Passwords are unmanageable. A password-free life is a criminals' Utopia. Biometrics makes the matter worse. ID federations create a single point of failure. Then what else?
Intuitive Passwords
- Passwords succeeding passwords -
Introduction
Security of the real/cyber-fused society hinges on trusted identity assurance, which in turn
hinges on reliable shared secrets in cyberspace. Passwords have served as those shared
secrets for many decades.
The password has also been a target of resentment: a password that is easy to recall is easy
to break, while one that is hard to break is hard to recall. Besieged by an ever-increasing
number of password-requiring accounts, not a few people are crying that the password should
be killed dead.
The password can be killed altogether, however, only where a valid alternative exists.
To displace passwords would not be easy
Some say “a PIN can”. This observation would, however, only lead us to the entrance of Alice’s
Wonderland. A PIN is a weak, numbers-only form of password; if it could displace the
password, a puppy should be able to displace the dog, a kitten the cat, a cub the lion.
A “passphrase” is likewise no more than a variation of the password, with its own merits and
demerits. It may be longer and yet easier to remember, but length does not by itself mean
higher entropy: a passphrase is generally made of known words, which leaves it vulnerable
to automated dictionary attacks despite the tiresome typing.
Some people might say that multi-factor authentication, or ID federations such as password
managers and single-sign-on services, could do it. It is hard to see, however, how the
password could be displaced by a multi-factor scheme in which one of the factors is a
password, or by an ID federation that requires the most reliable password of all as its
master password.
Misused biometrics
Some say “Biometrics will”. This observation would lead us to another entrance of Alice’s
Wonderland. Biometric solutions used in cyberspace need a password registered as a fallback,
i.e. a recovery mechanism for the case of false rejection. If “something” that has to rely
on “the other thing” could displace “the other thing”, your foot should be able to displace your
leg for walking. Alice’s Wonderland might accept it, but we have huge difficulty imagining
what it would look like in this 4D space-time universe.
A lot of people take it for granted that the password can be displaced by biometrics
operated in cyberspace together with a fallback password. How could such a misconception
arise?
Blind Spot in Our Mind: Let us imagine that we are looking at two models of smartphone -
Model A with a PIN code and Model B with a PIN code and a fingerprint scanner.
Which of the two models do you think is more secure?
- when you hear that Model A is protected by a PIN code while Model B is protected by both a
PIN code and fingerprints
- when you hear that Model A can be unlocked by a PIN code while Model B can be unlocked by
both a PIN code and fingerprints
- when you hear that Model A can be attacked only through the PIN code while Model B can be
attacked through both the PIN code and fingerprints
Is your answer the same in all three situations?
Eye-Opening Experience: Now let us imagine two houses - (1) with one entrance and (2) with
two entrances placed in parallel.
Which house is safer against burglars?
Every one of us will agree that the answer is plainly (1). Nobody would allege that (2) is
safer because it is “protected” by two entrances. In the same way, login by a PIN code alone
is more secure than login by a biometric sensor backed up by a fallback PIN code (*1): a
smartphone with biometric authentication plus a fallback PIN code is less secure than a
smartphone with PIN-code-only authentication, because either entrance will do for the
attacker.
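As an added illustration, not from the original text, the two-entrance argument can be written as an inequality. Let $p$ be the per-attempt probability that an attacker gets past the PIN code and $q$ the probability that the attacker gets past the fingerprint sensor (its false match rate, or the success rate of a spoofed finger), taking the two attempts as independent. When either one unlocks the device, the attacker fails only if both are defeated, so

$$P_{\mathrm{PIN}\,\lor\,\mathrm{bio}} \;=\; 1-(1-p)(1-q) \;=\; p+q-pq \;\ge\; \max(p,q) \;\ge\; p .$$

Equality with $p$ holds only for $q=0$, a sensor that never accepts an impostor; every real sensor has $q>0$, so the fallback arrangement is strictly weaker than the PIN code alone. Had both factors been required together, as a genuine multi-factor login does, the attacker would need to pass both:

$$P_{\mathrm{PIN}\,\land\,\mathrm{bio}} \;=\; pq \;\le\; \min(p,q) .$$

A fallback is an OR of authenticators; multi-factor is an AND. That difference is the whole of the house analogy.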
A related point is made in the draft NIST digital identity guidelines (*2), clause 5.2.3 Use
of Biometrics: because biometric comparison is probabilistic and biometric characteristics
are not secrets, biometrics are permitted only as one factor of a multi-factor authentication,
never as the sole authenticator. Where practicality then dictates a password as the recovery
mechanism for false rejections, the price is the larger attack surface described above.
Remark: Due respect should be paid to the value of biometric solutions as an effective
identification tool for physical security such as forensics and border control. Biometrics is a
good tool for identifying an individual; it is using it for identity authentication that is wrong.
[Figure: house (1) with a single entrance; house (2) with two entrances in parallel]
What about a password-less life?
Some might say “Not using any password at all is the way to kill the password dead”. Yes,
the password could then be killed entirely, but it would be criminals rather than us who
benefit from such a password-free cyberspace.
In a world without passwords to recall, i.e. where our identity is established without our
volitional participation, we could sleep safely only when alone in a firmly locked room (*3).
It would be a Utopia for criminals and a Dystopia for the rest of us.
However disliked, passwords as shared secrets are absolutely indispensable
Intuitive passwords
In view of the situation described above, intuitive password propositions are attracting
attention as an alternative to the unmanageable old passwords.
Well, how intuitive, secure and practicable are they?
Group 1 - Intuitive but insecure: With this group of solutions, authentication is completed
when we have picked out the mugshots of friends that were registered as the shared secret.
Comment: Using friends’ mugshots IMPLICITLY is fine, but using friends’ mugshots
EXPLICITLY is not: anyone who knows who your friends are can pick them out too. It would
only please criminals.
Group 2 - Not as intuitive as it appears: With this group of solutions, authentication is
completed when you have picked out the mugshots of people you had memorised as the
shared secret.
Comment: Using faces as one kind of object is fine, but using ONLY faces is not. Remembering
people’s faces is generally easier than remembering other static objects, but much less so
when those people are strangers to us. Actual trials show how easily we get lost or
confused.
The same applies to the dozens of simple pictorial/graphic/emoji passwords proposed here
and there, now and then.
Group 3 - Either insecure or impracticable: Patterns-on-grid belongs to this group;
authentication is completed when we have reproduced the pattern we had registered on a
grid.
Comment: Easy-to-remember patterns such as L, N, V, X, Z and their variants are well known
to criminals, while actual trials of hard-to-crack complicated patterns show that we get lost
or confused just as easily.
Then what else?
We are proposing the “Expanded Password System” (*4), designed to be intuitive and secure
at the same time by making the best use of our long-term memories, the so-called
episodic/autobiographical memories, and by careful design for confidentiality.
The approaches quoted above can all be deployed on the same platform as extra variations
if we so wish.
We can remember and recall only about 5 text passwords on average, not because of silliness
or laziness, but because of the cognitive phenomenon called "interference of memory".
Memories of numbers and letters, which carry very little information, suffer severe
interference, causing terrible confusion in what we remember, whereas memories of images
and pictures, and particularly the episodic/autobiographical memories that carry a great deal
of information together with emotional feeling, do not.
This indicates that we can manage passwords well beyond 5 or 10 when we make good use of
episodic image memories. They can thus make the optimal alternative to textual passwords,
provided we make sure that confidentiality is not lost.
Most humans are far better at dealing with image memories than text memories: the former
has a history of hundreds of millions of years, while the latter is still very new to us. What
merit is there in confining ourselves to the narrow corridor of text memories, now that CPUs
are fast enough, bandwidth broad enough, memory storage cheap enough, and cameras are
built into mobile devices?
The Expanded Password System includes textual as well as non-textual passwords. Users can
keep their textual passwords as before while expanding their password memory to include
non-textual passwords, without being impeded by the cognitive effect of “interference of
memory”. It is hard to imagine a user who would suffer any disadvantage or inconvenience
by taking up the Expanded Password System.
Being able to recall strong passwords is one thing; being able to recall which password goes
with which account is another. When a unique matrix of images is allocated to each account
in the Expanded Password System, the matrix itself tells you which images you could pick as
your password for that account. The Expanded Password System thus frees us from the
burden of managing the relations between accounts and their passwords.
Further Development - BCI, Blockchain & Quantum computing
BCI: We have been pondering the theme of a brain-computer interface for our Expanded
Password System for many years. We can already rely on
- clicking and tapping on images positioned at random
- typing the characters randomly allocated to images
We will easily be able to rely on
- eye-tracking of images positioned at random
- voice recognition of the characters randomly allocated to images
- voiceless-voice recognition of the same
and
- tapping secret signals on a pad on hearing sounds the user has registered (for blind
people)
- tapping signals on feeling a tactile sensation the user has registered (for blind and deaf
people)
All of the above can be achieved with off-the-shelf technologies. The next task is an
interface for people who cannot rely on any of the above. Here enters the possibility of
BCI/BMI.
Simple brain-monitoring of the user's eye-tracking has a security problem: the data, if
eavesdropped by criminals, can be replayed for impersonation straight away. The data
should therefore be randomized into disposable one-time data.
Our idea is that the authentication system allocates random characters to the images. The
user focuses attention on the characters shown on the registered images, and the monitoring
system collects the brain-generated one-time signal that responds to those characters. If
intercepted, the data would not let criminals impersonate the user, because it is one-time
and disposable. We are looking for BCI/BMI researchers who may be interested in
establishing that this idea is feasible in the real world.
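The one-time mapping described in the two paragraphs above, and the "typing the characters randomly allocated to images" mode listed earlier, as an added example that is not the Expanded Password System's own code: a Python model of a server that assigns a fresh random character to every cell of an image matrix for each login, a user who types the characters shown on the registered images, and a verifier that inverts the session mapping to recover the claimed images and compares a salted hash of that set with the stored verifier. The 6x6 matrix of image labels, the character set and the sample secret set are constructed for the illustration; per-account matrices are not modelled.

```python
import hashlib
import secrets
import string

# Constructed sample data: a 6x6 matrix of image labels standing in for pictures.
IMAGE_POOL = [f"img{i:02d}" for i in range(36)]
ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols, one per cell


def _digest(salt, images):
    # Canonical form: sorted labels, so the order the user types in does not matter.
    canonical = ",".join(sorted(images)).encode()
    return hashlib.sha256(salt + canonical).hexdigest()


def enroll(secret_images):
    """Server side: store a salted hash of the user's secret image set.
    The labels themselves are not stored, just as a password verifier
    stores a hash rather than the password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digest": _digest(salt, secret_images)}


def new_challenge(rng=secrets.SystemRandom()):
    """Server side: shuffle the matrix and give every cell a fresh random
    character. The mapping is disposable: it is valid for one login only."""
    cells = IMAGE_POOL[:]          # copy so the shuffle does not alter the pool
    rng.shuffle(cells)
    chars = list(ALPHABET)
    rng.shuffle(chars)
    return dict(zip(cells, chars))  # image label -> character shown on it


def respond(challenge, secret_images):
    """Client side (the user): read off the characters shown on the secret images."""
    return "".join(challenge[img] for img in secret_images)


def verify(record, challenge, response):
    """Server side: invert this session's mapping to find which images the
    typed characters point at, then compare against the stored verifier."""
    inverse = {char: img for img, char in challenge.items()}
    if len(response) != len(set(response)) or any(c not in inverse for c in response):
        return False                # repeated or unknown characters: malformed answer
    claimed = [inverse[c] for c in response]
    return secrets.compare_digest(_digest(record["salt"], claimed), record["digest"])


def demo():
    """Genuine login, replay of the captured answer against the next challenge,
    and a genuine answer to that next challenge. Returns (True, False, True)."""
    secret = ["img03", "img17", "img22", "img31"]   # the user's registered pictures
    record = enroll(secret)

    session1 = new_challenge()
    answer1 = respond(session1, secret)
    first_login = verify(record, session1, answer1)

    session2 = new_challenge()
    # A fresh mapping puts the very same characters on the secret cells with
    # probability 1/C(36,4); redraw in that rare case so the demo is deterministic.
    while sorted(respond(session2, secret)) == sorted(answer1):
        session2 = new_challenge()

    replayed = verify(record, session2, answer1)            # eavesdropper replays answer1
    genuine = verify(record, session2, respond(session2, secret))
    return first_login, replayed, genuine


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Running the block prints (True, False, True): the genuine answer is accepted, the same answer replayed against the next challenge is rejected because its characters now point at different images, and a fresh answer to the new challenge is accepted again. Two caveats a practitioner would add to this toy: with only C(36,4) = 58,905 possible four-image sets a plain SHA-256 verifier is brute-forceable offline, so a real deployment needs a slow password hash and a larger matrix; and the one-time characters defeat replay, not repeated observation, since an attacker who records several challenge/answer pairs can intersect the images they point at and recover the static secret set.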
Blockchain: Also on the agenda is a scheme for deploying the Expanded Password System on
a blockchain platform, or something similar to it, for single-sign-on services and online
password management services. As a matter of fact this concept has been with us for 13
years: it was in 2003 that we first talked about the possibility of online authentication on a
PKI-based P2P platform.
Quantum computing: Encryption can protect data no better than the identity verification of
the people who handle the encrypted data, and identity verification can be no stronger than
the encryption that protects the verification process. The arrival of quantum computing
could therefore be a very serious threat not only to encryption itself but also to identity
assurance. We are keen to get in touch with people working on quantum-resistant encryption.
In Conclusion
Users of biometric products are advised that, if you are security-conscious, you should turn
off the biometrics wherever a password login is provided as a fallback. Password-only
authentication is more secure. Keep the biometrics with its fallback password activated only
where you are happy with "below-password-only" security in exchange for convenience.
Instead, you could look to the intuitive password solution offered by our Expanded Password
System. Using images of beloved people, pets and familiar objects could help you feel
comfortable, relaxed and healed.
The torturous login we have had to suffer for many decades will be history. And this bonus
comes on top of the better balance of security and convenience made possible by the
Expanded Password System (*5).
Hitoshi Kokumai
President, Mnemonic Security, Inc.
- Hitoshi Kokumai is the inventor of the Expanded Password System, which enables people to
make use of episodic image memories for intuitive and secure identity authentication.
He has been raising the issue of the wrong usage of biometrics with passwords, and the false
sense of security it brings, for 15 years.
- Mnemonic Security Inc. was founded in 2001 by Hitoshi Kokumai to promote the
Expanded Password System. "Mnemonic" and "Mneme" in the company name and logo imply
that our identity must be protected with our own memory. Following pilot-scale operations
in Japan, it is currently searching for a location for its global headquarters.
<Reference>
*1 Video: Apple vs FBI over Backdoor
https://youtu.be/5e2oHZccMe4 (2m40s)
*2 Draft: NIST Special Publication 800-63B Digital Identity Guidelines
https://pages.nist.gov/800-63-3/sp800-63b.html
*3 Picture: Little Girl Finds Security Flaw in iPhone 5S Fingerprint Scanner
http://mashable.com/2013/09/11/girl-fingerprint-scanner/
*4 Slides: Expanded Password System (10 pages)
https://www.slideshare.net/HitoshiKokumai/password-fatigue-and-expanded-password-system?qid=2c528aa5-bd4c-4ac9-a64b-029562962b78&v=&b=&from_search=2
*5 Whitepaper: Identity Assurance & Expanded Password System
https://www.linkedin.com/pulse/identity-assurance-expanded-password-system-v4-hitoshi-kokumai?trk=mp-reader-card