‘Weak DOOR’ is made of ‘Weak PANEL’ and ‘Weak LOCK/KEY System’. Enhancing the former does not enhance the latter, but too many people are mixing them up. A huge number of solution providers are crowding ‘Weak Panel’, but few actually tackle the ‘Weak Lock/Key’ issue. Expanded Password System that accepts both images/pictures and texts/characters is the pioneer in this sphere.
Expanded Password System – Summary Updated
The conventional password is hated, as everybody agrees, whereas a volitional password is absolutely necessary, since it would be a 1984-like dystopia if authentication of our identity happened without our knowledge or against our will. These observations lead to one conclusion: we have to find the sort of password system that is not hated. Logic tells us that there can be no other choice.
Expanded Password System that we propose has the following features.
- It is not only stress-free but offers joy and fun
- It enables us to turn a low-entropy password into high-entropy authentication data
- It relieves us from the burden of managing the relation between accounts and the corresponding passwords
- It deters phishing attacks, which have so far been very hard to defend against
- It can be deployed in panicky situations
- It is supportive of
  - Biometrics, which require passwords as a fallback means against false rejection
  - Two/multi-factor authentications, which require passwords as one of the factors
  - ID federations such as password managers and single-sign-on services, which require passwords as the master password
  - Simple pictorial/emoji passwords and patterns-on-grids, which can all be deployed on our platform
- Its applications can be found wherever people have been using text passwords and numerical PINs
- And nothing would be lost for the people who want to keep using textual passwords
- Last but not least, it is democracy-compatible, by way of providing the chances and means to get our own volition confirmed in our identity assurance.
When we say 'The door is weak', it could mean two things: 'The door panel is weak' and 'The lock/key system is weak.' Enhancing the former is not an alternative to enhancing the latter, and vice versa. And, needless to say, throwing away the weak lock/key is not an alternative to solving the problem of a weak lock/key system. Our proposition is meant to provide a solution to the equivalent of the weak lock/key problem in the sphere of digital identity.
Security of the real/cyber-fused society hinges on “Assured Identity”, which in cyberspace hinges on “Shared Secrets”. Expanded Password System is expected to provide the “Shared Secrets” in the most reliable way and thereby make the basic and comprehensive platform of identity assurance on which all the security structures and digital services can be sustainably maintained.
Related Topics - Takeaways from Amsterdam Conference
I was given good chances to have a lot of meaningful discussions in Amsterdam at KuppingerCole’s Consumer Identity World 2018. These topics are the takeaways from there.
Conflicts between Security and Privacy
Many people reckon that security and privacy are unconditionally mutually exclusive. But we need to be aware that it all depends on the context.
Security for authoritarian regimes may well be mutually exclusive with the privacy of citizens to a very large extent or completely. Even in democratic countries, security for society and privacy of citizens are often mutually exclusive, as seen in the disputes between the FBI and Apple. But when this theme is discussed in terms of GDPR, it cannot be mutually exclusive, since the subject is always the 'Citizen'. The security of citizens and the privacy of citizens must be mutually inclusive.
On-the-fly Generation of Cryptographic Keys from Our Episodic Memory
When decryption keys are suspected to have been stolen together with the encrypted data, we cannot rely on the data protection by encryption. I announced in Amsterdam that we had come up with a proposition for this problem 14 years ago.
Sensible Use Case of Behavioral Biometrics for Identity Authentication
The idea of deploying behavioral biometrics as an early warning system seems very sensible. After login by a password, the user is placed under constant monitoring of their unconscious behavior, such as typing patterns, mouse-moving patterns and so on. When any irregular pattern is detected, the system requires the user to re-enter their password. This will be effective in preventing the hijacking of the device after the login by the legitimate user.
* It should be noted that behavioral biometrics are expected to work as an enhancement of password protection, not as an alternative to the password.
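The early-warning loop described above, as an added example that is not part of the original article: inter-keystroke intervals are compared against a baseline captured at enrolment, and a window whose mean drifts too far from that baseline triggers a password re-prompt. The baseline and session timings are constructed sample values, the z-score threshold and window size are assumptions chosen for the illustration, and a real deployment would of course use richer features than a single interval statistic.

```python
"""Keystroke-rhythm monitor that re-prompts for the password on irregular typing.
Added illustration, not the article's own code; all timing data is constructed."""
import statistics
from collections import deque


class TypingRhythmMonitor:
    """Compares the mean inter-keystroke interval of a sliding window with the
    enrolment baseline; a z-score above the threshold means 're-authenticate'."""

    def __init__(self, baseline_intervals_ms, window=10, z_threshold=3.0):
        self.mean = statistics.fmean(baseline_intervals_ms)
        self.stdev = statistics.pstdev(baseline_intervals_ms) or 1.0  # guard a flat baseline
        self.window = deque(maxlen=window)
        self.z_threshold = z_threshold

    def observe(self, interval_ms):
        """Feed one interval; returns 'ok' or 'reauth_required'."""
        self.window.append(interval_ms)
        if len(self.window) < self.window.maxlen:
            return "ok"                       # not enough evidence yet
        z = abs(statistics.fmean(self.window) - self.mean) / self.stdev
        return "reauth_required" if z > self.z_threshold else "ok"

    def reset(self):
        """Called after a successful password re-entry so one alert is not repeated."""
        self.window.clear()


def run_session(baseline_intervals_ms, session_intervals_ms):
    """Return the indices in the session stream at which a re-prompt was raised."""
    monitor = TypingRhythmMonitor(baseline_intervals_ms)
    alerts = []
    for index, interval in enumerate(session_intervals_ms):
        if monitor.observe(interval) == "reauth_required":
            alerts.append(index)              # here the system would demand the password
            monitor.reset()                   # assume the legitimate user re-entered it
    return alerts


# Constructed samples: enrolment baseline and a legitimate session around 150 ms.
BASELINE_MS = [150, 140, 160, 155, 145, 150, 165, 135, 150, 150]
LEGIT_MS = [150, 148, 152, 150, 155, 145, 150, 149, 151, 150]
# Constructed: the same legitimate start followed by someone typing at a very different cadence.
CHANGED_MS = LEGIT_MS + [300] * 10

if __name__ == "__main__":
    print(run_session(BASELINE_MS, LEGIT_MS + LEGIT_MS))   # []
    print(run_session(BASELINE_MS, CHANGED_MS))            # [11]
```

The window only fills after ten keystrokes, so a brief hesitation does not fire the alert; the second stream trips it two keystrokes into the changed cadence, after which the password prompt, not the biometric, decides whether the session continues.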
Three-Factor Authentication Weaker Than Two-Factor Authentication
Some claim that deploying biometrics with a fallback password on a mobile device makes a 3-factor authentication (biometrics as ‘what your body features are’, password as ‘what you know’ and device as ‘what you have’). Even when the user is falsely rejected by biometrics and required to use the password as the fallback means, the user is still protected by the two factors of ‘password’ and ‘device’, so the failure of biometrics does not mean a decrease in security. That is their argument.
My view is that a straightforward 2-factor authentication made of ‘device’ and ‘password’ would have been less expensive, less difficult to implement and more secure. Multi-Entrance solutions cannot displace Multi-Layer solutions.
* The difference between ‘in-series’ and ‘in-parallel’ (multi-layer and multi-entrance) deployments of two/multi factors is plainly demonstrated here
** Relations among False Acceptance, False Rejection and Threshold are explained here with graphs.
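The difference between the two designs, as an added worked example that is neither the author's code nor the graphs referred to above: an 'in-series' (multi-layer) deployment multiplies the false-acceptance rates, because an impostor has to defeat every factor, while an 'in-parallel' (multi-entrance) deployment lets the impostor pick the easier entrance. The per-factor false-acceptance and false-rejection rates below are constructed values, not measurements of any product.

```python
"""False acceptance and false rejection under 'in-series' (multi-layer) versus
'in-parallel' (multi-entrance) factor deployment.  Added illustration, not the
author's code; every rate is a constructed, hypothetical value."""


def in_series(*rates):
    """Probability that an event happens at every factor (all must be passed)."""
    prob = 1.0
    for r in rates:
        prob *= r
    return prob


def in_parallel(*rates):
    """Probability that an event happens at at least one factor (any one suffices)."""
    prob_none = 1.0
    for r in rates:
        prob_none *= 1.0 - r
    return 1.0 - prob_none


def compare(far_device, far_password, far_biometric, frr_password, frr_biometric):
    """Impostor acceptance and legitimate-user rejection for the two designs in the text.

    Two-factor, multi-layer:   device AND password.
    Three-factor, multi-entrance: device AND (biometric OR fallback password)."""
    two_factor = {
        "impostor_accepted": in_series(far_device, far_password),
        "user_rejected": frr_password,      # device possession assumed for the genuine user
    }
    three_factor = {
        # an impostor needs to defeat only one of the two entrances behind the device
        "impostor_accepted": in_series(far_device, in_parallel(far_biometric, far_password)),
        # the genuine user is rejected only if both entrances reject
        "user_rejected": in_series(frr_biometric, frr_password),
    }
    return two_factor, three_factor


def demo():
    two_factor, three_factor = compare(far_device=0.01, far_password=0.001,
                                       far_biometric=0.0001, frr_password=0.01,
                                       frr_biometric=0.05)
    return {
        "two_factor": two_factor,
        "three_factor": three_factor,
        # multi-entrance buys lower false rejection at the price of higher false acceptance
        "three_factor_more_permissive":
            three_factor["impostor_accepted"] > two_factor["impostor_accepted"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The numbers make the trade-off explicit: adding the biometric entrance in parallel lowers the chance that the genuine user is locked out, but the impostor's acceptance probability can only go up, never down, relative to the plain device-plus-password layer.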
Informed, Misinformed and Disinformed Consent
It goes without saying that obtaining informed consent from consumers is very important when collecting their personal information. Perhaps more important is trying not to obtain misinformed consent. Disinformed consent, if obtained, could be viewed as a criminal matter.
* Some of you might notice that I am raising this issue with respect to the broad adoption among consumers of security-lowering face and finger scans due to the informed, misinformed or disinformed consent.
** The insurance industry is expected to help mitigate the damages brought by the consequences of misinformed or disinformed consent by way of providing economic incentives or penalties.
Coupled with the earlier takeaways (*) from the Seattle conference, we may now have a much more comprehensive understanding of all those enigmatic problems around cybersecurity and identity management.
Appendix - Deterrent to Hard-to-Defend Phishing Attacks
It is known that targeted/spear phishing attacks often cause grave damage. Implementation of Expanded Password System is expected to deter indiscriminate mass phishing attacks to a large extent.
However, all passwords, whether texts, patterns or images, are vulnerable to spear/targeted phishing, whatever tricks we may incorporate into them, and effective deterrence can be expected only when we involve 2 channels, 2 steps, or both.
Incidentally, that the password is vulnerable to spear/targeted phishing does not mean that removing the password is a solution. It is the same as removing the lock/key and enhancing the door panel: that does not solve the vulnerability of the lock/key.
- Against Indiscriminate Mass Phishing
Where the users are encouraged to create their own unique image matrices with Expanded Password System, we can assume that criminals would be discouraged from indiscriminate mass phishing.
It would be a costly job, if technically possible at all, to capture thousands, millions or billions of image matrices unique to all the different userIDs from the genuine authentication servers, copy them onto the criminals' fake servers, get them activated for detecting tapping and clicking on the screen, and then try to lure the target people into disclosing their credential (the registered images) on the criminals' fake servers by sending phishing mails, etc.
This is effective against indiscriminate mass phishing, though not against spear/targeted phishing.
- Against Spear/Targeted Phishing
2-Channel Expanded Password System (implemented as Onetime MnemonicGuard) could discourage criminals because the criminals would need to place both of the two channels under their control simultaneously before starting the phishing trial.
Alternatively, where a 2-factor/channel system is not implemented but Expanded Password System (EPS hereafter) is deployed, we could add a second step of EPS, making the system a 'Selective 2-step EPS' for the users who opt for it.
With the 2-step EPS, the image matrix for the 2nd step is shown to the user (or the criminal) only after the 1st-step EPS has been cleared.
The optional 2-step EPS could discourage criminals by making it hard for those who have somehow obtained the credentials (the registered images) of the target persons for the 1st-step EPS to prepare the image matrices of the 2nd-step EPS on their fake servers quickly enough.
Specifically, a criminal who knows the userID of the target person can capture the image matrix of the 1st-step EPS from the genuine server without the target's knowledge, prepare the image matrix of the target and lure the target into disclosing the credential (the registered images).
However, the criminal would then have a huge difficulty in obtaining the credential (the registered images) for the 2nd-step EPS unless the criminal has the magical power of completing the following process in a matter of seconds -
Having successfully stolen the credential for the 1st step, the criminal needs to
- access the target's account with the target's UserID and get the target's image matrix shown,
- visually locate and manually tap/click the images of the target's selection on the screen of the genuine server,
- after successfully going through it, capture the target's image matrix for the 2nd step EPS,
- activate the image matrix on the criminal's fake server so that it can detect tapping/clicking by the target,
- show the image matrix and urge the target to select the credential (the registered images) for the 2nd step EPS.
Users who have been informed that they should suspect phishing if they are kept waiting for more than a few seconds after clearing the 1st step would be advised to cut off the connection without moving to the 2nd step and re-create a different image matrix for the 2nd-step EPS.
As such, the burden forced upon criminals is very heavy, whereas the burdens on the authentication server and the users are relatively light.
The authentication server is required to add another step of EPS to the default EPS for the users who opt for an additional protection against spear/targeted phishing.
The users who opt for the 2-step EPS are required to create two sets of image matrices and remember the advice that they should cut off the connection without moving to the 2nd step when they are kept waiting for more than a few seconds after clearing the 1st step, and then re-create a new image matrix for the 2nd step, preferably the one for the 1st step as well.
Whether or not this is too heavy a burden for the users may well depend on the value of the information asset that they have access to. Managers of classified and highly sensitive information in large volume probably do not view it as too much of a burden in view of the grave damage caused by spear/targeted phishing attacks.
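The 'Selective 2-step EPS' exchange above, together with the per-user matrices that the section on indiscriminate mass phishing relies on, as an added simulation that is not the author's code nor that of any EPS product. The genuine server keeps one randomly laid-out matrix per user and per step, stores only a salted hash of the registered images, and releases the 2nd-step matrix only once the 1st step has been cleared; the client refuses to disclose its 2nd-step images if that matrix arrives later than the user's wait limit. The image identifiers, the 16-image matrix size, the 3-second client limit and the server-side session deadline are all assumptions made for this illustration (the server-side deadline in particular is an added hardening the article does not describe); elapsed time is driven by a fake clock so the run is deterministic.

```python
"""Simulation of a 'Selective 2-step EPS' login (added example, not the author's
or any product's code).  Image ids, matrix size, wait limits and clock are constructed."""
import hashlib
import hmac
import random
import secrets
import time

POOL = [f"img{n:02d}" for n in range(1, 41)]   # constructed image identifiers


def _digest(salt, picks):
    """Salted hash of the set of registered images; picks are never stored in clear."""
    return hashlib.sha256((salt + "|" + ",".join(sorted(picks))).encode()).hexdigest()


class EpsServer:
    """Genuine server: one unique matrix per user and per step."""

    def __init__(self, clock=time.monotonic, step2_deadline_s=30.0):
        self.accounts, self.sessions = {}, {}
        self.clock, self.step2_deadline_s = clock, step2_deadline_s

    def _build(self, picks, matrix_size):
        rng = random.SystemRandom()
        decoys = rng.sample([i for i in POOL if i not in picks], matrix_size - len(picks))
        matrix = list(picks) + decoys
        rng.shuffle(matrix)                      # per-user layout, so matrices cannot be mass-cloned
        salt = secrets.token_hex(8)
        return {"matrix": matrix, "salt": salt, "digest": _digest(salt, picks)}

    def enroll(self, user_id, step1_picks, step2_picks, matrix_size=16):
        self.accounts[user_id] = {"step1": self._build(step1_picks, matrix_size),
                                  "step2": self._build(step2_picks, matrix_size)}

    def step1_matrix(self, user_id):
        """Shown to whoever presents the user id; the text treats it as capturable."""
        return self.accounts[user_id]["step1"]["matrix"]

    def verify_step1(self, user_id, picks):
        acct = self.accounts.get(user_id)
        if acct is None:
            return None
        s1 = acct["step1"]
        if not hmac.compare_digest(_digest(s1["salt"], picks), s1["digest"]):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = (user_id, self.clock())
        return token, acct["step2"]["matrix"]    # 2nd-step matrix released only now

    def verify_step2(self, token, picks):
        user_id, issued = self.sessions.pop(token, (None, 0.0))
        if user_id is None or self.clock() - issued > self.step2_deadline_s:
            return False                         # unknown or stale session
        s2 = self.accounts[user_id]["step2"]
        return hmac.compare_digest(_digest(s2["salt"], picks), s2["digest"])


def client_login(front_end, user_id, step1_picks, step2_picks,
                 max_wait_s=3.0, clock=time.monotonic):
    """User-side rule from the text: clear step 1, then refuse to continue if the
    2nd-step matrix is presented more than max_wait_s after step 1 was sent."""
    sent = clock()
    step1 = front_end.verify_step1(user_id, step1_picks)
    if step1 is None:
        return "step1_rejected"
    if clock() - sent > max_wait_s:
        return "suspected_phishing_abort"        # 2nd-step images are not disclosed
    token, _matrix2 = step1
    return "authenticated" if front_end.verify_step2(token, step2_picks) else "step2_rejected"


class FakeClock:
    """Deterministic clock for the demo; advance() stands in for elapsed wall time."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class SlowFrontEnd:
    """Front end that presents the 2nd-step matrix late; only the delay is simulated."""
    def __init__(self, server, clock, delay_s):
        self.server, self.clock, self.delay_s = server, clock, delay_s
    def verify_step1(self, user_id, picks):
        result = self.server.verify_step1(user_id, picks)
        self.clock.advance(self.delay_s)
        return result
    def verify_step2(self, token, picks):
        return self.server.verify_step2(token, picks)


def demo():
    clock = FakeClock()
    server = EpsServer(clock=clock)
    s1, s2 = ["img03", "img11", "img25", "img38"], ["img07", "img14", "img29", "img40"]
    server.enroll("alice", s1, s2)                               # constructed account
    prompt = client_login(server, "alice", s1, s2, clock=clock)
    late = client_login(SlowFrontEnd(server, clock, 8.0), "alice", s1, s2, clock=clock)
    wrong = client_login(server, "alice", s1, s2[:3] + ["img01"], clock=clock)
    return prompt, late, wrong


if __name__ == "__main__":
    print(demo())   # ('authenticated', 'suspected_phishing_abort', 'step2_rejected')
```

The client-side abort is the user advice from the text made mechanical; the server-side deadline is the natural complement, so that a 1st-step clearance cannot be held open indefinitely while a 2nd-step matrix is being prepared elsewhere.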
- Against Persistent Spear/Targeted Phishing
Criminals who persistently chase really valuable information assets could be discouraged if we deploy the 2-step EPS coupled with the 2-Channel method.
* I had not referred to ‘Phishing’ in any earlier writings, but it is not because I was ignorant of this problem. Some 12 years ago when I was a member of Japan’s Anti-Phishing Association organized by the government, I put forward a proposition of Expanded Password System as a deterrent to phishing attacks.
It went nowhere, however, at the association that was heavily dominated by biometrics, PKI and anti-virus people. I got dissatisfied with the association, quit it and have since focused on other tasks. A reader of my earlier articles recently asked me whether/what Expanded Password System can do against phishing attacks that are wreaking havoc here and there these days. That inquiry encouraged me to recall my earlier proposition and re-configure it with the latest technical resources.