One of my predictions for 2013 back in 2012 was the smartphone playing a larger role in security.  While the phone itself will need to be secure, it is always with a person, second only to car keys and a wallet, and even those items could one day be integrated into your smartphone.

Do you know of anything else with a processor, memory, and connectivity that is as personal to one’s daily life?  I don’t.  I imagine that in 2013 we will see more tech on our bodies with smart watches, smart glasses (I want my Google glasses), chips in shoes, maybe something in a hat or belt.  In a few years, I’ll need 10 to 20 IP addresses just for my wearable network.  This brings a new context to link-local.  I like the term on-body.  Today my on-body network consists of my smartphone and my heart rate monitor, but I am ready for more, please.

Today on a tech podcast, I heard that someone in Taiwan had leaked rumors of a fingerprint reader on the new iPhones.  It is about time.  The smartphone is in such a great position to deliver multi-factor authentication that is both convenient and can be made secure.  Let’s look at a few factors:

  • Something you know.  This is the classic password problem that we have been struggling with for years.  Make the password strong and it is too hard to remember; make it easy to remember and it is weak.  Only when coupled with other factors can we overcome these shortcomings.
  • Something you are.  A fingerprint reader is such a no-brainer.  Retina scanners might be hard but not impossible, and I have already seen facial recognition work pretty well.  You can imagine that when more precise body system monitoring comes into play, markers like heart rate patterns, blinking patterns, all those things that a sensor can monitor, could generate a unique signature for your identity that can be used for this factor, with the added benefit of delivering heart-related telemetry.
  • Something you have.  The phone itself is unique, so it can count for this factor.  Others include soft cryptographic tokens; all of these rely on the ability to remain unique in some manner.
  • Somewhere you are: location-based information.  Given that all phones now have some form of GPS, you could even have a policy that geo-fences an area requiring lower or higher forms of security.

Many Internet services are already using SMS and other out-of-band communication channels to deliver two-factor authentication based on a challenge-response one-time password scheme.  Bravo, and let’s not stop there.  I can’t tell you how much harder they have made it for the bad guys.  If you are using a service on the Internet that does not offer some form of two-factor authentication, demand it from them.  Apple, Dropbox and Google have all done their part, and more need to follow.

Yes, there will be successes and failures, but again I remind you that never before has there been so much capability, so connected, and so personal.