You all may be interested in reading Ars Technica's excellent analysis of this, including their reporting that the website Equifax has set up for people to check their status is, itself, insecure and eminently hackable!
See "Why the Equifax breach is very possibly the worst leak of personal info ever"
I was going to sign up for the credit protection program, stopped, then asked myself, "why am I signing up with the idiots who just allowed this hack?"
I've read of one state that is moving forward with a lawsuit against them and I assume most of the states will do this. Might be worth waiting a day or two to see what happens at your individual state level.
Also, one suggestion I read that made sense, but would make life VERY inconvenient: Put a lock on all of your credit card and bank accounts, then unlock as needed, then re-lock. You'd be protected, but you'd be unable to do anything but monitor and take care of problems all day long.
One suggestion I read that made sense, but would make life VERY inconvenient: Put a lock on all of your credit card and bank accounts, then unlock as needed, then re-lock. You'd be protected, but you'd be unable to do anything but monitor and take care of problems all day long.
And it's not like they won't have all your lifelong personal data forever. Am I suppose to keep this locked for a year, 5 years, 20 years?
I have monitoring services for free via CCs, AA, and some other source that I think I'm covered if anything odd comes up. I can check my score and other values affecting my score at will (updated monthly), and I get emails each month that usually say nothing has changed. Additionally, I do an annual free credit report download from all three bureaus—as allowed by law—which I keep in a PDF form when I get to the Print option in the Safari browser and I store in a protected folder after looking it over for anything that stands out. This is a calendar entry that reminds to check this each year, otherwise I'd forget.
One of the 'best' ways to counter this attack is to put a freeze on your credit. You would need to do this with the 3 agencies. And for most states that will cost you between $5-$10 per agency. So a couple would have to pay $60 to freeze their credit because of the stupidity and gross negligence of Equifucks.
But it gets better. With your credit frozen you can't apply for any loans or new accounts. To do so you need to unfreeze your credit. Which will again cost you $60. And once you get the loan you need to shell out another $60 to freeze the account again.
But WAIT!!! IT GETS BETTER!!!
When you freeze your credit you are give a PIN number that will allow you to unfreeze your credit.
If somehow you lose the PIN you can request a new PIN by furnishing them information.
AND GUESS WHAT INFORMATION THAT IS?????
THE SAME FUCKING INFORMATION THAT WAS STOLEN IN THE BREACH.
So theorectically you could pay $60 to freeze your account and some low life can request a new PIN to unfreeze your account by using the same information that was stolen.
FUCK.
There is a silver lining. Hope this shit show FINALLY brings an end to relying so heavily on stupid ass information like SSN and DOB. We need 2 factor authorization or some other biometric identity standard for opening up new accounts or loans.
The cheapest solution is placing a fraud alert on your credit report. Doing that is free. A fraud alert is placed for 90 days, but you can extend that. With a fraud alert, if someone tries to open an account in your name, the business has to take more steps to verify your identity.
One thing I've heard happen is with all of the information the thieves have at their disposal, they can call up your phone company or cell phone provider and have the account transferred to them, then they change the phone number. With your phone number "gone", they can spend all the time they want to then get into your bank accounts, brokerage, and so on.
One suggestion I read that made sense, but would make life VERY inconvenient: Put a lock on all of your credit card and bank accounts, then unlock as needed, then re-lock. You'd be protected, but you'd be unable to do anything but monitor and take care of problems all day long.
And it's not like they won't have all your lifelong personal data forever. Am I suppose to keep this locked for a year, 5 years, 20 years?
I have monitoring services for free via CCs, AA, and some other source that I think I'm covered if anything odd comes up. I can check my score and other values affecting my score at will (updated monthly), and I get emails each month that usually say nothing has changed. Additionally, I do an annual free credit report download from all three bureaus—as allowed by law—which I keep in a PDF form when I get to the Print option in the Safari browser and I store in a protected folder after looking it over for anything that stands out. This is a calendar entry that reminds to check this each year, otherwise I'd forget.
I have the same thing with my CC as well. I set it up so I receive notifications if there are changes to my credit report. With this huge data breach, I will monitor everything closely for a while. I have notifications set up for my CC's to know anytime it's being used. It's pretty pathetic one of the top credit reporting agencies dropped the ball on security. It can take someone years to fix everything from identity theft.
