Takeaways from Consumer Identity World USA 2018
The so-called password-less authentication, if implemented literally, would lead us to a world where we are deprived of the chances and means to get our volition confirmed in having our identity authenticated. It would be a 1984-like world, incompatible with the values of democratic societies.
Some people allege that passwords can and will be eliminated by biometrics or PIN. But logic tells us that it can never happen: the former requires a password/PIN as a fallback means, and the latter is no more than the weakest form of numbers-only password.
Various debates over ‘password-less’ or ‘beyond-password’ authentications only make it clear that the solution to the password predicament could be found only inside the family of broadly-defined passwords.
Four Puzzling Issues
In our earlier article we referred to Consumer Identity World USA 2018, in which the writer participated as both a speaker and a panelist, giving the presentation ‘Identity Assurance by Our Own Volition and Memory’.
There we noticed strong voices proposing
- Password-less Authentication
- Use of PIN to eliminate passwords
- Biometrics in two/multi-factor authentication for better security
- Advantage of physical tokens as against onetime codes by SMS
What puzzles us is
- Doesn’t ‘Password-less’ mean ‘Volition-less’?
- Isn’t ‘PIN’ the weakest form of numbers-only passwords?
- Isn’t biometrics deployed with a fallback password ‘in parallel’, not ‘in series’?
- What if we have dozens of accounts to protect?
Below are our observations.
- Password-less Authentication: The term ‘password’ is poly-semantic and context-dependent. So is ‘password-less’. If ‘password-less authentication’ means ‘authentication without depending solely on hard-to-manage text passwords’, we would be generally agreeable.
If, however, it means ‘authentication without what we remember altogether’, we must be against it. If implemented literally, it would lead us to a world where we are no longer allowed to get our volition confirmed in our own identity assurance. We call such a world ‘Dystopia’.
- PIN as against Passwords: If PIN or PINCODE, which is the weakest form of numbers-only password, had the power to kill the password, a small sedan should be able to kill the automobile.
Advocates of this idea seem to claim that a PIN is stronger than passwords when it is linked to a device while the password is not linked to the device. Then we would have to ask “What would happen if we linked the password to the device?”
- Biometrics in two/multi-factor authentications: All the factors of multi-factor schemes must be deployed ‘in-series’, not ‘in-parallel’. When two factors are deployed in-parallel, what is achieved is better convenience whereas security is brought down.
In reality biometrics is usually deployed with a password as a fallback means against false rejection, and biometrics and fallback passwords are used in-parallel, not in-series. This means that biometrics brings down the security that the password has provided. It is wrong to recommend biometrics for higher security.
- Advantage of physical tokens: It is said that using physical tokens is more secure than using phones for receiving onetime code by SMS. If it is the case, the use of physical tokens brings its own headache. What shall we do if we have dozens of accounts that require the protection by two/multi-factor schemes?
Carrying around a bunch of dozens of physical tokens? Re-using the same tokens across dozens of accounts? The former would be too cumbersome and too easily attract the attention of bad guys, while the latter would be very convenient but bring the likes of a single point of failure.
What can we do?
- Password-less Authentication: A secure and yet stress-free means of democracy-compatible identity authentication is proposed. It is the Expanded Password System that accepts both images and characters. It is now acknowledged as ‘Draft Proposal’ for OASIS Open Projects.
- PIN to eliminate passwords: We could simply forget it.
- Biometrics in two/multi-factor authentication: Biometrics could be recommended for better convenience, but must not be recommended where security matters.
- Advantage of physical tokens: We could think of two new possibilities – one for better convenience and one for better security.
The former handles two different types of passwords, one recalled volitionally and the one physically possessed.
The latter involves the images to which random numbers or characters are allocated and shown to the users through a mobile device. Users who recognize the registered images will feed the numbers or characters given to those images on a main device. We do not depend on the vulnerable onetime code sent through SMS, and a phone copes with dozens of accounts.
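To make the second possibility concrete, here is an added simulation of the server side of that image-challenge scheme. It is illustration code written for this article, not Mnemonic Security's implementation, and it assumes a few things the text leaves open: a grid of 20 image labels (constructed here, standing in for the user's own pictures), four registered images, digits as the allocated characters, and a response formed by typing the digits shown next to the registered images in registration order. The challenge shown on the mobile device is consumed on first use so that a captured response cannot be replayed against the main device.

```python
import hmac
import random
import string

# Constructed sample data: 20 images on the grid, four of which the user
# registered (in this order). Labels stand in for real pictures.
IMAGE_POOL = [f"img{n:02d}" for n in range(1, 21)]
REGISTERED = ["img03", "img07", "img12", "img18"]
ALPHABET = string.digits          # characters allocated to images (assumption)


def make_challenge(pool, rng):
    """Allocate a random character to every image on the grid.

    Characters are drawn WITH replacement, so several images share a digit and
    the typed response alone does not reveal which images are the registered ones.
    """
    return {image: rng.choice(ALPHABET) for image in pool}


def expected_response(challenge, registered):
    """What the legitimate user types on the main device: the characters shown
    next to their registered images, in registration order."""
    return "".join(challenge[image] for image in registered)


class Verifier:
    """Server side: issues one-time challenges for the phone and checks the
    response entered on the main device."""

    def __init__(self, registered, rng=None):
        self.registered = list(registered)
        self.rng = rng or random.SystemRandom()
        self.pending = {}         # challenge_id -> allocation, removed on first use

    def issue(self, pool):
        """Create a fresh challenge; the allocation is what the phone displays."""
        challenge_id = self.rng.randrange(2 ** 32)
        allocation = make_challenge(pool, self.rng)
        self.pending[challenge_id] = allocation
        return challenge_id, allocation

    def verify(self, challenge_id, response):
        """Check a response. The challenge is consumed whether or not it passes,
        so a replayed response for the same challenge is rejected."""
        allocation = self.pending.pop(challenge_id, None)
        if allocation is None:
            return False              # unknown, expired or already used
        expected = expected_response(allocation, self.registered)
        return hmac.compare_digest(expected, response)


def guess_probability(registered_count, alphabet=ALPHABET):
    """Chance that a blind guess of the response string is accepted."""
    return 1 / len(alphabet) ** registered_count


if __name__ == "__main__":
    verifier = Verifier(REGISTERED)
    cid, shown = verifier.issue(IMAGE_POOL)
    typed = expected_response(shown, REGISTERED)     # the user reads these off the phone
    print("accepted:", verifier.verify(cid, typed))
    print("replay accepted:", verifier.verify(cid, typed))
    print("blind guess probability:", guess_probability(len(REGISTERED)))
```

With four registered images and ten digits a blind guess succeeds once in 10,000 attempts per challenge, so the scheme still needs the usual attempt throttling; the decoy images sharing digits with the registered ones is what keeps a shoulder-surfer from learning the registered set from a single observed response.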
Other Issues related to Identity Authentication
Caveats about ‘Password’
Sometimes the word ‘Password’ is narrowly interpreted as ‘remembered text password’ and sometimes it’s taken broadly as ‘whatever we remember for authentication’.
We are of the view that it would be desirable to define ‘Password’ broadly enough. As a denotational definition, it could be ‘Whatever we remember and recall volitionally for identity authentication’.
As a connotation, it could be “A shared secret known only by two consenting parties. The secret will be submitted by one party to the other on request. It is used to verify legitimate access to an asset of shared interest.” (This is suggested by my British friend.)
By the way, password-like texts written on a memo or stored in a physical device should desirably be given other names than ‘Password’. For now I would like to call it ‘physically possessed password’ as against ‘password’ or ‘remembered password’.
Physically possessed high-entropy passwords have a potential merit of being strong against brute force attacks, but they are as vulnerable to physical theft as other physically possessed objects like cards and tokens.
We do not see any difference against wiretapping between the remembered and physically possessed passwords.
Caveats about Biometrics
Biometrics is a useful tool for forensic and other purposes of personal identification in physical space. As for identity authentication in cyber space, it brings not just better convenience but also some protection, which is better than nothing although lower than a password-only protection.
We would reiterate that biometrics could be recommended where convenience matters, but must not be recommended where security matters.
Caveats about ID federations
ID federations such as single-sign-on services and password managers indeed help us mitigate the burden of managing so many passwords. On the other hand, ID federations create a single point of failure like putting all the eggs in a single basket. It manages all my passwords when un-hacked and loses all my passwords to criminals when hacked.
ID federations should be operated in a decentralized formation or should be considered mainly for relatively lower-security accounts, not for the highest-security business accounts which should desirably be protected by all different strong passwords unique to each account. Needless to say, the strength of the master-password is crucially important in any case.
Caveats about Two/multi-factor authentication
It certainly could have a big merit for better security. It should, however, be operated with caveats.
Firstly, ‘2’ and ‘3’ are indeed larger than ‘1’ on paper, but we should not forget that two or three weak children may well be much weaker than a single tough guy. Secondly, physical tokens, cards, phones and memos are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.
The two/multi-factor authentication could be reliable only when it comes with a reliable password. A truly reliable two/multi-factor solution desired for most important accounts requires the use of the most reliable password.
Incidentally, we would like to repeatedly emphasize that all the factors of two/multi-factor authentications must be deployed ‘in series’, not ‘in parallel’. Biometrics deployed ‘in parallel’ instead of ‘in series’ must not be counted as a factor of the two/multi-factor authentications. We need to harbor a serious doubt when we hear of a two/multi-factor authentication that is claimed to have a biometrics as a factor of it.
Outstanding Features of Expanded Password System
People who enjoy handling images will gain better security and convenience. The only extra effort required is to get the images registered. But people already do that across social media platforms and seem to love it.
So far, only texts have been accepted. It was, as it were, as if we had no choice but to walk up a long, steep staircase. With Expanded Password System, we could imagine a situation where escalators and elevators are provided along with the staircase. Or, some of us could think of all those ladders we have for climbing in Donkey Kong.
Where we want to continue to use textual passwords, we could opt to recall the remembered passwords, although the memory ceiling is very low; most of us can manage only up to several of them.
Where we want to reduce the burden of textual passwords, we could opt to recognize pictures remembered in stories. The memory ceiling is high, that is, we would be able to manage many more of them.
Where we choose to make use of episodic image memory, we would only need to recognize the unforgettable images, say, KNOWN images. There is virtually no memory ceiling, that is, we would be able to manage as many passwords as we like, without any extra efforts.
The role of episodic memory
It is known that the episodic memory is the cognitive core of our continuous identity. It ensures the continuity of our perception of our self.
It is obvious that our bone, flesh, fat or skin does not make our identity as a citizen living in societies. We could be more rational in defining our identity as a social being.
Changeability of Episodic Memory
It’s known that episodic memories are easily changeable. What we remember as our experience may have been transformed and not objectively factual. But it would not matter for Expanded Password System. What we subjectively remember as our episodic memory could suffice. From confidentiality’s point of view, it could be even better than objectively factual memories since no clues are given to attackers.
Competition to Expanded Password System
Competition could be thinkable only among the different products of Expanded Password System since
- Biometrics requires passwords as a backup means.
- Password-managers and single-sign-on services require passwords as the master-password.
- Multi-factor authentications require passwords as one of the factors.
- Pattern-on-grid and conventional/emoji-passwords can all be deployed on our platform.
Position of Our Proposition
We make identity authentication schemes better by leveraging the time-honored tradition of seals and autographs. The underpinning principle of Expanded Password System shall not go away so long as people want our own volition and memory to remain involved in our identity assurance.
Why have people been sticking to characters for password authentication?
Frankly, we have no answer. It is now broadly known that human beings are far better at remembering and recalling visual memories than doing the same for texts. We have hundreds of millions of years of history for the visual memory whereas the history of our text memories is no more than hundreds of years for most of us.
It is also known that CPUs are now fast enough, connection band broad enough, data storage cheap enough and digital cameras affordable enough. There is absolutely no reason to hesitate to use images for identity authentication.
And yet, people apparently think only about texts when they talk about passwords. We could only think of ‘momentum’, ‘sheer force of habit’ or cognitive biases like ‘normalcy bias’. We may need to ask for the help of researchers of cognitive science and behavioral economics.
Q: Why has Expanded Password System been so unknown for as long as 17 years?
People who were carried away by the hyped attractiveness of biometrics and the inflated hi-tech image of password-less solutions would not listen to us.
Actually, over the period of 2003 to 2008 we were successful in Japan. We saw several commercial adoptions amounting to some US$1 million, even though the CPU was slow, the band narrow and the storage expensive in those days.
It then ceased to grow as people were more and more carried away by the biometrics and password-less solutions which the advocates alleged would kill the likes of passwords altogether, even though we knew that biometrics have to depend on the password as a fallback measure against false rejection and that a real password-less society would only mean Dystopia.
After struggling in vain to fight back for several years, we chose to get out of Japan where biometrics vendors were overpoweringly dominant, and started to look for bigger chances worldwide. We now have a lot of friends and supporters globally. Expanded Password System is now acknowledged as ‘Draft Proposal’ for OASIS Open Projects, with us given the chances to speak in front of the professional audience of Consumer Identity World 2018.
Why have so many security professionals tried not to listen for so long?
Our view is that those professionals, who had loudly advocated, promoted and endorsed biometrics and password-less authentications, might well suspect that listening to us could throw them into an awkward psychological situation that is extremely inconvenient and embarrassing to them.
We could think of ‘cognitive dissonance’ coupled with such cognitive biases as ‘sunk-cost bias’, ‘confirmation bias’ and ‘normalcy bias’. It could well provide a very good research theme for sociology, psychology, cognitive science and behavioral economics.
More topics are discussed here.
Expanded Password System that we advocate is supportive of
- Biometrics that require passwords as a fallback means against false rejection
- Two/multi-factor authentications that require passwords as one of the factors
- ID federations such as password managers and single-sign-on services that require passwords as the master-password.
- Simple pictorial/emoji-passwords and patterns-on-grid that can all be deployed on our platform
All with the effects that handling memorable images makes us feel pleasant and relaxed and that it enables us to easily manage the relation between accounts and the corresponding passwords.
- And, nothing would be lost for the people who want to keep using textual passwords.
- Lastly but not the least, it is democracy-compatible by way of providing the chances and means to get our volition confirmed in having our identity authenticated.
President, Mnemonic Security, Inc.
Hitoshi Kokumai is the inventor of Expanded Password System, which enables people to make use of episodic image memories for intuitive and secure identity authentication. He has kept raising the issue of the wrong usage of biometrics with passwords and the false sense of security it brings for 17 years.
Mnemonic Security Inc. was founded in 2001 by Hitoshi Kokumai for promoting Expanded Password System. Following the pilot-scale operations in Japan, it is seeking to set up the global headquarters.