I recently blogged on the hassle of moving from one iPhone to another, and quite rightly people commented on the fact that it should not actually be that easy to do for good security reasons. My blog was very much done as a "typical end user" type rant.
At the end of the day, these devices are becoming critical personal devices that are our companions and provide security in a way we have to trust. The security they offer is way more than we ever had before. It is tricky when the device we trust is written by some company in a foreign land, and we don't have all of the details of how it works. We have to sort of trust them to keep to security principles. I think, in most cases, they do, and a lot better than the alternatives. Even then we have to be cautious.
My old iPhone held a number of security details locked by fingerprint or long PIN, and the new phone does the same but using "face recognition". Both are a massive convenience. Convenience is good for security as that is what people will "do".
Now the end result is that some things on my phone can get access based on that authentication, and in theory I could be forced to smile for the camera now, or previously submit a finger even if unconscious. It would allow some access to some things.
Even then, the company systems use a lot of two-factor stuff, so the "authenticator" on my phone only works with a username (easy to guess) and a password (harder) and the authenticator. So we have quite a few barriers in place. This is actually better than the online banking on my phone, which trusts the phone for many things - but even that wants extra steps to send money to random new people.
Obviously I would never share any of my passwords with anyone, unlike MPs.
I appreciate the comments on that blog post though - they are correct in that the security is important. But a key aspect of security is making it usable for the masses. It has to be "convenient" to be used at all.
This is where the MP tweets come in - we see over the last few days that many MPs are fucking idiots, allowing anyone on their staff (including interns and temps) access to their computers, which may hold personal information. They may even be criminal in their actions.
To say it is related to porn use is distracting, and why the hell can they not use incognito mode?
This is where systems need to make it easy to actually be secure. Things like fingerprints and face recognition go a long way. They allow me to be secure, and then only select the specific cases of say "inbox sharing" for email to specific staff to check and filter my email, etc, not general access to my computer. TBH I do not share my inbox - one day I may have a PA to handle it. If I was an MP, some trusted permanent staff may be there to filter email and post.
So in the case of changing iPhone, what do I want? Well, a simple, safe, SECURE way to transfer all of that personal information for everything from email to banking (and an authenticator app), via local encrypted means, as part of the new phone setup. No iCloud or even iTunes backup. That would have saved me a lot of hassle. They manage to transfer the Apple ID login details in some way that involves pointing the camera of one phone at the screen of the other, so why not all of this sensitive stuff?
But, just in case anyone has any doubts, all my staff and all my family know that passwords are never shared.
Friends do not let friends share passwords!
MPs take note.