Sequel 1
20th April, 2020
Hitoshi Kokumai
I had ‘Democracy and Digital Identity’ published on 30th January, 2020, in which we discussed the huge merits of making use of our own episodic image memory as the secret credential for digital identity with respect to Expanded Password System that we advocate.
The theory of expanded password system is not a hypothesis. The versatile practicability is demonstrated by the 5-year use by 140, 000 online shoppers, the 6-year use by 1,200 employees for a corporate network and the trouble-free military use by army soldiers.
The solid theory is also endorsed by OASIS recognition as a standard candidate, publishing by Taylor & Francis, selection as a finalist by Finance Data and Technology Association for ‘FDATA Open Finance Summit and Awards 2019’ and adoption by AFCEA for ‘2020 Solution Review Problem Sets’.
Below are the subjects further discussed in this sequel –
Rapid Increase in Military Use
Proposition to AFCEA
What can ‘probabilistic authenticators’ achieve in cyberspace?
Two Ways of Deploying Two-Factor Authentication
Pandemic-resistant Teleworking
Meaningless Comparison of Different Authenticators
‘Easy-to-Remember’ is one thing. ‘Hard-to-Forget’ is another.
Expanded Password System for High-Security Accounts
Secret Credential and Computing Power
Rapid Increase in Military Use
As for the versatile practicability of Expanded Password System, we now can refer to the trouble-free military use in the most demanding environment, with the users having increased 10-fold over the 7-year period from 2013 to 2020 and predicted to increase further; Images of toys, dolls, dogs and cats, for example, that our children used to love for years would jump into our eye even when we are placed in heavy pressure and caught in severe panic.
What is practicable in the most demanding environment for the most demanding application can be easily practiced in everyday environments for everyday applications; the reverse is not true, though.
Such an authentication system that copes with the panicky situations can be operated for all the everyday applications, too, as a stand-alone authenticator, as a factor of multi-factor schemes and as the master password of ID federation schemes.
Armed Forces Communications and Electronics Association (AFCEA) called for propositions for ‘2020 Solution Review Problem Sets’ which was intended to answer to U.S. Army Chief Information Officer who is seeking solutions to emerging or existing challenges.
We submitted an abstract of our proposition for Item #3 and were notified in early March 2020 that our abstract is kept on-file as a backup and will be included in the compendium of the abstracts that is made available to CIO/G6 leadership.
What can ‘probabilistic authenticators’ achieve in cyberspace?
A big question is often missing in the discussions about the deterministic authenticators (passwords and tokens) and probabilistic authenticators (biometrics); Are the users to blame when the login fails?’
When the user fails to feed a correct password or present a correct token, the user would be to blame. Well, when the sensor fails to get the user’s body features and behaviors authenticated, would the user be to blame?
Where the rejected users are solely to blame, their login would be justifiably denied. On the other hand, where the rejected users are not solely to blame, they should be given a fallback measure with which they can access what they must be able to access. In cyberspace, passwords/PINs are the fallback measures for the self-rescue in most cases.
Where biometrics is used together with a default/fallback password/PIN in a ‘two-entrance’ deployment, we will see the security getting brought down to the level lower than a password/PIN-only authentication. It is, as it were, a below-one factor authentication.
This is what the probabilistic biometrics achieves in cyber space. Criminals will benefit.
Two Ways of Deploying Two-Factor Authentication
Using two factors together does not always bring higher security.
Higher security is obtained when two factors are used in ‘two-layer’ deployment at the sacrifice of convenience, while better convenience is obtained when two factors are used in ‘two-entrance’ deployment at the sacrifice of security.
We must be careful not to mix up these two ways of deployments that have the exactly opposite security effects lest a serious false sense of security should be created and spread.
Pandemic-resistant Teleworking
Pandemic-resistant Teleworking – We started to use this phrase five years ago as a use case of the expanded password system that provides ‘hard-to-forget’, ‘hard-to-break’ and ‘panic-proof’ digital identity authentication platform, though it was no more than a hypothetical statement at that time.