One of the 'best' ways to counter this attack is to put a freeze on your credit. You would need to do this with the 3 agencies. And for most states that will cost you between $5-$10 per agency. So a couple would have to pay $60 to freeze their credit because of the stupidity and gross negligence of Equifucks.
But it gets better. With your credit frozen you can't apply for any loans or new accounts. To do so you need to unfreeze your credit. Which will again cost you $60. And once you get the loan you need to shell out another $60 to freeze the account again.
But WAIT!!! IT GETS BETTER!!!
When you freeze your credit you are give a PIN number that will allow you to unfreeze your credit.
If somehow you lose the PIN you can request a new PIN by furnishing them information.
AND GUESS WHAT INFORMATION THAT IS?????
THE SAME FUCKING INFORMATION THAT WAS STOLEN IN THE BREACH.
So theorectically you could pay $60 to freeze your account and some low life can request a new PIN to unfreeze your account by using the same information that was stolen.
FUCK.
There is a silver lining. Hope this shit show FINALLY brings an end to relying so heavily on stupid ass information like SSN and DOB. We need 2 factor authorization or some other biometric identity standard for opening up new accounts or loans.
The cheapest solution is placing a fraud alert on your credit report. Doing that is free. A fraud alert is placed for 90 days, but you can extend that. With a fraud alert, if someone tries to open an account in your name, the business has to take more steps to verify your identity.
One thing I've heard happen is with all of the information the thieves have at their disposal, they can call up your phone company or cell phone provider and have the account transferred to them, then they change the phone number. With your phone number "gone", they can spend all the time they want to then get into your bank accounts, brokerage, and so on.
If I have to end up putting a fraud alert on my credit report, I'm going to get one of those cheap prepaid phones. I will use the number from the prepaid phone for the fraud alert. Thieves wouldn't be able to find out you have a prepaid phone with the information that was leaked.
Would be nice if our government would issue Letters of Marque and Reprisal for large-scale data hackers. Whoever did this should be hunted down and killed.
Who knows... if the iPhone 8 turns out to be THE blockbuster secure device, Apple can offer to sell one to every single American as a replacement for the Social Security number. Let the entire economy run on ApplePay, Touch ID and Look ID.
If I have to end up putting a fraud alert on my credit report, I'm going to get one of those cheap prepaid phones. I will use the number from the prepaid phone for the fraud alert. Thieves wouldn't be able to find out you have a prepaid phone with the information that was leaked.
I think that now, after this breach, there must be created... another way to verify identity when requesting a replacement for a 'forgotten' password. Not everyone can get a 'cheap prepaid phone.' How, I don't know, but there are a lot of us vulnerable now.
Well that's pretty bogus...you need to wait for an "enrollment date" to enroll for their identity theft protection. Im guessing they hope you forget to do so.
Pretty ironic that a company that few, if any of us actually do business with and charged with telling the banks that we're "credit worthy" is involved in such an enormous screw up. You're absolutely right though. They DO hope you'll forget. They even tell you to make a note to sign up, because you won't get another notice reminding you to do so.
Then on top of that, as SoundJudgment points out, all you get is a "yup, you're screwed" without any additional information and a year of monitoring, is ridiculous. You're data is out there forever. This is way worse than Target, Home Depot, etc.
It would be nice if there was...I don't know...a lawsuit from 10-20M "clients".
Now, wouldn't that be fun!? I'm not a litigious guy and generally dislike the idea of class action suits (where only the lawyers actually get anything), but if ever there was a case . . . ;-)
I started a new thread here which includes the nuts and bolts of protecting your credit information in this post-hacked Equifax era. This is the best, most accurate information I have been able to assemble thus far. If you have additional helpful information, add it to the thread.
Who knows... if the iPhone 8 turns out to be THE blockbuster secure device, Apple can offer to sell one to every single American as a replacement for the Social Security number. Let the entire economy run on ApplePay, Touch ID and Look ID.
That's the system that should be implemented for ID, same with online logins to eliminate passwords. People would get an encryption key pair and only public keys are stored. Only the person with the private key can decrypt messages encoded by the public key. They can check for duplicate keys so that everyone has a unique key and, as in the case for Estonia, it can be used in place of a written signature so that electronic forms and parcel deliveries can be digitally signed. This is how Apple signs software to identify developers. Social security agencies using the numbers for ID need to start implementing this system right now, follow Estonia's lead.
It doesn't have to be restricted to iPhones, the private keys would be encrypted on devices using local passwords and biometrics and accessed with custom software.
