Slide 1
Identity Assurance by
Our Own Volition and Memory
The safety of our cyber life depends on identity assurance
which in turn relies on remembered passwords
Hitoshi Kokumai
President, Mnemonic Security, Inc.
kokumai@mneme.co.jp
Enabling
Self-Sovereign Identity
30/Oct/2018
Our identity as human being is made of our autobiographic memory
Hello,
I am Hitoshi Kokumai, advocate of ‘Identity Assurance by Our Own Volition and
Memory’. I’ve been promoting this principle for 17 years now.
And, this principle now makes the foundation for the emerging concept of
Self-Sovereign Identity.
However, this principle would be a pipe dream if it is not supported by a practicable
means of identity authentication that is secure and yet stress-free, desirably giving us
joy and fun.
Slide 2
The problem: passwords could work
– but they need help
Passwords are
Hard to manage
And yet, absolutely necessary
Identity theft and security
breaches are proliferating
A critical problem requiring
urgent practical solutions
We have a big headache. Passwords are hard to manage, and yet, the passwords
are absolutely necessary. Why?
That’s because democracy would be lost where the password was lost and we were
deprived of the chances and means of getting our own volition confirmed in having
our identity authenticated. When authentication happens without our knowledge or
against our will, it is a 1984-like Dystopia.
It seems that the word ‘password’ is poly-semantic and context-dependent.
Sometimes it’s narrowly interpreted as ‘remembered text password’ and sometimes
it’s taken broadly as ‘whatever we remember for authentication’. Please interpret this
word ‘password’ from the context in my presentation as well.
Identity theft and security breaches are proliferating. This critical problem requires
urgent practical solutions.
Slide 3
There are several known pictures in the matrix.
I can easily find all of them right away.
Only I can select all of them correctly.
Expanded Password System
Broader choices: images AND characters
Torturous login is history. Login is now comfortable, relaxing and healing.
Easy to manage relations between accounts and corresponding passwords.
Our proposition is Expanded Password System. In the matrix, there are several
KNOWN images. I can easily find all of them right away.
Or, rather, the KNOWN images jump into my eye. And, only I can select all of
them correctly.
We can use both images and characters. It’s easy to manage the relation between
accounts and the corresponding passwords. Torturous login is history. It’s now
comfortable and even fun. I’ll talk more about these points later.
Slide 4
A Fun Way to Enhance Your Passwords
A fun first step
• Get the images in your password matrix registered. It’s easy.
Huge Improvement
• Password fatigue alleviated for all
• Better security for password-managers and SSO services
• Even better security for two/multi-factor authentications
• Less vulnerable security for biometric products
Backward-Compatible
• Nothing lost for users who wish to keep using text passwords.
Indispensable though unloved. Passwords could be both secure and stress-free.
It’s a fun way to enhance your passwords. Get the images in your matrix
registered. It’s easy.
People who enjoy handling images will gain both better security and better
convenience. The only extra effort required is to get these images registered;
but people already do that across social media platforms and seem to love it.
Then, huge improvement. Password fatigue would be alleviated for all.
Better security for password managers and single-sign-on services. Even better
security for multi-factor authentications. Less vulnerable security for biometrics.
And it’s backward-compatible. Nothing would be lost for the people who wish
to keep using text passwords.
Slide 5
We Need a Broader Choice
If only text and # are OK, it’s a steep climb …
【Text Mode】 to memorize text/number passwords (e.g. 3UVB9KUW): recall the remembered password. Low memory ceiling.
【Graphics Mode】 to lighten the load of text passwords: recognize the pictures remembered in stories. High memory ceiling.
【Original Picture Mode】 to make use of memorized images: recognize the unforgettable pictures of episodic memories. Very high memory ceiling.
Think of all those ladders you have to climb in Donkey Kong ;-)
Shall we have a bit closer look at what it offers?
So far, only texts have been accepted. It was, as it were, as if we had no choice
but to walk up a long steep staircase. With Expanded Password System, we
could imagine a situation where escalators and elevators are provided along with
the staircase. Or, some of us could think of all those ladders we have to
climb in Donkey Kong.
Where we want to continue to use textual passwords, we could opt to recall the
remembered passwords, although the memory ceiling is very low. Most of us can
manage only up to several of them.
We could opt to recognize the pictures remembered in stories where we want to
reduce the burden of textual passwords. The memory ceiling is high, say, we
would be able to manage more and more of them.
Where we choose to make use of episodic image memory, we would only need to
recognize the unforgettable images, say, KNOWN images. There is virtually
no memory ceiling, that is, we would be able to manage as many passwords as
we like, without any extra efforts.
Slide 6
Volition and Memory
(1) Volition of the User
– with Self-Determination
(2) Practicability of the Means
– for Use by Homo sapiens
(3) Confidentiality of the Credentials
– by ‘Secret’ as against ‘Unique’
We are of the belief that there must be three prerequisites for identity
assurance.
First of all, identity assurance with NO confirmation of the user’s volition would
lead to a world where criminals and tyrants dominate citizens. Democracy would
be dead where our volition was not involved in our identity assurance. We must
be against any attempts to do without what we remember, recall, recognize and feed
to login volitionally.
Secondly, mathematical strength of a security means makes sense so long as the
means is practicable for us Homo sapiens. A big cake could be appreciated only
if it’s edible.
Thirdly, being ‘unique’ is different from being ‘secret’. ‘Passwords’ must not be
displaced by the likes of ‘User ID’. I mean, we should be very careful when using
biometrics for the purpose of identity authentication, although we don’t see so
big a problem when using biometrics for the purpose of personal identification.
Identification is to give an answer to the question of “Who are they?”, whereas
authentication is to give the answer to the question of “Are they the persons who claim
to be?” Authentication and identification belong to totally different domains.
Slide 7
What’s New?
The idea of using pictures has been around for two decades.
New is encouraging people to make use of episodic image memories.
80-second video YouTube
Keyword – Smallest Interference of Memory
The idea of using pictures for passwords is not new. It’s been around for more
than two decades but the simple forms of pictorial passwords were not as useful
as had been expected. UNKNOWN pictures we manage to remember afresh are
still easy to forget or get confused, if not as badly as random alphanumeric
characters.
Expanded Password System is new in that it offers a choice to make use of KNOWN
images that are associated with our autobiographic/episodic memories. Please
have a look at this 80-second video.
Since these images are the least subject to the INTERFERENCE of MEMORY, it
enables us to manage dozens of unique strong passwords without reusing the
same password across many accounts or carrying around a memo with
passwords on it.
And, handling memorable images makes us feel comfortable, relaxed and even
healed.
Slide 8
Isn’t Episodic Memory Changeable?
We know that episodic memories can change easily.
… But that doesn’t matter for authentication. It could even help.
It’s known that episodic memories are easily changeable.
What we remember as our experience may have been transformed and not
objectively factual. But it would not matter for Expanded Password System.
What we subjectively remember as our episodic memory could suffice.
From confidentiality’s point of view, it could be even better than objectively
factual memories since no clues are given to attackers.
Slide 9
What about Entropy?
A password like ‘CBA123’ is absurdly weak.
What if ‘C’ as an image gets presented by something like ‘X4s&eI0w’?
What if ‘X4s&eI0wdoex7RVb%9Ub3mJvk’ instead of ‘CBA123’ gets hashed?
Generally speaking, hard-to-break passwords are hard-to-remember. But it’s not
the fate of what we remember.
It would be easily possible to safely manage many high-entropy passwords
with Expanded Password System that handles characters as images.
Each image or character is represented by the image identifier data, which can be
of any length.
Assume that your password is “CBA123” and that the image ‘C’ is identified as
X4s&eI0w, and so on.
When you input CBA123, the authentication data that the server receives is not
the easy-to-break “CBA123”, but something like “X4s&eI0wdoex7RVb%9Ub3mJvk”,
which could be automatically altered periodically or at each access where
desired.
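The expansion step described above, written out as an added example (this is not Mnemonic Security’s code; the identifiers for C, B and A are the ones quoted on the slide, the identifiers for the digits and the PBKDF2 choice are assumptions made here). The server keeps an identifier table for the user’s matrix, expands the submitted selection before hashing it, stores only a salt and a verifier, and reissues identifiers at a successful login, which is the moment the submitted selection is still in hand and the verifier can be re-derived:

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed identifier table for the example: the entries for C, B and A are the
# ones quoted on the slide; the entries for 1, 2 and 3 are made up here.
IMAGE_IDS = {
    "C": "X4s&eI0w",
    "B": "doex7RVb",
    "A": "%9Ub3mJvk",
    "1": "qL2#pZ7d",
    "2": "8fTg^m1R",
    "3": "Wn5@cH7e",
}

ID_ALPHABET = string.ascii_letters + string.digits + "!#$%&@^"


def expand(selection, table):
    """Replace each selected image/character by its identifier, in order.
    'CBA123' therefore becomes a much longer string before it is hashed."""
    return "".join(table[item] for item in selection)


def derive_verifier(auth_data, salt, iterations=200_000):
    """Slow, salted hash of the expanded authentication data (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", auth_data.encode("utf-8"), salt, iterations)


def enroll(selection, table):
    """Store only a salt and a verifier, never the selection or the expanded string."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive_verifier(expand(selection, table), salt)}


def verify(record, selection, table):
    """Recompute the verifier and compare it in constant time."""
    try:
        candidate = derive_verifier(expand(selection, table), record["salt"])
    except KeyError:  # a submitted item that is not in the user's matrix
        return False
    return hmac.compare_digest(candidate, record["verifier"])


def rotate_identifiers(table, length=8):
    """Issue fresh random identifiers for every image in the matrix."""
    return {item: "".join(secrets.choice(ID_ALPHABET) for _ in range(length))
            for item in table}


def login_and_rotate(record, selection, table):
    """Verify, then reissue identifiers and re-derive the verifier while the
    submitted selection is still known (the slide's 'altered at each access').
    Returns (ok, new_record, new_table)."""
    if not verify(record, selection, table):
        return False, record, table
    new_table = rotate_identifiers(table)
    return True, enroll(selection, new_table), new_table
```

One point worth keeping in mind when reading this: the identifier table lives on the server, so against someone who obtains both the stored verifier and the table, the space to be searched is still the set of possible selections; what the expansion buys is that a leaked verifier on its own no longer corresponds to a short, guessable string, and that the identifiers can be reissued without the user changing what they remember.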
Slide 10
Relation of Accounts & Passwords
[Image matrices shown for Account A, Account B, Account C, Account D, Accounts E, F, G, H, I, J, K, L …]
• Unique matrices of images allocated to different accounts.
• At a glance you will immediately realize what images you should pick up as your passwords for this or that account.
Being able to recall strong passwords is one thing. Being able to recall the relation
between accounts and the corresponding passwords is another.
When unique matrices of images are allocated to different accounts, those
unique image matrices will be telling you what images you should pick up as
your password for this or that account.
When using images of our episodic memories, the Expanded Password System will thus
free us from the burden of managing the relation between accounts and the
corresponding passwords.
Slide 11
In the Field: Identity Assurance in Emergencies
Practicable with both hands busy? In panic? With injuries? With protection gear on?
Seizure of memos, devices, tokens. Seizure of body features.
Disaster Recovery: Cards and tokens possessed? Biometrics practicable?
Even in severe panic, we can quickly recognize unforgettable images of episodic memories.
How can we login reliably in a panicky situation?
Do we assume that people never forget to possess cards and tokens?
Do we assume that biometrics is practicable for injured or panicked people?
Do we assume that panicked people can recall strong text passwords right away?
It’s the obligation of the democratic societies to provide the citizens with identity
authentication measures that are practicable in these emergencies. Using
unforgettable images WILL help.
Slide 12
Competition or Opportunity
Biometrics? Passwords required as a backup means: Opportunity.
Password-managers, single-sign-on service? Passwords required as the master-password: Opportunity.
Two/multi-factor authentication? Passwords required as one of the factors: Opportunity.
Pattern-on-grid, emoji, conventional picture passwords? Deployable on our platform: Opportunity.
What can be thought of as competition to Expanded Password System?
Biometrics requires passwords as a fallback means.
Password-managers and single-sign-on services require passwords as the
master-password.
Multi-factor authentications require passwords as one of the factors.
Pattern-on-grid, conventional picture passwords and emoji-passwords can all be
deployed on our platform.
So, competition could be thinkable only among the different products of
Expanded Password System.
By the way, some people claim that PIN can eliminate passwords, but logic dictates that
it can never happen since PIN is no more than the weakest form of numbers-only
password. Neither can Passphrase, which is no more than a long password.
There are also some people who talk about the likes of PKI and onetime passwords as
an alternative to passwords. But it is like talking about a weak door and proposing to
enhance the door panel as an alternative to enhancing the lock and key.
Slide 13
Unlimited Use Cases
Client Software for: Device Login, Applications Login, Image-to-Code Conversion
Server Software for: Online-Access, 2-Factor Scheme, Open ID Compatible
Data Encryption Software with on-the-fly key generation: Single & Distributed Authority
Applications of Expanded Password System will be found
Wherever people have been using the text passwords and numerical PINS,
Wherever people need a means of identity authentication even if we still do not
know what it will be.
Slide 14
OASIS Open Projects
• Proposition of Expanded Password System at ‘Draft Proposal’ stage
• With 56 individual participants
• Going to secure some more participants, corporate members in particular
The proposition of Expanded Password System that drastically alleviates the password
fatigue is now acknowledged as a ‘Draft Proposal’ for OASIS Open Projects
that OASIS has recently launched as a new standardization program. We have
publicized a draft specification of Expanded Password System there.
We are going to secure some more participants, corporate members in particular,
who are looking for blue-ocean business opportunities in the expanding domain
of identity assurance in cyberspace.
Slide 15
How We Position Our Proposition
We make identity authentication schemes better by leveraging the time-honored tradition of seals and autographs.
The underpinning principle of Expanded Password System will not go away so long as people want our own volition and memory to remain involved in identity authentication.
Starting with the perception that our continuous identity as human being is made of
our autobiographic memory, we are making identity authentication schemes better
by leveraging the time-honored tradition of seals and autographs.
The underpinning principle of Expanded Password System shall not go away so
long as people want our own volition and memory to remain involved in identity
assurance.
Slide 16
Some More Topics about
Identity
• Isn’t Biometrics killing Passwords?
• Brain-Machine-Interface
• 2-Factor Expanded Password System
• No-Cost 2-Factor Authentication
Well, let me talk about some more topics related to digital identity. They are
Biometrics supposed to kill passwords
Two-factor authentication built on 2 kinds of passwords
And, the concept of Expanded Password System applied to BMI.
Slide 17
Isn’t Biometrics killing
Passwords?
Fact 1: Biometrics used with a fallback password brings down
the security that the password has provided.
30-second Video YouTube
Specifically, old iPhones with PINCODE only were safer than
newer iPhones featuring TouchID and FaceID. What has
improved is convenience, not security.
Fact 2: Biometrics dependent on a password as a fallback
means cannot kill the password dead.
Fact 3: A false acceptance rate does not make sense unless it
comes with the corresponding false rejection rate.
Every time I speak about Expanded Password System, I am flooded with this
question. My answer is:
Biometrics used with a fallback password brings down the security that the
password has so far provided as outlined in this 30-second video.
Specifically, old iPhones with PINCODE only were safer than newer iPhones
featuring TouchID and FaceID. What has improved is convenience obtained at
the sacrifice of security.
In any case, biometrics that is dependent on a password as a fallback measure can
by NO means kill the password. It’s logically obvious.
By the way, a false acceptance rate makes sense only when it comes with the
corresponding false rejection rate. I don’t understand why biometrics vendors
don’t publicize both of the two simultaneously.
Slide 18
Brain-Machine-Interface
A simple brain-monitoring is vulnerable to wiretapping.
Random numbers or characters allocated to the images.
Ask the users to focus their attention on the numbers or characters given to the registered images.
The monitoring system will then collect the brain-generated onetime signal corresponding to these numbers or characters.
A simple brain-monitoring has a problem in terms of security. The data, if
wiretapped by criminals, can be replayed for impersonation straight away.
Therefore the data should be randomized as onetime disposable ones.
An idea is that the authentication system allocates random numbers or
characters to the images shown to the users. The users focus their attention on
the numbers or characters given to the images they had registered.
The monitoring system will collect the brain-generated onetime signals
corresponding to the registered images. Incidentally, the channel for showing the
pictures is supposed to be separate from the channel for brain-monitoring.
Even if they intercept successfully, criminals would be unable to impersonate the users
because the intercepted data are onetime and disposable.
Slide 19
2-Factor Expanded Password System
Conventional 2-factor authentication systems are
effective only against abuse of the device/phone.
2-factor Expanded Password System enables the user to produce a
onetime identity authentication data, i.e., a real onetime password.
Some people say that using physical tokens is more secure than using phones for
receiving onetime code by SMS. If it is the case, the use of physical tokens brings its
own headache. What shall we do if we have dozens of accounts that require the
protection by two/multi-factor schemes?
Carrying around a bunch of dozens of physical tokens? Or, re-using the same tokens
across dozens of accounts? The former would be too cumbersome and too easily
attract attention of bad guys, while the latter would be very convenient but brings the
likes of a single point of failure. We have a third proposition.
A matrix of the images, to which random onetime numbers or characters are allocated,
is shown to the users through a mobile device, as in the use case of BMI mentioned a
minute ago.
Users who recognize the registered images will feed the numbers or characters given to
those images on a main device. From those onetime data, the authentication server
will tell the images that the user had registered.
What is needed at the users’ end is only browser software. Then, we do not depend on
the vulnerable onetime code sent through SMS, and a single phone can readily cope
with dozens of accounts.
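The exchange described on slides 18 and 19, as an added example that is not part of the original presentation or of Mnemonic Security’s software: the server allocates a fresh random code to every image in the matrix for each login, the mapping is what the second device (or the BMI display) shows, the user returns only the codes beside the images they registered, and the server maps those codes back to images and consumes the challenge so that an intercepted response cannot be replayed. Four-digit codes, the image names and the challenge bookkeeping are assumptions made here.

```python
import secrets
import string

CODE_ALPHABET = string.digits  # codes displayed beside each image (constructed choice)
CODE_LENGTH = 4


class OnetimeImageAuthenticator:
    """Server side: per login, allocate a random onetime code to every image in the
    matrix, accept the codes of the registered images back, map them to images."""

    def __init__(self):
        self.registered = {}  # user -> frozenset of registered image ids
        self.challenges = {}  # challenge id -> (user, {code: image id})

    def register(self, user, images):
        self.registered[user] = frozenset(images)

    def issue_challenge(self, user, matrix):
        """Allocate distinct codes to the images of the matrix (registered images
        plus decoys). Returns (challenge_id, {image: code}); the mapping is what is
        shown to the user, over a channel separate from the one the codes come back on."""
        if not self.registered[user] <= set(matrix):
            raise ValueError("matrix must contain every registered image")
        image_to_code = {}
        used = set()
        for image in matrix:
            code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            while code in used:  # codes must be unambiguous within one challenge
                code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            used.add(code)
            image_to_code[image] = code
        challenge_id = secrets.token_hex(8)
        self.challenges[challenge_id] = (
            user, {code: image for image, code in image_to_code.items()})
        return challenge_id, image_to_code

    def verify(self, challenge_id, user, submitted_codes):
        """Consume the challenge whether or not it succeeds, then check that the
        submitted codes map to exactly the user's registered image set."""
        entry = self.challenges.pop(challenge_id, None)
        if entry is None:  # unknown or already used: a replay fails here
            return False
        owner, code_to_image = entry
        if owner != user or len(set(submitted_codes)) != len(submitted_codes):
            return False
        chosen = frozenset(code_to_image.get(code) for code in submitted_codes)
        return None not in chosen and chosen == self.registered[user]


def client_respond(image_to_code, known_images):
    """What the user does on the main device: read off the codes beside the images
    they recognise and type those codes in."""
    return [image_to_code[image] for image in image_to_code if image in known_images]
```

Because the mapping from codes to images is drawn afresh for every challenge, the codes typed at one login say nothing about the next one, which is the property the presentation calls a real onetime password; the number of decoy images in the matrix and the code length together set how hard a blind guess is.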
Slide 20
No-Cost 2-Factor Authentication
Factor 1 – Password Remembered (what we know/remember)
Factor 2 – Password Written Down or Physically Stored (what we have/possess)
Effect – A ‘boring legacy password system’ turning into a no-cost light-duty two-factor authentication system made of ‘what we know’ and ‘what we have’.
A very strong password supposed to not be remembered and written down on a
memo should be viewed as 'what we have', definitely not 'what we remember',
so it could be used as one of the two factors along with a remembered
password.
We could then turn a boring legacy password system into a two-factor
authentication system at no cost, just by verifying two passwords at a time,
one volitionally recalled and the other one physically possessed.
When those two different passwords are used as two factors, we could rely on the
strength of a remembered password against physical theft and the strength of a
physically possessed long password against brute force attack, although it is not as
strong against wiretapping as token-based solutions armed with PKI or Onetime
Password.
This could be viewed just as a thought experiment or could actually be considered
for practical application in between a single factor authentication and a costly
heavily-armored 2-factor scheme, or, as a transition from the former to the latter.
It goes without saying that Expanded Password System could be brought in for a good
remembered password.
Slide 21 Wrap-Up
Expanded Password System that drastically alleviates the password fatigue is
supportive of
- Biometrics that require passwords as a fallback means against false rejection
- Two/multi-factor authentications that require passwords as one of the factors
- ID federations such as password managers and single-sign-on services that require
passwords as the master-password
- Simple pictorial/emoji-passwords and patterns-on-grid that can all be deployed on our
platform
* All with the effects that handling memorable images makes us feel pleasant and
relaxed
Furthermore,
- Nothing would be lost for the people who want to keep using textual passwords
- It enables us to turn a low-entropy password into a high-entropy authentication data
- It is easy to manage the relation between accounts and the corresponding passwords
- Lastly but not the least, it is democracy-compatible by way of providing the chances
and means to get our own volition confirmed in our identity assurance.
* It is the obligation of democratic societies to provide citizens with the choice to adopt a
secure and yet stress-free identity authentication means that is practicable in any
circumstances, panicky situations in emergencies in particular.
Slide 22
As such, there exists a secure and yet stress-free means of democracy-compatible identity authentication.
That is Expanded Password System.
Thank You
Hitoshi Kokumai
President, Mnemonic Security, Inc.
kokumai@mneme.co.jp
As such, there exists a secure and yet stress-free means of democracy-compatible
identity authentication. That is Expanded Password System.
I would be happy if you will keep this in mind as one of the takeaways from this
conference.
-----------------------
If you have questions, feel free to catch me whenever you find me.
Thank you very much for your time.
Presentation with Scripts at CIWEU2018

  • 1. スライド 1 Identity Assurance by Our Own Volition and Memory The safety of our cyber life depends on identity assurance which in turn relies on remembered passwords Hitoshi Kokumai President, Mnemonic Security, Inc. kokumai@mneme.co.jp Enabling Self-Sovereign Identity 30/Oct/2018 Our identity as human being is made of our autobiographic memory Hello, I am Hitoshi Kokumai, advocate of ‘Identity Assurance by Our Own Volition and Memory’. I’ve been promoting this principle for 17 years now. And, this principle now makes the foundation for the emerging concept of Self-Sovereign Identity. However, this principle would be a pipe dream if it is not supported by a practicable means of identity authentication that is secure and yet stress-free, desirably giving us joy and fun.
  • 2. Slide 2: The problem: passwords could work, but they need help. Passwords are hard to manage, and yet absolutely necessary. Identity theft and security breaches are proliferating: a critical problem requiring urgent practical solutions.
  We have a big headache. Passwords are hard to manage, and yet passwords are absolutely necessary. Why? Because democracy would be lost where the password was lost and we were deprived of the chances and means of getting our own volition confirmed in having our identity authenticated. When authentication happens without our knowledge or against our will, it is a 1984-like dystopia. The word ‘password’ is poly-semantic and context-dependent. Sometimes it is narrowly interpreted as ‘remembered text password’ and sometimes it is taken broadly as ‘whatever we remember for authentication’. Please interpret the word ‘password’ from the context in my presentation as well. Identity theft and security breaches are proliferating. This critical problem requires urgent practical solutions.
  • 3. Slide 3: Expanded Password System. There are several known pictures in the matrix. I can easily find all of them right away. Only I can select all of them correctly. Broader choices: images AND characters. Torturous login is history; login is now comfortable, relaxing and healing. Easy to manage relations between accounts and corresponding passwords.
  Our proposition is Expanded Password System. In the matrix, there are several KNOWN images. I can easily find all of them right away; or rather, the KNOWN images jump into my eye. And only I can select all of them correctly. We can use both images and characters. It's easy to manage the relation between accounts and the corresponding passwords. Torturous login is history. It's now comfortable and even fun. I'll talk more about these points later.
  • 4. Slide 4: A Fun Way to Enhance Your Passwords. A fun first step: get the images in your password matrix registered; it's easy. Huge improvement: password fatigue alleviated for all; better security for password managers and SSO services; even better security for two/multi-factor authentication; less vulnerable security for biometric products. Backward-compatible: nothing lost for users who wish to keep using text passwords.
  Indispensable though unloved, passwords could be both secure and stress-free. It's a fun way to enhance your passwords. Get the images in your matrix registered. It's easy. People who enjoy handling images will gain both better security and better convenience. The only extra effort required is to get these images registered, but people already do that across social media platforms and seem to love it. Then, huge improvement. Password fatigue would be alleviated for all. Better security for password managers and single-sign-on services. Even better security for multi-factor authentication. Less vulnerable security for biometrics. And it's backward-compatible: nothing would be lost for the people who wish to keep using text passwords.
  • 5. Slide 5: We Need a Broader Choice. If only text and numbers are OK, it's a steep climb to memorize text/number passwords (think of all those ladders you have to climb in Donkey Kong). Three modes:
  - Text Mode: recall the remembered password (e.g. 3UVB9KUW). Low memory ceiling.
  - Graphics Mode: recognize the pictures remembered in stories, to lighten the load of text passwords. High memory ceiling.
  - Original Picture Mode: recognize the unforgettable pictures of episodic memories. Very high memory ceiling.
  Shall we have a bit closer look at what it offers? So far, only text has been accepted. It was, as it were, as if we had no choice but to walk up a long steep staircase. With Expanded Password System, we could imagine a situation where escalators and elevators are provided along with the staircase. Or some of us could think of all those ladders we have to climb in Donkey Kong. Where we want to continue to use textual passwords, we could opt to recall the remembered passwords, although the memory ceiling is very low; most of us can manage only up to several of them. We could opt to recognize the pictures remembered in stories where we want to reduce the burden of textual passwords. The memory ceiling is high, that is, we would be able to manage more and more of them. Where we choose to make use of episodic image memory, we would only need to recognize the unforgettable images, that is, KNOWN images. There is virtually no memory ceiling; we would be able to manage as many passwords as we like, without any extra effort.
  • 6. Slide 6: Volition and Memory. (1) Volition of the user, with self-determination. (2) Practicability of the means, for use by Homo sapiens. (3) Confidentiality of the credentials, by ‘secret’ as against ‘unique’.
  We are of the belief that there must be three prerequisites for identity assurance. First of all, identity assurance with NO confirmation of the user's volition would lead to a world where criminals and tyrants dominate citizens. Democracy would be dead where our volition was not involved in our identity assurance. We must be against any attempts to do without what we remember, recall, recognize and feed to login volitionally. Secondly, the mathematical strength of a security means makes sense only so long as the means is practicable for us Homo sapiens. A big cake can be appreciated only if it's edible. Thirdly, being ‘unique’ is different from being ‘secret’. ‘Passwords’ must not be displaced by the likes of ‘User ID’. I mean, we should be very careful when using biometrics for the purpose of identity authentication, although we don't see so big a problem when using biometrics for the purpose of personal identification. Identification answers the question “Who are they?”, whereas authentication answers the question “Are they the persons they claim to be?” Authentication and identification belong to totally different domains.
  • 7. Slide 7: What's New? The idea of using pictures has been around for two decades. New is encouraging people to make use of episodic image memories. 80-second video on YouTube, keyword: Smallest Interference of Memory.
  The idea of using pictures for passwords is not new. It's been around for more than two decades, but the simple forms of pictorial passwords were not as useful as had been expected. UNKNOWN pictures we manage to remember afresh are still easy to forget or get confused, if not as badly as random alphanumeric characters. Expanded Password System is new in that it offers a choice to make use of KNOWN images that are associated with our autobiographic/episodic memories. Please have a look at this 80-second video. Since these images are the least subject to the INTERFERENCE of MEMORY, it enables us to manage dozens of unique strong passwords without reusing the same password across many accounts or carrying around a memo with passwords on it. And handling memorable images makes us feel comfortable, relaxed and even healed.
  • 8. Slide 8: Isn't Episodic Memory Changeable? We know that episodic memories can change easily. But that doesn't matter for authentication. It could even help.
  It's known that episodic memories are easily changeable. What we remember as our experience may have been transformed and may not be objectively factual. But it would not matter for Expanded Password System. What we subjectively remember as our episodic memory suffices. From confidentiality's point of view, it could be even better than objectively factual memories, since no clues are given to attackers.
  • 9. Slide 9: What about Entropy? A password like ‘CBA123’ is absurdly weak. What if ‘C’ as an image gets represented by something like ‘X4s&eI0w’? What if ‘X4s&eI0wdoex7RVb%9Ub3mJvk’ instead of ‘CBA123’ gets hashed?
  Generally speaking, hard-to-break passwords are hard to remember. But that is not the fate of what we remember. It would be easily possible to safely manage many high-entropy passwords with Expanded Password System, which handles characters as images. Each image or character is represented by image identifier data, which can be of any length. Assume that your password is “CBA123” and that the image ‘C’ is identified as X4s&eI0w, and so on. When you input CBA123, the authentication data that the server receives is not the easy-to-break “CBA123” but something like “X4s&eI0wdoex7RVb%9Ub3mJvk”, which could be automatically altered periodically or at each access where desired.
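  The image-to-code conversion described on this slide, as an added worked example (editor's illustration, not the Expanded Password System's own code or data format). The 36-cell matrix, the identifier alphabet, the 8-character identifier length and all function names are assumptions made for the example. It also carries the caveat a practitioner will want: the entropy gain holds only against an attacker who does not possess the image-to-identifier table; an attacker holding both the stored hash and the table is back to enumerating picks from the matrix.

```python
import hashlib
import hmac
import secrets

# Constructed example data (not the product's real format): identifiers are
# random strings over this 65-symbol alphabet, 8 symbols per image.
IDENT_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "abcdefghijklmnopqrstuvwxyz"
                  "0123456789!%&")
IDENT_LEN = 8
MATRIX = list("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")   # 36 cells, labels only


def new_identifier_table(cells=MATRIX):
    """Allocate a fresh random identifier to every cell of the matrix.
    The table lives on the verifier; the user never sees or types it."""
    return {cell: "".join(secrets.choice(IDENT_ALPHABET) for _ in range(IDENT_LEN))
            for cell in cells}


def expand(selection, table):
    """Image-to-code conversion: 'CBA123' -> 'X4s&eI0w...' (48 symbols here)."""
    return "".join(table[cell] for cell in selection)


def derive(expanded, salt):
    """Slow, salted hash of the expanded string; only this value is stored."""
    return hashlib.pbkdf2_hmac("sha256", expanded.encode(), salt, 100_000)


def register(selection, table):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": derive(expand(selection, table), salt)}


def verify(selection, table, record):
    candidate = derive(expand(selection, table), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])   # constant-time


def rotate_on_login(selection, record, table):
    """After a successful login the verifier can re-key the table and re-derive
    the stored hash, so the authentication data changes at each access without
    the user re-registering any images."""
    if not verify(selection, table, record):
        raise ValueError("rotate only after a successful verification")
    new_table = new_identifier_table(table.keys())
    return new_table, register(selection, new_table)


def guess_space(table, selection_len, attacker_has_table):
    """Caveat: the enlarged search space exists only for an attacker who lacks
    the identifier table. With table and hash in hand, the attacker enumerates
    ordered picks from the matrix (36**6 for 'CBA123'), exactly as before."""
    if attacker_has_table:
        return len(table) ** selection_len
    return len(IDENT_ALPHABET) ** (IDENT_LEN * selection_len)


if __name__ == "__main__":
    table = new_identifier_table()
    rec = register("CBA123", table)
    print(verify("CBA123", table, rec), verify("CBA124", table, rec))
    print(guess_space(table, 6, True), guess_space(table, 6, False))
```

  The practical consequence of `guess_space` is that the identifier table must be protected at least as well as the hash itself (separate store, or encrypted under a key the database does not hold); otherwise a database breach collapses the scheme to the strength of the six-cell selection.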
  • 10. Slide 10: Relation of Accounts and Passwords. Account A, Account B, Account C, Account D, Accounts E, F, G, H, I, J, K, L, ... Unique matrices of images allocated to different accounts. At a glance you will immediately realize what images you should pick as your passwords for this or that account.
  Being able to recall strong passwords is one thing. Being able to recall the relation between accounts and the corresponding passwords is another. When unique matrices of images are allocated to different accounts, those unique image matrices will be telling you what images you should pick as your password for this or that account. When using images of our episodic memories, the Expanded Password System will thus free us from the burden of managing the relation between accounts and the corresponding passwords.
  • 11. Slide 11: Identity Assurance in Emergencies. In the field: practicable with both hands busy? In panic? With injuries? With protection gear on? Seizure of memos, devices, tokens; seizure of body features. Disaster recovery: cards and tokens possessed? Biometrics practicable? Even in severe panic, we can quickly recognize unforgettable images of episodic memories.
  How can we log in reliably in a panicky situation? Do we assume that people never forget to carry cards and tokens? Do we assume that biometrics is practicable for injured or panicked people? Do we assume that panicked people can recall strong text passwords right away? It's the obligation of democratic societies to provide citizens with identity authentication measures that are practicable in these emergencies. Using unforgettable images WILL help.
  • 12. Slide 12: Competition or Opportunity. Biometrics? Passwords required as a backup means: opportunity. Two/multi-factor authentication? Passwords required as one of the factors: opportunity. Password managers, single-sign-on services? Passwords required as the master password: opportunity. Pattern-on-grid, emoji, conventional picture passwords? Deployable on our platform: opportunity.
  What can be thought of as competition to Expanded Password System? Biometrics requires passwords as a fallback means. Password managers and single-sign-on services require passwords as the master password. Multi-factor authentication requires passwords as one of the factors. Pattern-on-grid, conventional picture passwords and emoji passwords can all be deployed on our platform. So competition is conceivable only among the different products of Expanded Password System. By the way, some people claim that a PIN can eliminate passwords, but logic dictates that it can never happen, since a PIN is no more than the weakest form of numbers-only password. Neither can a passphrase, which is no more than a long password. There are also some people who talk about the likes of PKI and onetime passwords as an alternative to passwords. But it is like talking about a weak door and proposing to enhance the door panel as an alternative to enhancing the lock and key.
  • 13. Slide 13: Unlimited Use Cases. Client software for device login; server software for online access; image-to-code conversion; 2-factor scheme; OpenID compatible; data encryption software with on-the-fly key generation; single and distributed authority.
  Applications of Expanded Password System will be found wherever people have been using text passwords and numerical PINs, and wherever people need a means of identity authentication, even if we still do not know what it will be.
  • 14. Slide 14: OASIS Open Projects. Proposition of Expanded Password System at ‘Draft Proposal’ stage, with 56 individual participants. Going to secure some more participants, corporate members in particular.
  The proposition of Expanded Password System that drastically alleviates password fatigue is now acknowledged as a ‘Draft Proposal’ for OASIS Open Projects, which OASIS has recently launched as a new standardization program. We have publicized a draft specification of Expanded Password System there. We are going to secure some more participants, corporate members in particular, who are looking for blue-ocean business opportunities in the expanding domain of identity assurance in cyberspace.
  • 15. Slide 15: How We Position Our Proposition. We make identity authentication schemes better by leveraging the time-honored tradition of seals and autographs. The underpinning principle of Expanded Password System will not go away so long as people want our own volition and memory to remain involved in identity authentication.
  Starting with the perception that our continuous identity as human beings is made of our autobiographic memory, we are making identity authentication schemes better by leveraging the time-honored tradition of seals and autographs. The underpinning principle of Expanded Password System shall not go away so long as people want our own volition and memory to remain involved in identity assurance.
  • 16. Slide 16: Some More Topics about Identity. Isn't biometrics killing passwords? Brain-Machine Interface. 2-Factor Expanded Password System. No-cost 2-factor authentication.
  Well, let me talk about some more topics related to digital identity: biometrics supposed to kill passwords, two-factor authentication built on two kinds of passwords, and the concept of Expanded Password System applied to BMI.
  • 17. Slide 17: Isn't Biometrics Killing Passwords? Fact 1: Biometrics used with a fallback password brings down the security that the password has provided (30-second video on YouTube). Specifically, old iPhones with a PIN code only were safer than newer iPhones featuring Touch ID and Face ID. What has improved is convenience, not security. Fact 2: Biometrics dependent on a password as a fallback means cannot kill the password dead. Fact 3: A false acceptance rate does not make sense unless it comes with the corresponding false rejection rate.
  Every time I speak about Expanded Password System, I am flooded with this question. My answer is: biometrics used with a fallback password brings down the security that the password has so far provided, as outlined in this 30-second video. Specifically, old iPhones with a PIN code only were safer than newer iPhones featuring Touch ID and Face ID. What has improved is convenience, obtained at the sacrifice of security. In any case, biometrics that is dependent on a password as a fallback measure can by NO means kill the password. It's logically obvious. By the way, a false acceptance rate makes sense only when it comes with the corresponding false rejection rate. I don't understand why biometrics vendors don't publicize both of the two simultaneously.
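  The arithmetic behind Fact 1 and Fact 3 on this slide, as an added worked example by the editor (not from the presentation). The rates passed in below are constructed for illustration and are not measurements of any product; the formulas are the standard independent-event combinations. The point to take from it: a biometric with a password fallback is an OR of two checks, so an impostor may pick whichever path is weaker, while a true two-factor check is an AND, and the FRR side of the same OR is what the fallback buys the genuine user.

```python
def cumulative_far(far, attempts):
    """An impostor allowed several samples before lockout gets roughly
    `attempts` independent draws at the per-attempt false acceptance rate."""
    return 1.0 - (1.0 - far) ** attempts


def impostor_acceptance_or(far, p_password_guess):
    """Biometric OR fallback password: the impostor can take either path, so
    the combined acceptance probability is never below the weaker path."""
    return far + (1.0 - far) * p_password_guess


def impostor_acceptance_and(far, p_password_guess):
    """Biometric AND password (a genuine second factor): the impostor must
    pass both, so the combined probability is never above the stronger one."""
    return far * p_password_guess


def genuine_rejection_or(frr_all_attempts, p_password_failure):
    """The FRR side of the OR combination: a genuine user is rejected only if
    the biometric fails on every attempt AND the fallback fails too. This is
    why a FAR figure is only meaningful next to its FRR, and vice versa."""
    return frr_all_attempts * p_password_failure


def compare(far, frr, p_guess, p_fail, attempts=5):
    """Side-by-side figures for one impostor session with `attempts` biometric
    tries. Inputs are constructed; independence between tries is assumed."""
    f = cumulative_far(far, attempts)
    return {
        "password_only": p_guess,
        "biometric_only": f,
        "or_combination": impostor_acceptance_or(f, p_guess),
        "and_combination": impostor_acceptance_and(f, p_guess),
        "or_genuine_rejection": genuine_rejection_or(frr ** attempts, p_fail),
    }


if __name__ == "__main__":
    for k, v in compare(far=1 / 50_000, frr=0.02, p_guess=1 / 10_000,
                        p_fail=0.05).items():
        print(f"{k:>22}: {v:.3e}")
```

  Read `or_combination` against `biometric_only` and `password_only`: it exceeds both, which is the slide's Fact 1 in numbers. The `and_combination` line is what a second factor would give instead.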
  • 18. Slide 18: Brain-Machine Interface. A simple brain-monitoring is vulnerable to wiretapping. Random numbers or characters are allocated to the images. Ask the users to focus their attention on the numbers or characters given to the registered images. The monitoring system will then collect the brain-generated onetime signal corresponding to these numbers or characters.
  A simple brain-monitoring has a problem in terms of security. The data, if wiretapped by criminals, can be replayed for impersonation straight away. Therefore the data should be randomized as onetime disposable data. An idea is that the authentication system allocates random numbers or characters to the images shown to the users. The users focus their attention on the numbers or characters given to the images they had registered. The monitoring system will collect the brain-generated onetime signals corresponding to the registered images. Incidentally, the channel for showing the pictures is supposed to be separate from the channel for brain-monitoring. Even if they intercept successfully, criminals would be unable to impersonate the users, because the intercepted data are onetime and disposable.
  • 19. Slide 19: 2-Factor Expanded Password System. Conventional 2-factor authentication systems are effective only against abuse of the device/phone. 2-factor Expanded Password System enables the user to produce onetime identity authentication data, i.e. a real onetime password.
  Some people say that using physical tokens is more secure than using phones for receiving a onetime code by SMS. If that is the case, the use of physical tokens brings its own headache. What shall we do if we have dozens of accounts that require protection by two/multi-factor schemes? Carry around a bunch of dozens of physical tokens? Or re-use the same tokens across dozens of accounts? The former would be too cumbersome and would too easily attract the attention of bad guys, while the latter would be very convenient but brings the likes of a single point of failure. We have a third proposition. A matrix of images, to which random onetime numbers or characters are allocated, is shown to the users through a mobile device, as in the BMI use case mentioned a minute ago. Users who recognize the registered images will feed the numbers or characters given to those images on a main device. From those onetime data, the authentication server will tell which images the user had registered. What is needed at the user's end is only a browser. Then we do not depend on the vulnerable onetime code sent through SMS, and a single phone can readily cope with dozens of accounts.
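  The onetime image-matrix challenge described on slides 18 and 19, as an added worked example written by the editor (not the product's own code). The 4x4 matrix, two-digit codes, cell names and class names are assumptions made for the illustration. It shows both sides of the exchange: the verifier allocating fresh distinct codes to every cell, the user reading off the codes next to the images they recognise, and the verifier inverting codes back to cells and consuming the challenge so a captured response cannot be replayed. One caveat the slide does not state: onetime codes defeat replay, not real-time relay of a live challenge, so the channel that shows the matrix must itself be authenticated, and an eavesdropper who sees both the displayed matrix and the typed codes learns the registered images, which is why the two channels are kept separate.

```python
import secrets

# Constructed parameters (not the product's): a 4x4 matrix of images, each
# challenge attaching a distinct two-digit code (00..99) to every cell.
MATRIX_CELLS = [f"img{i:02d}" for i in range(16)]
CODE_LEN = 2

_rng = secrets.SystemRandom()   # CSPRNG-backed sampling for the codes


class Verifier:
    """Knows which cells the user registered; issues and checks challenges."""

    def __init__(self, registered_cells):
        self.registered = frozenset(registered_cells)
        self.outstanding = {}          # challenge_id -> {cell: code}

    def issue_challenge(self):
        """Allocate a distinct random code to every cell. Distinctness lets
        the verifier invert code -> cell unambiguously. The mapping is what
        the secondary channel (the phone showing the matrix) displays."""
        codes = _rng.sample(range(10 ** CODE_LEN), len(MATRIX_CELLS))
        mapping = {cell: f"{code:0{CODE_LEN}d}"
                   for cell, code in zip(MATRIX_CELLS, codes)}
        cid = secrets.token_hex(8)
        self.outstanding[cid] = mapping
        return cid, mapping

    def verify(self, cid, typed_codes):
        """Check the codes typed on the primary device. The challenge is
        consumed on first use, so a wiretapped response is worthless later."""
        mapping = self.outstanding.pop(cid, None)
        if mapping is None:
            return False               # unknown or already-used challenge
        by_code = {code: cell for cell, code in mapping.items()}
        chosen = {by_code.get(c) for c in typed_codes}   # unknown code -> None
        return chosen == self.registered


def user_response(mapping, recognised_cells):
    """The user's side: read off the code next to each image they recognise.
    Order does not matter; the codes themselves differ on every login."""
    return [mapping[cell] for cell in recognised_cells]


if __name__ == "__main__":
    v = Verifier(["img03", "img07", "img12"])
    cid, shown = v.issue_challenge()           # displayed on the phone
    typed = user_response(shown, ["img12", "img03", "img07"])
    print("typed:", typed, "accepted:", v.verify(cid, typed))
    print("replay accepted:", v.verify(cid, typed))
```

  The transcript of one login is just a few digits that mean nothing without that challenge's mapping, which is the "real onetime password" the slide refers to; the registered images never leave the user's head or the verifier's record.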
  • 20. Slide 20: No-Cost 2-Factor Authentication. Factor 1: password remembered (what we know/remember). Factor 2: password written down or physically stored (what we have/possess). Effect: a ‘boring legacy password system’ turning into a no-cost, light-duty two-factor authentication system made of ‘what we know’ and ‘what we have’.
  A very strong password that is not meant to be remembered but written down on a memo should be viewed as ‘what we have’, definitely not ‘what we remember’, so it could be used as one of the two factors along with a remembered password. We could then turn a boring legacy password system into a two-factor authentication system at no cost, just by verifying two passwords at a time, one volitionally recalled and the other physically possessed. When those two different passwords are used as two factors, we could rely on the strength of a remembered password against physical theft and the strength of a physically possessed long password against brute-force attack, although it is not as strong against wiretapping as token-based solutions armed with PKI or onetime passwords. This could be viewed just as a thought experiment, or could actually be considered for practical application in between single-factor authentication and a costly, heavily armored 2-factor scheme, or as a transition from the former to the latter. It goes without saying that Expanded Password System could be brought in for a good remembered password.
  • 21. Slide 21: Wrap-Up. Expanded Password System, which drastically alleviates password fatigue, is supportive of:
  - Biometrics that require passwords as a fallback means against false rejection
  - Two/multi-factor authentication that requires passwords as one of the factors
  - ID federations such as password managers and single-sign-on services that require passwords as the master password
  - Simple pictorial/emoji passwords and patterns-on-grid, which can all be deployed on our platform
  All with the effect that handling memorable images makes us feel pleasant and relaxed. Furthermore:
  - Nothing would be lost for the people who want to keep using textual passwords
  - It enables us to turn a low-entropy password into high-entropy authentication data
  - It is easy to manage the relation between accounts and the corresponding passwords
  - Last but not least, it is democracy-compatible by way of providing the chances and means to get our own volition confirmed in our identity assurance
  It is the obligation of democratic societies to provide citizens with the choice to adopt a secure and yet stress-free identity authentication means that is practicable in any circumstances, panicky situations in emergencies in particular.
  • 22. Slide 22: As such, there exists a secure and yet stress-free means of democracy-compatible identity authentication. That is Expanded Password System. Thank You. Hitoshi Kokumai, President, Mnemonic Security, Inc., kokumai@mneme.co.jp.
  As such, there exists a secure and yet stress-free means of democracy-compatible identity authentication. That is Expanded Password System. I would be happy if you keep this in mind as one of the takeaways from this conference. If you have questions, feel free to catch me whenever you find me. Thank you very much for your time.