In discussions about how to secure information assets, the mobile phone is often put forward as an elegant solution. If you can tie the phone into the authentication process, as something you must physically have in your possession before you are granted access, you gain an advantage over relying on a PIN or password (something you know) alone.
However, at least two problems jump to mind with using the mobile phone as the “something you have”. First, many phones are valuable enough on their own that they are likely to be stolen. Second, many people seem to have a nasty habit of losing or damaging their cell phones: they toss them around a fair bit, and the expensive devices are often, well, cheaply built.
A new phone announced in Japan by NTT DoCoMo, the P903i, attempts to deal with the first issue by introducing…another “something you have”. I’m not just talking about a battery that lasts more than a few hours: users are told to carry a separate chip that has to be near the phone for it to work, so a phone stolen without its chip is useless to the thief. This would be a clever approach, except that the second issue mentioned above is still unsolved.
Anyone want to bet that some users will tape the extra access device to the cell phone to make sure it is always there when they need it? I have seen so many RSA tokens glued and taped to laptops that I stopped counting, so I won’t be surprised if someone releases a case for the P903i that lets you carry your token and phone together for convenience, which defeats the whole point of having two things.
After all, can you imagine grabbing your phone and a new pair of pants in an emergency and then realizing that your access token is lost somewhere behind in an old pair? And if you put the token in an important place like your purse or wallet, or if you make the token desirable enough to be worn like jewelry, you have just increased the chances of the first problem (theft).
Where would you hide the token so that it is both safe from loss and yet easy to keep with you? Implanted under your skin? Maybe retina scans, or ear canal scans, to unlock a cell phone aren’t far away…especially considering that these phones increasingly carry identity, biometric and financial data.
And we have not even begun to look at the issue of securing the signal between the token and the phone to prevent replay attacks: if the token simply announces a fixed identifier, anyone who records that signal once can play it back later, with no token in sight…
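To make the replay concern concrete, here is an added example (my own illustration, not code from the original post, and not a description of how the P903i and its chip actually talk to each other, which the post does not cover). It models two hypothetical designs: a token that broadcasts a fixed identifier, and a token that only answers a fresh random challenge with an HMAC under a key it shares with the phone. The class names, the shared key and the token identifier are all constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Added illustration only: every class and constant below is hypothetical and
# says nothing about the real protocol between the P903i and its chip.


class StaticBeaconToken:
    """Weak design (assumed): the token simply announces a fixed identifier."""

    def __init__(self, token_id: bytes) -> None:
        self.token_id = token_id

    def announce(self) -> bytes:
        # Anyone in radio range can record this and play it back later.
        return self.token_id


class ChallengeResponseToken:
    """Token that shares a secret key with the phone and only answers challenges."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # The HMAC binds the answer to this exact challenge; it is useless for any other.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Phone:
    """Phone side of both protocols, keeping a single-use pending challenge."""

    def __init__(self, key: bytes, expected_id: bytes) -> None:
        self._key = key
        self._expected_id = expected_id
        self._pending: bytes | None = None

    # Weak protocol: trust whatever identifier is heard.
    def unlock_with_beacon(self, announcement: bytes) -> bool:
        return hmac.compare_digest(announcement, self._expected_id)

    # Challenge-response protocol: issue a fresh nonce, accept one answer to it.
    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fresh, unpredictable nonce
        return self._pending

    def unlock_with_response(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge, so nothing to answer
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # each challenge may be answered at most once
        return hmac.compare_digest(expected, response)


# Constructed sample secrets for the demonstration.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TOKEN_ID = b"P903i-token-0001"


def legitimate_unlock() -> bool:
    """Token is present: the phone's fresh challenge is answered correctly."""
    phone = Phone(SHARED_KEY, TOKEN_ID)
    token = ChallengeResponseToken(SHARED_KEY)
    return phone.unlock_with_response(token.respond(phone.new_challenge()))


def replay_against_beacon() -> bool:
    """Attacker records one announcement and replays it; True means the attack worked."""
    phone = Phone(SHARED_KEY, TOKEN_ID)
    token = StaticBeaconToken(TOKEN_ID)
    captured = token.announce()  # sniffed while the owner was nearby
    return phone.unlock_with_beacon(captured)  # token long gone, phone still unlocks


def replay_against_challenge_response() -> bool:
    """Attacker records a full (challenge, response) exchange and replays the response."""
    phone = Phone(SHARED_KEY, TOKEN_ID)
    token = ChallengeResponseToken(SHARED_KEY)
    captured_response = token.respond(phone.new_challenge())
    phone.unlock_with_response(captured_response)  # the owner's own session succeeds
    # Later, without the token: the phone issues a different nonce, so the
    # recorded response no longer matches and the unlock is refused.
    phone.new_challenge()
    return phone.unlock_with_response(captured_response)


if __name__ == "__main__":
    print("legitimate unlock:", legitimate_unlock())
    print("replay vs. static beacon unlocks phone:", replay_against_beacon())
    print("replay vs. challenge-response unlocks phone:",
          replay_against_challenge_response())
```

The nonce and the single-use pending challenge are what defeat pure replay. They do not, by themselves, stop a relay, where an attacker near the phone forwards the live challenge to an accomplice standing next to the real token; that is a separate problem for any proximity token and would need distance bounding or a tight response timeout on top of this exchange.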