On top of this, there needs to be some government regulation over the storage of bulk personal data. Someone has to store data at some point so there needs to be a security standard, possibly with certified hardware and practises for backups and data transfer. The hardware should almost prevent this kind of thing being possible using isolated components. People will move houses and change contact info over time and if the social security id is invalidated for a new system, the info becomes worthless.
The tech companies can step up here and build a system together and use the same system for their own authentication with separate keys: Facebook, Google, Apple, Microsoft. No more passwords and no more publicly held data for direct authentication, all encryption keys stored behind local security. When you sign up to a new service, you send them your public key and that's it.
Who knows... if the iPhone 8 turns out to be THE blockbuster secure device, Apple can offer to sell one to every single American as a replacement for the Social Security number. Let the entire economy run on ApplePay, Touch ID and Look ID.
That's the system that should be implemented for ID, same with online logins to eliminate passwords. People would get an encryption key pair and only public keys are stored. Only the person with the private key can decrypt messages encoded by the public key. They can check for duplicate keys so that everyone has a unique key and, as in the case for Estonia, it can be used in place of a written signature so that electronic forms and parcel deliveries can be digitally signed. This is how Apple signs software to identify developers. Social security agencies using the numbers for ID need to start implementing this system right now, follow Estonia's lead.
It doesn't have to be restricted to iPhones, the private keys would be encrypted on devices using local passwords and biometrics and accessed with custom software.
On top of this, there needs to be some government regulation over the storage of bulk personal data. Someone has to store data at some point so there needs to be a security standard, possibly with certified hardware and practises for backups and data transfer. The hardware should almost prevent this kind of thing being possible using isolated components. People will move houses and change contact info over time and if the social security id is invalidated for a new system, the info becomes worthless.
The tech companies can step up here and build a system together and use the same system for their own authentication with separate keys: Facebook, Google, Apple, Microsoft. No more passwords and no more publicly held data for direct authentication, all encryption keys stored behind local security. When you sign up to a new service, you send them your public key and that's it.
Who knows... if the iPhone 8 turns out to be THE blockbuster secure device, Apple can offer to sell one to every single American as a replacement for the Social Security number. Let the entire economy run on ApplePay, Touch ID and Look ID.
That's the system that should be implemented for ID, same with online logins to eliminate passwords. People would get an encryption key pair and only public keys are stored. Only the person with the private key can decrypt messages encoded by the public key. They can check for duplicate keys so that everyone has a unique key and, as in the case for Estonia, it can be used in place of a written signature so that electronic forms and parcel deliveries can be digitally signed. This is how Apple signs software to identify developers. Social security agencies using the numbers for ID need to start implementing this system right now, follow Estonia's lead.
It doesn't have to be restricted to iPhones, the private keys would be encrypted on devices using local passwords and biometrics and accessed with custom software.
On top of this, there needs to be some government regulation over the storage of bulk personal data. Someone has to store data at some point so there needs to be a security standard, possibly with certified hardware and practises for backups and data transfer. The hardware should almost prevent this kind of thing being possible using isolated components. People will move houses and change contact info over time and if the social security id is invalidated for a new system, the info becomes worthless.
The tech companies can step up here and build a system together and use the same system for their own authentication with separate keys: Facebook, Google, Apple, Microsoft. No more passwords and no more publicly held data for direct authentication, all encryption keys stored behind local security. When you sign up to a new service, you send them your public key and that's it.
Here's one system similar to what you're endorsing, and with the benefit of being open-source so that anyone could implement it. Facebook, Google, Apple and Microsoft could all be on the same page and help fast-track it.
If this issue isn't addressed immediately by industry or in concert with the "idiots in charge" (Congress) the economic results could be catastrophic. As damaging as a bomb dropped on us by Korea.
I'm in no hurry to give anymore confidential information to equifax, is anyone else? I purchased my iPhone outright, and signed up with T-mobile as my carrier, I was fed up with AT&T and their poor service and high prices, I wonder if I'm still at risk because of this security breach?
I'm in no hurry to give anymore confidential information to equifax, is anyone else? I purchased my iPhone outright, and signed up with T-mobile as my carrier, I was fed up with AT&T and their poor service and high prices, I wonder if I'm still at risk because of this security breach?
