One of the main issues with the Apple ID is the ease of use vs security. Tying the remote wipe functionality with the ability to purchase low cost content (the primary use case for the Apple ID) is always going to have one group of users unhappy.
I frequently want to quickly purchase a song on my iPhone. I also frequently tell my friends my password so they can do the same. How many of you have typed your Apple ID password on your Apple TV with others watching? I wouldn't really ask my friends to exit the room to type in a super secure and long password with many character groups (one that should be required for remote wipe functionality).
How many users keep their password secure knowing the main place they enter it is on their iOS device? For the many everyday Apple users I know, they set their passwords to something easy so they don't have to hit their keyboard too many times when entering them.
If Apple can separate the two authentication functions as they do with OS X and FileVault, it would go a long way to preventing these types of rare but high impact events. Another suggestion would be to separate the remote wipe into two phases, erasing the keys and cleaning up the data. The initialization vectors (seed) do present a bit of a problem but I think the FileVault solution is more than adequate. If the encryption keys and the key escrow system are cleared remotely, that would leave me comfortable that my data is still secure. If we really trust our crypto algorithms, then erasing data and removing the encryption keys should really be no different. Users that do not have iOS data protection and OS X FileVault turned on cannot be considered any level of secure anyway. And even with that data protection turned on, there are still many issues due to each app needing to implement security properly. It would be really great to see Apple improve their App Store to really audit the security of each application more than they do today.
Most of the work lies with Apple but it is a hard problem that will take time. I think Apple is going in the right direction by centralizing on iCloud rather than the PC as the central hub. This will give them a lot more flexibility and agility to move quicker and deliver secure results to the masses.
Absolutely. Forcing users to input their password each time they buy something from iTunes, or log into iCloud in the browsers, encourages simpler passwords. To have a single account in control of everything from buying a $1 song to remote-wiping a computer is madness.