battery? Nobody seems to have an answer for that.


The problem I see with this isn't having to carry your phone around everywhere - it's the biometric system itself.

Biometric systems are much less usable than passwords. Users often fail them by doing things like putting their fingers in the wrong place on the sensor or by not looking directly into the camera.

I think probably that users will need to be somewhat trained in order for this to work well. Probably the hackers will train themselves too.

Stealing fingerprints from someone at a bar? Not so farfetched.


More likely scenario in the next 10 years would be making purchases with your phone by entering a password or pin on the screen of your phone to confirm.

The biometric portion is a little bit sensationalist at this point because the less invasive biometric techniques are not accurate enough to verify with 100% accuracy that you have your phone in your pocket. If I have to take a photo of my eye to complete the purchase using my phone, I think I'd rather enter a password.

I think the easiest way around the biometric thing is to put an NFC chip under the skin to handle a public/private key exchange. This is the best way to verify your identity because even a DNA test would not prove that you are present in any way.


The reason ATMs don't have fingerprint readers is that thieves would cut off fingers. A chip under the skin would lead to similar unpleasantness.


They do in some countries. The problem seems to be the upgrade of your ATMs all over the country and all third party ATMs to add a biometric reader too.


Good point that I hadn't considered.


Meh. We were told the same thing about voice recognition, RFID, and computers in general. I'll a) believe it when I see it, and b) still want more control over things like this, which will likely require a password in some form.


That'll be great until you drop your phone in a river or the battery dies.


This is old news. I've been doing this for years with my phone's Bluetooth + proximity detection.


MasterCard paypass does a great job so far for paying fast


To avoid someone making a 'contactless swipe' of my credit card information, I drilled the chip out of my card:

http://consumerist.com/2007/08/how-to-de-rfid-your-credit-ca...


And in 4 years, you will see this title instead:

Mobile phone theft rose 1200% in 2014, is the password the way of the future?


I've heard this sort of thing has already existed in Japan for some time?

