I am a new comer to this forum. I was the interviewee for Risk Roundup #222 titled ‘Expanded Password System’.
I talked about the huge merits of making use of our episodic image memory for digital identity. Specifically, Expanded Password System (EPS), which accepts unforgettable images as well as texts, is practicable for the elderly and the panicked people, which explains why it is practiced by soldiers in the field.
And, what is practicable in the most demanding environment for the most demanding application can be easily practiced in everyday environment for everyday applications; the reverse is not true, though.
More on Expanded Password System
Here is a 3-minute video outlining what EPS is.
Should you be interested to see the overall picture of Expanded Password System, please have a look at this article – “Proposition on How to Build Sustainable Digital Identity Platform”
Hearing that EPS accepts non-text memory objects such as visual images as well as texts., some people are led to suppose that they need to consider a big investment to replace or re-build the existing text password systems.
It is not the case. All that they need to do is ensure that the password system accepts very long passwords, desirably hundreds of characters, for obtaining very high-entropy hashed values that can stand fierce brute force attacks.
Then, they would be free to opt to
- recommend the security-conscious users to try a simple two factor authentication made of a remembered password (what we remember) and a memo/storage with a long password written/stored on (what we possess), which they can use right away at no cost.
- recommend the users who want both higher security and better convenience to consider the ‘Image-to-Text Converter cum Entropy Amplifier’ software when EPS becomes readily available to all the citizens. The ‘Image-to-Text Converter cum Entropy Amplifier’ software can be offered as a plug-in module either for the server or the user’s device.
Democracy and Digital Identity
Passwords are so hard to manage that some people are urging the removal of passwords from digital identity altogether. They loudly advocate “Higher security achieved by removal of passwords.
I wonder if they are aware of what they mean by what they say. A society where identity authentication is allowed without users’ volition would be the society where democracy is dead. It’s a tyrant’s utopia.
Democracy must require the individuals to have the rights not to get their identity authenticated without their knowingly confirming it. This volitional process can be achieved only with volitional identity authentication made possible by memorized secrets, i.e., passwords.
Incidentally we are also witnessing such funny phenomena as quoted below.
‘PIN’ is an abbreviation of ‘Personal Identification Number’, which is unexceptionally used as an authenticator, not an identifier.
‘Password’ is defined by the central police agency as ‘Personal Identification Code’ in a country where I was grown up.
Quite a few people utter such a word as ‘Password Identification’ here and there.
These awkward phenomena are found not only in the general public but among the ‘professionals’ of cyber security and identity management, although the difference between ‘identification’ and ‘authentication is unmistakably clear; ‘Identification’ is to give an answer to the question of ‘Who is he/she?’, while ‘Authentication’ is to answer ‘Is he/she the person who claims to be?’ How on earth would it be possible to mix them up?
Our hypothesis is that the field of cyber security and identity management is too heavily populated by single-mindedly technology-obsessed people. This also makes the foundation for the wide spread myth that a higher security will be achieved by removing the password from digital identity. The value of democracy is obviously out of their sight.
We have to conclude that we wish to see the people in security and identity management to be more interested in liberal arts and common sense; digital identity is a problem of philosophy as well as technology.
Hitoshi Kokumai
PS Below are parodies that occurred to me with respect to the upended concept of ‘higher security achieved by removal of passwords.
———————–
Current foot brakes are far from sufficient in the slip distance. This means that the foot brake system is dangerous. We have now removed the dangerous foot brake system from the cars we sell. We instead offer the safer cars that are equipped with better steering wheels, better acceleration pedals and better hand brakes.
Physical keys are often stolen, copied and abused. This means that the lock/key system is dangerous. We have now removed the dangerous lock/key system from the houses that we sell. We instead protect our houses by making the door panels thicker and heavier
Passwords are often stolen, leaked and abused. This means that the password system is dangerous. We have now removed the dangerous password system from digital identity. We now protect the digital identity of our clients by offering the safer combinations of ‘physical tokens and biometrics’ instead of the dangerous combinations of ‘passwords’, ‘physical tokens’ and ‘biometrics’.
Understanding AI Industry Trends 