Some security people are advocating that the password should be killed dead. I wonder if they are aware of what they mean by what they say. A society where login without users’ volition is allowed would be the society where democracy is dead. It’s a tyrant’s utopia.
We know that biometrics, which relies on a fallback password, can by no means be an alternative to the password, that the password is an indispensable factor for multi-factor schemes and that the security of password managers and single-sign-on schemes needs to hinge on the reliability of the password.
The password (memorized secret) is absolutely necessary. Don’t let it be killed. Don’t accept any form of passwordless login.
Intuitive Passwords – Passwords Succeeding Passwords
Security of the real/cyber-fused society hinges on the trusted Identity Assurance, which hinges on the reliable Shared Secrets in cyberspace. Passwords have been the Shared Secrets for many decades.
The password has also been a target of resentment. It is so easy to break if easy to recall, while so hard to recall if hard to break. Besieged by an ever increasing number of password-requiring accounts, not a few people are crying that the password should be killed dead.
The password could be killed altogether, however, only where there is a valid alternative.
To displace passwords would not be easy
Some say “PIN can”. This observation would, however, only lead us to the entrance to Alice’s Wonderland. If a PIN that is a weak form of numbers-only password could displace the password, a puppy should be able to displace the dog, a kitten the cat, a cub the lion.
“Passphrase” is also no more than a variation of the password, with its own merits and demerits. It may be longer and yet easier to remember, but greater length does not necessarily mean higher entropy, despite the trouble of tiresome typing, because a passphrase is generally made of known words and is therefore vulnerable to automated dictionary attacks.
Some people might say that multi-factor authentication, or ID federations such as password managers and single-sign-on services, could do it. It is not easy, however, to conceive that the password could be displaced by multi-factor schemes, in which one of the factors is a password, or by ID federations, which require the most reliable password of all as the master password.
Some say “Biometrics will”. This observation would lead us to another entrance to Alice’s Wonderland. Biometric solutions used in cyberspace need a password (fallback password as a recovery mechanism) registered in case of false rejection. If “something” which has to rely on “the other thing” could displace “the other thing”, your foot should be able to displace your leg for walking. Alice’s Wonderland might receive it, but we have huge difficulties in imagining what it could look like in this 4D Space-Time universe.
There are a lot of people who take it for granted that the password can be displaced by the biometrics operated in cyberspace together with a fallback password. How could such a misconception happen?
Blind Spot in Our Mind: Let us imagine that we are watching two models of smart phones – Model A with Pincode and Model B with Pincode & Fingerprint Scan.
Which of the two models do you think is securer?
- when you hear that Model A is protected by Pincode while Model B is protected by both Pincode and Fingerprints
- when you hear that Model A can be unlocked by Pincode while Model B can be unlocked by both Pincode and Fingerprints
- when you hear that Model A can be attacked only by Pincode while Model B can be attacked by both Pincode and Fingerprints
Is your observation the same for all the 3 situations?
Eye-Opening Experience: Now let us imagine that there are two houses – (1) with one entrance and (2) with two entrances placed in parallel.
Which house is safer against burglars?
Every one of us will no doubt agree that the answer is plainly (1). Nobody would dare to allege that (2) is safer because it is protected by two entrances. Similarly, the login by a pincode alone is securer than the login by a biometric sensor backed up by a fallback pincode (*1). That is, a smartphone equipped with biometrics authentication and a fallback pincode authentication is obviously less secure than a smartphone with a pincode-alone authentication.
The above observation is backed up by the latest draft digital authentication guidelines of the National Institute of Standards and Technology (*2). Clause 5.2.3, Use of Biometrics, requires that, due to its inherent vulnerabilities, biometrics should be used together with another authentication factor, and it needs to depend on passwords as a recovery mechanism where practicality matters, even if that means lower security due to the “larger attack surface”, to borrow NIST’s words.
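The house-with-two-entrances argument can be stated as a probability model. The following is an added example, not code from the original article; the per-attack success figures are constructed for illustration only.

```python
"""Attacker-success model for composed login mechanisms.

Added example, not part of the original article. The per-mechanism
probabilities below are constructed placeholders, not measurements.
"""
from functools import reduce


def p_any(probs):
    """Attacker succeeds if ANY mechanism is defeated (parallel entrances:
    biometric sensor OR fallback PIN). Equals 1 - prod(1 - p_i)."""
    return 1.0 - reduce(lambda acc, p: acc * (1.0 - p), probs, 1.0)


def p_all(probs):
    """Attacker must defeat EVERY mechanism (genuine multi-factor:
    PIN AND a second factor). Equals prod(p_i)."""
    return reduce(lambda acc, p: acc * p, probs, 1.0)


# Constructed per-attempt success probabilities (assumptions, not data).
PIN_GUESS = 0.001        # guessing a PIN within the allowed attempts
BIOMETRIC_SPOOF = 0.01   # presentation attack against the sensor


def compare_models():
    """Attacker success for the three configurations in the text:
    PIN alone, biometric with fallback PIN (either unlocks),
    and biometric required in addition to the PIN (both needed)."""
    return {
        "pin_only": PIN_GUESS,
        "biometric_or_fallback_pin": p_any([BIOMETRIC_SPOOF, PIN_GUESS]),
        "biometric_and_pin": p_all([BIOMETRIC_SPOOF, PIN_GUESS]),
    }


def weakest_link_holds(probs):
    """Parallel entrances are never safer than the weakest single one."""
    return p_any(probs) >= max(probs)


if __name__ == "__main__":
    for name, p in compare_models().items():
        print(f"{name:28s} {p:.6f}")
```

Whatever constructed numbers are used, the OR composition (fallback) is at least as easy to attack as its weakest member, while the AND composition (NIST's required second factor) is at most as easy as its strongest.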
Remark: Due respect should be paid to the value of biometric solutions as an effective identification tool for physical security, such as forensics and border control. Biometrics is a good tool for individual identification, although it is wrong to use it for identity authentication.
What about a password-less life?
Some might say “Not using any password altogether is the way to kill the password dead”. Yes, the password could then be killed dead entirely, but it would be criminals rather than us that will be the beneficiaries of such password-free cyberspace.
In a world where we live without passwords to recall, i.e., where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room (*3). It would be a Utopia for criminals but a Dystopia for most of us.
However disliked, passwords as shared secrets are absolutely indispensable
In view of the situation described above, intuitive password propositions are becoming the focus of attention as an alternative to the unmanageable old passwords.
Well, how intuitive, secure and practicable are they?
Group 1 – Intuitive but insecure: With this group of solutions, the authentication would be completed when we have picked up the mugshots of friends that had been registered as the shared secrets.
Comment: Using friends’ mugshots IMPLICITLY is good, but using friends’ mugshots EXPLICITLY is no good. It would only please criminals.
Group 2 – Not as intuitive as it appears: With this group of solutions, the authentication would be completed when you have picked up the mugshots of people that you had remembered as the shared secrets.
Comment: Using faces as one of the objects is not bad, but using ONLY faces is no good. Remembering people’s faces is generally easier than remembering other static objects, but not so much when those people are unknown to us. Actual trials show how easy it is to get lost or confused.
The same applies to dozens of simple pictorial/graphic/emoji passwords proposed here and there, now and then.
Group 3 – Either insecure or impracticable: Patterns-on-Grid belongs to this group, with which authentication would be completed when we have reproduced the patterns that we had registered on a grid.
Comment: Easy-to-remember patterns such as L, N, V, X, Z and their variants are known to criminals, while actual trials of hard-to-crack, complicated patterns demonstrate how easily we get lost or confused.
Then what else?
We are proposing “Expanded Password System” (*4) that is designed to be both intuitive