Signing up for their credit monitoring "service" isn't really being recommended. Why would you want to give additional information to these morons? However, you should strongly consider what's called a "credit freeze". I created a thread for people unclear what should be done about this. I read a lot of information online, then double-, then triple-checked it, and even threw in a NY Times article that backed up what I had discovered. See it all here: https://forums.appleinsider.com/discussion/201682/steps-you-can-take-now-if-you-were-part-of-the-equifax-hack#latest
I created that thread because I was incensed by the sloppy and confusing reporting coming from the media. I still think it's being woefully underreported and people are absolutely unclear about the imminent threat to their credit rating, Social Security number, their "digital identity" and the potential for misuse of your personal data has been extended for the rest of your life! In addition to reading the info I collected, you should also do your own homework on the matter.
I'm in no hurry to give anymore confidential information to equifax, is anyone else? I purchased my iPhone outright, and signed up with T-mobile as my carrier, I was fed up with AT&T and their poor service and high prices, I wonder if I'm still at risk because of this security breach?
Yes, Equifax almost certainly knows (and sells access to) your credit card and banking information, your entire employment history, what you currently earn, the size of your home and it's value, what vehicles you own, any other properties you might have, how many in your family and extended family along with names and addresses and ages, what schools you attended, SS number, mother and father's names (including the common security questions answered like maiden and middle names), and a plethora of other detailed personal information ranging from social and professional organizations, religious affiliation and reportedly even sexual persuasion.
...So yeah whether you paid cash for your iPhone doesn't matter.
Perhaps we can all pivot from worrying about ads and focus more on the real data marketers and the dangers they present to our personal privacy. IMHO this whole laser focus on targeted ads as scapegoats for the most horrid privacy dangers imaginable is an intentional misdirection effort promoted by both competitors and the data aggregation industry who don't want eyes looking at them. They ain't making their living on anonymized ads.
Who knows... if the iPhone 8 turns out to be THE blockbuster secure device, Apple can offer to sell one to every single American as a replacement for the Social Security number. Let the entire economy run on ApplePay, Touch ID and Look ID.
That's the system that should be implemented for ID, same with online logins to eliminate passwords. People would get an encryption key pair and only public keys are stored. Only the person with the private key can decrypt messages encoded by the public key. They can check for duplicate keys so that everyone has a unique key and, as in the case for Estonia, it can be used in place of a written signature so that electronic forms and parcel deliveries can be digitally signed. This is how Apple signs software to identify developers. Social security agencies using the numbers for ID need to start implementing this system right now, follow Estonia's lead.
It doesn't have to be restricted to iPhones, the private keys would be encrypted on devices using local passwords and biometrics and accessed with custom software.
On top of this, there needs to be some government regulation over the storage of bulk personal data. Someone has to store data at some point so there needs to be a security standard, possibly with certified hardware and practises for backups and data transfer. The hardware should almost prevent this kind of thing being possible using isolated components. People will move houses and change contact info over time and if the social security id is invalidated for a new system, the info becomes worthless.
The tech companies can step up here and build a system together and use the same system for their own authentication with separate keys: Facebook, Google, Apple, Microsoft. No more passwords and no more publicly held data for direct authentication, all encryption keys stored behind local security. When you sign up to a new service, you send them your public key and that's it.
For domains, you have multiple certificate authorities able to issue keys for domain names to verify their identity but compromising an authority can allow interception. Same goes for things like WhatsApp where the messages are sent from one person to another via the intermediate WhatsApp server.
The above solutions are to ensure key consistency while maintaining privacy. Consistency checks can be done using a blockchain but that may not be private enough.
For authentication directly with a provider, this isn't needed and you wouldn't want a public register of links between IDs and keys. The desired system would be a trivial replacement for a password/ID system and can be built in a matter of days.
In Estonia, the central authority makes key pairs, which are put into an ID card (or phone SIM) and protected by a PIN code:
This means the government has both the private and public keys initially and they need to be sent to the users. Ideally the users would generate the key pairs and this would be done by the government sending them a one-time session code, which they use inside an app. The app then generates the key pairs and sends the public key to the authority to be linked with the user's ID profile. The private key is encrypted locally behind biometric ID and passcode.
When a service needs to authenticate a user, the service encrypts a message using the public key. The device would send that message to the software, which asks for a local ID (password/biometrics) to allow the software to decrypt the private key and then decrypt the message. The message that is sent back can be encrypted using a provider session key and it would be verified.
