Ok, but no way to handle the case where it is comprimised? Why use the device id, why not just generate a uuid the first time the app is run? It seems like there are some issues to work out with this scheme, it may be slightly premature to declare logins dead.