Ellison & Schneier point out in their PKI paper that to verify a person, you need shared information which isn't public --unlike most of the data the credit companies keep. Your mother's maiden name really doesn't cut it any more. This is right on the mark. In conversation where natural voice biometrics aren't used (e.g., email) you can verify that a person is who they claim by using shared meatspace history as your shared secret. "Hey, remember that time..." But many people document their lives on line; the blooming of narcissism or expression, take your pick. Imagine spoofing an identity by using inferences made from say, their Burning Man (tm) or family online photos and stories or images autoretrieved from the zillions of public-area webcams coming soon to an area near you. "Yeah, my Joe Jr. went to 2nd grade with your Jane in '98.. are her braces off yet?" (Of course, if a mutant spoofs a normal, this self-documentation could be self-protective disinformation; info-mimicry. It would act as a 'honeypot' to catch the casual faux-familiar.)