The difficulties include making the software for every platform, distributing it, making sure the keys are secure and can be synced securely across devices. When the private key is decrypted, it's in memory and other apps can read from memory. This is where key cards are more secure as the keys aren't accessible to other software but it means snail mail for issuing and the government having all the keys. This is ok for Social Security though and additionally ensures every user has a unique pair, which is essential although this can be done with multiple codes.
For online services, the tech companies can protect the keys well enough. Every service provider can issue their own keys, they'd just have to come together on the authentication software and they can build it into the OS if they wanted so that it works on a higher permission level and can be isolated from other processes.
The software should: - generate asymmetric key pairs using a strong encryption standard - store the private keys with strong encryption with passcodes and biometrics - allow encrypting messages using public keys - allow decrypting messages securely using the private keys - allow securely syncing the keys between devices
The same software would run server-side, it can be in any language. Public keys can be stored in databases or files. Reissuing keys if a device is stolen is easy.
Who knows... if the iPhone 8 turns out to be THE blockbuster secure device, Apple can offer to sell one to every single American as a replacement for the Social Security number. Let the entire economy run on ApplePay, Touch ID and Look ID.
Social security agencies using the numbers for ID need to start implementing this system right now, follow Estonia's lead.
The above solutions are to ensure key consistency while maintaining privacy. Consistency checks can be done using a blockchain but that may not be private enough.
For authentication directly with a provider, this isn't needed and you wouldn't want a public register of links between IDs and keys. The desired system would be a trivial replacement for a password/ID system and can be built in a matter of days.
In Estonia, the central authority makes key pairs, which are put into an ID card (or phone SIM) and protected by a PIN code:
This means the government has both the private and public keys initially and they need to be sent to the users. Ideally the users would generate the key pairs and this would be done by the government sending them a one-time session code, which they use inside an app. The app then generates the key pairs and sends the public key to the authority to be linked with the user's ID profile. The private key is encrypted locally behind biometric ID and passcode.
The difficulties include making the software for every platform, distributing it, making sure the keys are secure and can be synced securely across devices. When the private key is decrypted, it's in memory and other apps can read from memory. This is where key cards are more secure as the keys aren't accessible to other software but it means snail mail for issuing and the government having all the keys. This is ok for Social Security though and additionally ensures every user has a unique pair, which is essential although this can be done with multiple codes.
For online services, the tech companies can protect the keys well enough. Every service provider can issue their own keys, they'd just have to come together on the authentication software and they can build it into the OS if they wanted so that it works on a higher permission level and can be isolated from other processes.
The software should: - generate asymmetric key pairs using a strong encryption standard - store the private keys with strong encryption with passcodes and biometrics - allow encrypting messages using public keys - allow decrypting messages securely using the private keys - allow securely syncing the keys between devices
The same software would run server-side, it can be in any language. Public keys can be stored in databases or files. Reissuing keys if a device is stolen is easy.
Thanks for the in-depth explanation Marvin. Excellent as usual and very helpful.
I think Brits and Canadians are affected by this as well? I'm a long term BT (British Telecom) customer and they use Equifax. Any idea if us Europeans can get any info on if we are affected?
Comments
I was going to sign up for the credit protection program, stopped, then asked myself, "why am I signing up with the idiots who just allowed this hack?"
I've read of one state that is moving forward with a lawsuit against them and I assume most of the states will do this. Might be worth waiting a day or two to see what happens at your individual state level.
Also, one suggestion I read that made sense, but would make life VERY inconvenient: Put a lock on all of your credit card and bank accounts, then unlock as needed, then re-lock. You'd be protected, but you'd be unable to do anything but monitor and take care of problems all day long.
I have monitoring services for free via CCs, AA, and some other source that I think I'm covered if anything odd comes up. I can check my score and other values affecting my score at will (updated monthly), and I get emails each month that usually say nothing has changed. Additionally, I do an annual free credit report download from all three bureaus—as allowed by law—which I keep in a PDF form when I get to the Print option in the Safari browser and I store in a protected folder after looking it over for anything that stands out. This is a calendar entry that reminds to check this each year, otherwise I'd forget.
If I have to end up putting a fraud alert on my credit report, I'm going to get one of those cheap prepaid phones. I will use the number from the prepaid phone for the fraud alert. Thieves wouldn't be able to find out you have a prepaid phone with the information that was leaked.
https://www.bloomberg.com/view/articles/2017-09-08/the-equifax-hack-didn-t-have-to-be-this-bad
Who knows... if the iPhone 8 turns out to be THE blockbuster secure device, Apple can offer to sell one to every single American as a replacement for the Social Security number. Let the entire economy run on ApplePay, Touch ID and Look ID.
