Is It Time To Insist On Mobile Authentication Beyond PIN?

Is it time to insist that mobile devices have some type of authentication beyond PIN? The frightening scenario: A thief watches a shopper making a mobile purchase at the mall and shoulder surfs his 4-digit PIN. The thief steals the phone, walks into a store, buys a $5,000 necklace with that phone and that PIN and then dumps the phone into a trashcan.

That authentication might be biometrics (the phone could scan the buyer's facial shape, match a voiceprint or do a retinal scan, although preferably not a fingerprint), a one-time-password fob, or even—for the ultimate simplicity—a rotating series of personal questions, so that a single shoulder-surfed answer would be useless for the next purchase. Even Square and the SMB PayPal trials are using customer photos for verification. But with in-store mobile purchases now going into widespread retail trials, it may be time for some real security. Or is the absurdity of signature verification no longer enough to motivate anyone?