Today I updated my iPad to the latest iOS 5 developer beta. I restored from an iCloud backup and was prompted for my iTunes user ID and password, then my FaceTime password, and then my iMessage password (which in itself is a bit strange, since they are all tied to my iTunes ID). It occurred to me that, between iTunes Store purchases and 3rd party apps, one of the primary tasks that I perform on my iOS devices is authenticating myself!
It's a problem which has progressively gotten worse with time. With my desire to be more secure, I have adapted my habits to use more complex passwords and different passwords for different services - great from a security perspective, but a real pain on a mobile device with a small keyboard.
As a user, I feel like the single biggest feature Apple could give me at this point is not improved notifications or an NFC payment mechanism, but some way to manage my identity and authenticate with trusted apps.
On the desktop there is 1Password, which is a great application, but on iPhone/iPad it doesn't really have the system integration to be useful outside of logging you into web applications. It's a start, but I think Apple is likely the only company who can provide a truly seamless solution.
Imagine an API which can be used by developers to store passwords and/or access tokens. If a user has already authenticated with an application, then they will be logged in automatically, otherwise they will be prompted for credentials and then given the option to store them.
The user could set certain parameters, similar to how they control location services today. For example, defining which applications have this functionality enabled.
A mobile device such as an iPhone or iPad is also somewhat different to a desktop computer - I don't know about you, but my iPhone is rarely more than a few feet away from me, so I have a great deal of confidence that I'm the only person who will be using it. This makes my only real concern that of the physical security of my device - if it's stolen, I don't want my data exposed.
I can think of a number of different ways this could be mitigated. For example, what if a master password needed to be entered every few days, otherwise all the stored authentication tokens would be wiped? Alternatively, this could be something which comes with iCloud and/or Find my iPhone, where the entire database, or even settings for individual applications, could be purged from another device.
Also, let's not forget the other key asset that an iPhone has over a desktop computer - sensors!
The device knows where it is, what the weather is like, which way up it's being held, its surroundings and a lot more.
Just like credit card companies have sophisticated algorithms in order to detect unusual spending patterns which often signal fraudulent usage, this sensor data could be used to hint if a device is in the wrong hands.
- Using the front-facing camera is a no-brainer. Does my owner look different?
- Geolocation is extremely powerful. The device could collect enough data to approximate the user's commuting patterns. Have my owner's movements changed? Where am I?
- Accelerometer. Why is my owner suddenly left handed?
- Keyboard. Why have my owner's typing speed and habits changed?
This is just the tip of the iceberg - sensors and usage data could be used to create a usage profile which could very easily tell if a device's physical security has been compromised and then prompt for a master password or execute other countermeasures.
I certainly feel that a combination of these techniques could be employed both to negate the need for users to be constantly entering passwords and to mitigate most of the risks of a child making unwanted purchases, or a device being stolen and undesirables having complete access.
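A sketch of how the pieces proposed above could fit together, added here as an illustration and not an Apple API or any existing library: a token store with a per-app switch, a master-password deadline that wipes everything when missed, a remote purge, and a sensor-based score that forces a master-password prompt. The class and function names, the signal weights, the 3-day deadline and the 0.5 threshold are all assumptions, and the sample token is constructed.

```python
from dataclasses import dataclass, field

DAY = 86400  # seconds

# Assumed weights for the four signals listed above; they sum to 1.
WEIGHTS = {"face": 0.4, "location": 0.3, "handedness": 0.15, "typing": 0.15}

def anomaly_score(signals):
    """Combine per-sensor deviations (0 = matches owner, 1 = does not) into one score."""
    return sum(w * min(max(signals.get(name, 0.0), 0.0), 1.0)
               for name, w in WEIGHTS.items())

@dataclass
class TokenVault:
    max_idle_days: float = 3.0     # assumed value for "every few days"
    prompt_threshold: float = 0.5  # assumed score that forces a master-password prompt
    last_master_auth: float = 0.0
    enabled_apps: set = field(default_factory=set)  # per-app switch, like location services
    tokens: dict = field(default_factory=dict)

    def master_auth(self, now):
        """Record a successful master-password entry at time `now` (seconds)."""
        self.last_master_auth = now

    def purge(self, app=None):
        """Remote wipe: one app's token, or the whole database."""
        if app is None:
            self.tokens.clear()
        else:
            self.tokens.pop(app, None)

    def get(self, app, signals, now):
        """Return (decision, token) for an app asking to log the user in."""
        if now - self.last_master_auth > self.max_idle_days * DAY:
            self.purge()  # deadline missed: wipe everything
            return "wiped", None
        if app not in self.enabled_apps:
            return "disabled", None
        if anomaly_score(signals) >= self.prompt_threshold:
            return "prompt_master_password", None
        if app not in self.tokens:
            return "prompt_credentials", None
        return "ok", self.tokens[app]

if __name__ == "__main__":
    vault = TokenVault(enabled_apps={"mail"}, tokens={"mail": "tok-constructed"})
    vault.master_auth(now=0)
    print(vault.get("mail", {"typing": 0.2}, now=1 * DAY))
    print(vault.get("mail", {"face": 1.0, "location": 0.8}, now=2 * DAY))
    print(vault.get("mail", {}, now=4 * DAY))
```

The order of checks matters: the deadline is evaluated first so that a stolen device loses its tokens even if the thief never triggers a sensor anomaly.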
If you are listening, Apple - this would be the next killer feature for iOS.