Passwords and PINs are a bit of a nuisance. If you try to be a good security citizen and use different ones for each account/context/site, you end up with a horribly long list of things to remember. There are pieces of software for your PC to remember them for you, but if you often log in from different places, they aren't much help.
Meanwhile, using cards instead of keys to open doors is becoming ubiquitous. This has been extended to computer systems as well, but not quite as widely. The problem is that users need to be able to log in anywhere, but fitting every PC and laptop with a card reader is pretty difficult.
Card systems also suffer from the scalability problem of passwords: inevitably you will have to carry two or three or ten of them around for the different systems that you need to access. Essentially these are little repositories of personal information (i.e. a password) that reside in your wallet, and they are not very efficient ways to store what amounts to perhaps a few hundred bytes of data.
It occurs to me that most of us already carry around a larger repository of personal data that could be called upon to solve this problem: a cell phone and/or PDA. Let us call upon it to do our dirty work.
Yes, there are password database programs for PDAs, but these expose your passwords to shoulder surfing via the PDA screen. I think there is an easier way.
Develop a standard Infrared (IR) protocol for requesting and supplying a password or PIN to any device that requires it. This could be as simple as a keyboard-like protocol that lets the phone/PDA supply the characters at the appropriate moment, relying on the user to select the right password from a menu on their device. Or you could make it a bit more sophisticated, so that the device needing the password requests it with some sort of identification, allowing the phone/PDA to look up the corresponding password in a table and beam it back.
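As an added illustration (not the poster's code), here is a small Python simulation of both variants sketched above: an identified request that is answered from a lookup table, and the keyboard-like fallback where the user picks an entry from a menu. The frame layout, the reader identifiers and the credential table are all assumptions made for the example.

```python
"""Simulation of the two-mode IR password protocol described in the post.
Constructed example: frame format, reader ids and credentials are invented."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed credential table held on the phone/PDA: reader id -> (label, secret)
CREDENTIALS = {
    "door:hq-east": ("Office door", "4417"),
    "atm:bank-x": ("Bank X debit PIN", "9021"),
}


@dataclass
class Frame:
    kind: str            # "REQ" (request), "MENU" (ask user), "CHAR", "DONE"
    reader_id: str = ""  # who is asking; lets the PDA ignore stray readers
    payload: str = ""    # one character for CHAR, menu labels for MENU


def reader_request(reader_id: str) -> Frame:
    """Password-demand side: announce which reader is asking (identified mode)."""
    return Frame("REQ", reader_id)


def pda_respond(frame: Frame, menu_choice: Optional[str] = None) -> List[Frame]:
    """Password-supply side. Known reader: answer from the table. Unknown
    reader: offer a menu, or use the entry the user picked (menu_choice)."""
    if frame.kind != "REQ":
        return []
    entry = CREDENTIALS.get(frame.reader_id)
    if entry is None and menu_choice is not None:
        entry = CREDENTIALS.get(menu_choice)
    if entry is None:
        labels = "|".join(label for label, _ in CREDENTIALS.values())
        return [Frame("MENU", frame.reader_id, labels)]
    _, secret = entry
    # Keyboard-like delivery: one character per frame, then a terminator.
    # Note the secret crosses the IR link in the clear, as the post's
    # shoulder-surfing remark implies.
    return [Frame("CHAR", frame.reader_id, c) for c in secret] + [Frame("DONE", frame.reader_id)]


def reader_collect(frames: List[Frame], reader_id: str) -> Optional[str]:
    """Reassemble beamed characters addressed to this reader; None if no DONE."""
    buf = []
    for f in frames:
        if f.reader_id != reader_id:
            continue
        if f.kind == "CHAR":
            buf.append(f.payload)
        elif f.kind == "DONE":
            return "".join(buf)
    return None


def exchange(reader_id: str, menu_choice: Optional[str] = None) -> Optional[str]:
    """Run one full request/reply round trip and return what the reader got."""
    frames = pda_respond(reader_request(reader_id), menu_choice)
    return reader_collect(frames, reader_id)
```

Calling `exchange("door:hq-east")` exercises the table lookup, while an unknown reader id returns None until the user supplies a menu choice.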
Now to enter that door at work, instead of swiping your card you just lift up your phone/PDA and either simply point it at the door, or perhaps tap a few keys.
Advantages include the fact that millions of devices already have an infrared interface that could be used. This includes most PDAs and many cell phones on the password supply side, and laptops and home entertainment devices such as TV set-top boxes on the password demand side.
With ATM PINs, you now have to steal both my debit/credit card (or the account number, somewhat easier) and my cell phone in order to abuse my account. You could potentially do away with the debit card entirely, but then the cell phone becomes an incredibly tempting target.
A problem with the IR version of this scheme in public places is that shoulder surfing could be automated, depending on the IR-friendliness of the environment around the reader. To mitigate this, a small hood around the IR reader could be supplied: simply insert your phone/PDA into the hood before use.
(You could do a Bluetooth version of this too, but shoulder surfing would then be trivially easy. Mitigation would require a Faraday cage around the ATM booth, probably not too practical. You could also use a direct connection, but there is no entrenched standard for a connector to use. Even cell phones that actually use USB as their data transfer method almost always use a proprietary connector.)
Enhancements to this scheme might include sending back a digital receipt for your transaction after it is complete, for instance at an ATM.