Let's rewind for a second here. A Boarding Pass' purpose is to enable a passenger to be identified and boarded by the airline. As such, it has to contain specific information. Both readable by humans and machines, and the contents are coded by IATA (for those airlines who are part of it). If you check out the riveting document that is IATA's Bar Coded Boarding Pass Implementation Guide, you'll see that a barcode can contain name, surname, PNR and e-ticket number of up to four flights (and more!) for a normal 2D barcode, and those can be read by a relatively cheap barcode scanner that you or I can buy on Amazon.

The fact that the Prem in question has been absent-minded with his BP, that car hire company hasn't cleaned the car and that the OP has been nosy shouldn't come at a detriment to the main purpose of the boarding pass. Maybe BA ought to do what websites like Twitter or Instagram do and send an email "we've detected a new access from an unknown system" to highlight that the OP has done a bit of stalking but to I wouldn't bet on IATA jumping on some sort of two-factor authentication process for boarding passes. Firstly because it'd be impossible (IATA is still trying to convince airlines of the need for XML as the baggage messaging language!) secondly because... can you imagine boarding?