This is precisely why it's constantly argued that a phone is not a good 2nd factor for authentication. The auth data should be on a device that is basically worthless except for the data it holds which in turn is also inaccessible to someone else.
Arguing for laws that are "tough on crime" is regressive and doesn't even solve the actual problem.
I think they mean that just passing laws that make it punishable by say 30 years in prison to steal a phone would be regressive, since the punishment is in no proportion to the crime.
However, what would actually be nice, like people here have suggested, is if the police would actually bum off to retrieve stolen phones, bikes, etc. and then deliver whatever appropriate penalties to the perpetrators if found.
Doesn’t matter if it’s only a small punishment so long as people get their stuff back and the thieves learn they’ll be sought after.
So basically, we don’t need better laws here, simply enforcement of them.
> Losing a smartphone today can have a profound impact on people’s lives.
This is the actual problem. Theft is also a problem, but not all that relevant.
"Tough on crime" doesn't really prevent crime when the incentive to commit it is still probably higher than the disincentive no matter how "tough" and getting caught is still unlikely.
A trivial, but more relatable, example of this line of (criminal) reasoning is that people are more likely to enjoy extreme sports vs a high paying "dangerous job" despite working the job being less lethal, less accident prone, and a much greater net positive.
> a phone is not a good 2nd factor for authentication
That's an argument for a phone not being the best 2FA mechanism. The argument for phones as 2FA isn't predicated on them being optimal, it's predicated on them being (1) present in almost all cases and (2) easily used.
Obviously yes, it would be safer if we'd all carry around password-locked YubiKeys. But we aren't going to. We do have phones in our pockets, though.
Something you have and something you know, yes. But isn't the thing you have supposed to be separate from the client you're using to authenticate?
We're talking about the case where the phone is stolen. There's almost no reason to steal an authentication device other than harassment or tactical delay of access.
You are technically correct, the best kind of correct, but just for balance I should mention that cavaliers like me end up merging the factors by having all their logins saved on their phones (modulo fingerprint prompts etc.).
> Arguing for laws that are "tough on crime" is regressive and doesn't even solve the actual problem.
There are definitely tough on crime laws that would solve or mostly solve the problem. Unfortunately these will mostly be cases of the cure being worse than the disease (e.g. panopticon with facial recognition and use of face coverings leading to jail time).
I always wonder why we don’t use decoys more. Have seemingly tipsy girls stand waving their phone around for a cab and a cop a few feet hidden away. Then stiff penalty. It’ll make people think twice about whether their “mark” is legit.
> Unfortunately these will mostly be cases of the cure being worse than the disease (e.g. panopticon with facial recognition and use of face coverings leading to jail time).
Not necessarily. Even if we didn't catch any more criminals than we do now, you could probably reduce the problem a lot just by making sure the ones we do catch actually go to jail.