Steps You Can Take Now If You Were Part Of The Equifax Hack
It doesn't have to be restricted to iPhones, the private keys would be encrypted on devices using local passwords and biometrics and accessed with custom software.
On top of this, there needs to be some government regulation over the storage of bulk personal data. Someone has to store data at some point so there needs to be a security standard, possibly with certified hardware and practises for backups and data transfer. The hardware should almost prevent this kind of thing being possible using isolated components. People will move houses and change contact info over time and if the social security id is invalidated for a new system, the info becomes worthless.
The tech companies can step up here and build a system together and use the same system for their own authentication with separate keys: Facebook, Google, Apple, Microsoft. No more passwords and no more publicly held data for direct authentication, all encryption keys stored behind local security. When you sign up to a new service, you send them your public key and that's it.
https://threatpost.com/googles-key-transparency-simplifies-public-key-lookups/123073/
If the developer bothers you there's also CONIKS.
https://coniks.cs.princeton.edu/
I created that thread because I was incensed by the sloppy and confusing reporting coming from the media. I still think it's being woefully underreported and people are absolutely unclear about the imminent threat to their credit rating, Social Security number, their "digital identity" and the potential for misuse of your personal data has been extended for the rest of your life! In addition to reading the info I collected, you should also do your own homework on the matter.
...So yeah whether you paid cash for your iPhone doesn't matter.
Here's an eye-opener. For a reference to the types of reports and data that can be purchased from Equifax:
http://www.equifax.com/business/all-products
Perhaps we can all pivot from worrying about ads and focus more on the real data marketers and the dangers they present to our personal privacy. IMHO this whole laser focus on targeted ads as scapegoats for the most horrid privacy dangers imaginable is an intentional misdirection effort promoted by both competitors and the data aggregation industry who don't want eyes looking at them. They ain't making their living on anonymized ads.
https://www.theregister.co.uk/2013/12/10/french_gov_dodgy_ssl_cert_reprimand/
For domains, you have multiple certificate authorities able to issue keys for domain names to verify their identity but compromising an authority can allow interception. Same goes for things like WhatsApp where the messages are sent from one person to another via the intermediate WhatsApp server.
The above solutions are to ensure key consistency while maintaining privacy. Consistency checks can be done using a blockchain but that may not be private enough.
For authentication directly with a provider, this isn't needed and you wouldn't want a public register of links between IDs and keys. The desired system would be a trivial replacement for a password/ID system and can be built in a matter of days.
In Estonia, the central authority makes key pairs, which are put into an ID card (or phone SIM) and protected by a PIN code:
https://en.wikipedia.org/wiki/Estonian_ID_card
This means the government has both the private and public keys initially and they need to be sent to the users. Ideally the users would generate the key pairs and this would be done by the government sending them a one-time session code, which they use inside an app. The app then generates the key pairs and sends the public key to the authority to be linked with the user's ID profile. The private key is encrypted locally behind biometric ID and passcode.
When a service needs to authenticate a user, the service encrypts a message using the public key. The device would send that message to the software, which asks for a local ID (password/biometrics) to allow the software to decrypt the private key and then decrypt the message. The message that is sent back can be encrypted using a provider session key and it would be verified.
The difficulties include making the software for every platform, distributing it, making sure the keys are secure and can be synced securely across devices. When the private key is decrypted, it's in memory and other apps can read from memory. This is where key cards are more secure as the keys aren't accessible to other software but it means snail mail for issuing and the government having all the keys. This is ok for Social Security though and additionally ensures every user has a unique pair, which is essential although this can be done with multiple codes.
For online services, the tech companies can protect the keys well enough. Every service provider can issue their own keys, they'd just have to come together on the authentication software and they can build it into the OS if they wanted so that it works on a higher permission level and can be isolated from other processes.
The software should:
- generate asymmetric key pairs using a strong encryption standard
- store the private keys with strong encryption with passcodes and biometrics
- allow encrypting messages using public keys
- allow decrypting messages securely using the private keys
- allow securely syncing the keys between devices
The same software would run server-side, it can be in any language. Public keys can be stored in databases or files. Reissuing keys if a device is stolen is easy.