We now witness the pandemic assaulting us before we get ready. We were unfortunately late for the current Covid-19. When, not if, the next one hits us in 5, 10 or 20 years ahead, humans will probably be yet more heavily dependent on Digital Identity. We or our successors will hopefully be able to make a meaningful contribution to the safe and resilient cyber life.
While waiting to see what will be happening in the pandemic-overwhelmed cyberspace, we will be steadily progressing the expanded password system in order to make it readily available to all the global citizens.
Meaningless Comparison of Different Authenticators
It makes no sense to compare the security of a strong or silly password with that of a poorly or wisely deployed physical token. Nobody can have the criteria for a meaningful comparison of the merits between ‘knife, fork and spoon’.
All that can be said about different authenticators are
- Secret credentials, say, the likes of passwords, are absolutely indispensable, without which identity assurance would be a disaster
- Two-factor authentication made of passwords and tokens provides a higher security than a single-factor authentication of passwords or tokens.
- Two-factor authentication made of biometrics and a password brings down the security to the level lower than a password-alone authentication.
- Passwords are the last resort in such emergencies where we are naked and injured
- We could consider expanding the password system to accept both images and texts to drastically broaden the scope of secret credentials.
‘Easy-to-Remember’ is one thing. ‘Hard-to-Forget’ is another.
Images are easy to remember – This observation has been known for many decades. It is not what we discuss.
What we discuss is that ‘images of our emotion-colored episodic memory’ is ‘Hard to Forget’ to the extent that it is ‘Panic-Proof’.
This feature makes the expanded password system deployable in any demanding environments for any demanding use cases, with teleworking in stressful situations included.
Expanded Password System for High-Security Accounts
Data-separation, with which images stay in the user’s device while the hashed credentials of extremely high entropy is stored on the authentication server, will help.
Bad guys would have to steal the user’s device and find the correct images quickly before the accounts get blocked. It would be next to impossible with the high-security version of Expanded Password System that comes with such functions as follows.
- Distinguishing certain errors that we are unlikely to commit from the errors that we are apt to make often. This function is expected to screen out bad guys accurately and quickly, while largely mitigating the user’s stress.
- Quietly sending a duress code/signal that is practicable in a panicky situation. There have been a number of suggestions of duress code, but the earlier ones have all been no more than a pipe dream because they are not practicable when we are caught in panic, in such a situation as at gun/knife point. Only the memorable images associated with our unforgettable episodic memory enables the practicable duress code.
Secret Credential and Computing Power
When the computing power was very limited, we were only able to use texts, namely, characters and numbers, as the secret credential for identity authentication. Now that the computing power is no longer so limited, we could accept non-text credentials such as visual images, audio sounds and tactile sensations where they contribute to better security and/or better usability.
Humans acquired the ability of reading, writing and remembering texts quite recently – a few hundred years ago for the majority of our ancestors. On the other hand, our ability of seeing, watching, finding, distinguishing and remembering visual objects dates back to 5 hundred million years ago. This ability is solidly inscribed at the deep layer of the brains for all of us.
Separately, we know that cognitive science supports that our episodic memory, much of which is visual, is the core of humans’ internal identity.
Would it be possible to not make use of our episodic image memory for our identity assurance?
Hitoshi Kokumai – Advocate of ‘Identity Assurance by Our Own Volition and Memory’, Hitoshi Kokumai is the inventor of Expanded Password System that enables people to make use of episodic image memories for intuitive and secure identity authentication. He has kept raising the issue of wrong usage of biometrics and the false sense of security it brings for 18 years. Mnemonic Security Inc. was founded in 2001 by Hitoshi Kokumai for promoting Expanded Password System. Following the pilot-scale operations in Japan, it is seeking to set up the global headquarters in UK.