The Conundrum Over NIST Guideline May Have Been Unraveled by Hitoshi Kokumai
I posted an article titled “Help unravel the conundrum over NIST’s Guideline” (*1), in which I wrote “I am unable to follow their logic for justifying the closure of this thread. I wonder if some of you can help unravel this conundrum for me.”
I did not notice it at the time, but a clue had already been given in a NIST person's remark on my newer suggestion #221, as quoted in my later post “Another Tragic Comedy Played on NIST Guideline” (*2).
In it the NIST person tried to teach me “From a purely theoretical standpoint, you are correct that being able to use either of two authenticators is less secure than only having one because of the larger attack surface. But at present, account recovery (forgotten password, lost physical authenticator, etc.) is typically handled much less securely than standard authentication, email password resets being a prime example. And it isn’t necessary for the attacker to actually lose an authenticator; all they need to do is assert that they did. The issuance of multiple authenticators is expected to make account recovery much less commonplace, so that the recovery process can be made more secure (even though that may make it more expensive and time consuming).”
It is simply wrong to apply this “account recovery” argument to biometrics and fallback passwords combined by OR/Disjunction (the user need only pass either of the two), because one would then have to demonstrate that “password or rejection-prone biometrics” produces notably fewer account-recovery cases than password-only authentication does. That is logically an impossible mission.
The same “account recovery” argument does, however, make sense when applied to biometrics and passwords combined by AND/Conjunction (the user must pass both), which could well produce notably frequent account-recovery cases and so give criminals many chances to exploit the recovery process.
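To make the two effects in the paragraphs above concrete, here is an added worked example; it is not part of the original post and not NIST's material. It computes, assuming the two factors fail independently and using hypothetical per-factor rates (the FAR/FRR and password figures below are chosen only to make the arithmetic legible), how often an impostor gets in and how often the genuine user is locked out, and so lands in account recovery, under password-only, OR/Disjunction and AND/Conjunction.

```python
"""Attack-surface versus lockout arithmetic for combining a password with a biometric.

Added illustration, not from the original post or from NIST. Every rate here is
hypothetical, and the two factors are treated as statistically independent,
which is itself an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    attacker_success: float  # probability an impostor passes this factor in one try
    legit_rejection: float   # probability the genuine user fails this factor


@dataclass(frozen=True)
class Outcome:
    scheme: str
    attacker_success: float  # impostor gets in
    legit_rejection: float   # genuine user locked out, i.e. sent to account recovery


def password_only(pw: Factor) -> Outcome:
    """Baseline: a single password factor."""
    return Outcome("password only", pw.attacker_success, pw.legit_rejection)


def disjunction(a: Factor, b: Factor) -> Outcome:
    """OR: access if either factor passes.

    The impostor needs only one of the two holes, so the attack surface grows;
    the genuine user is locked out only when both factors reject them.
    """
    atk = 1 - (1 - a.attacker_success) * (1 - b.attacker_success)
    rej = a.legit_rejection * b.legit_rejection
    return Outcome(f"{a.name} OR {b.name}", atk, rej)


def conjunction(a: Factor, b: Factor) -> Outcome:
    """AND: access only if both factors pass.

    The impostor must defeat both, so the attack surface shrinks;
    the genuine user is locked out when either factor rejects them.
    """
    atk = a.attacker_success * b.attacker_success
    rej = 1 - (1 - a.legit_rejection) * (1 - b.legit_rejection)
    return Outcome(f"{a.name} AND {b.name}", atk, rej)


def compare(pw: Factor, bio: Factor) -> list[Outcome]:
    """Return the three schemes side by side: password only, OR, AND."""
    return [password_only(pw), disjunction(pw, bio), conjunction(pw, bio)]


# Hypothetical figures (constructed for this example): an impostor gets past the
# password 1 time in 10,000, the user forgets it 2% of the time; the biometric
# has a false-accept rate of 0.1% and a false-reject rate of 5%.
PASSWORD = Factor("password", attacker_success=1e-4, legit_rejection=0.02)
BIOMETRIC = Factor("biometric", attacker_success=1e-3, legit_rejection=0.05)


if __name__ == "__main__":
    for o in compare(PASSWORD, BIOMETRIC):
        print(f"{o.scheme:24s} impostor {o.attacker_success:.2e}  lockout {o.legit_rejection:.3f}")
```

With these figures OR lets the impostor in more often than the weaker factor alone (about 1.1e-3 against 1e-3) and cuts lockouts to 0.1%, while AND drives the impostor rate down to 1e-7 but raises the lockout rate from 2% to 6.9%; that extra lockout traffic is the recovery load the argument above is about. Substitute measured FAR/FRR and password-failure rates to repeat the check for a real deployment.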
This observation, that the account-recovery reasoning leads to REJECTION of combining biometrics and passwords by AND/Conjunction, may well have misled NIST into assuming that the same reasoning leads to ACCEPTANCE of combining biometrics and passwords by OR/Disjunction. Perhaps the outcome of this confusion is that NIST has contributed a great deal to the widespread misconception and false sense of security in which so many people are now trapped.
I am now very curious to know whether this mix-up originated within NIST or was simply imported into NIST from somewhere else.