Introduction for business people of Expanded Password System

Security of the real/cyber-fused society hinges on “Assured Identity”, which hinges on “Shared Secrets” in cyberspace.

The text password has been the shared secrets for many decades. We now need a successor to the text password.

There exists a promising candidate, an Expanded Password System (EPS) which accepts images as well as characters and which generates a high-entropy password from a hard-to-forget images and texts.　

20th April, 2015

Mnemonic Security, Inc., Japan/UK

2

What is EPS? 1/3

Only texts are accepted As it were, we have no choice but to walk up a long steep staircase　　

Where we want to continue to use

textual passwords

Where we want to reduce the burden oftextual passwords

Where we want tomake use of

episodic image memory

３ＵＶＢ９ＫＵＷ

【 Text Mode】 【 Graphics Mode】 【 Original Picture Mode】Recall the remembered password

Recognize the pictures remembered in stories

Recognize the unforgettable pictures of episodic memories

Free choices from, as it were, among staircases, escalators and lifts/elevators

Low memory ceiling Very high memory ceilingHigh memory ceiling

+ +

There are several known pictures.

I can easily find all of them right away.

Only I can select all of them correctly.

Practicable even in panic when images of episodic memory are registered

Incorporating the function of generating high-entropy online passwords from hard-to-forget images and texts.

Security of real/cyber-fused society hinges on online identity assurance

Online identity assurance hinges on shared secrets, i.e. what we remember

Video: http://www.youtube.com/watch?v=Q8kGNeIS2Lc

What is EPS? 2/3

Technical details available at http://www.slideshare.net/HitoshiKokumai/expanded-password-system

4

What is EPS? 3/3

When unique matrices of images are allocated to different accounts with the EPS, those unique matrices of images will be telling you what images you could pick up as your passwords.

Being able to recall strong passwords is one thing. Being able to recall the relations between accounts and the corresponding passwords is another.

EPS frees us from the burden of managing the relations between accounts and the corresponding passwords.

Account A Account B Account C Account D

Account E, F, G, H, I, J, K, L-----------

5

What problems is EPS expected to solve?

- White House cyber czar's goal: 'Kill the password dead'http://www.federalnewsradio.com/241/3646015/White-House-cyber-czars-goal-Kill-the-password-dead

“He cited studies showing as much as 80 percent of cyber intrusions — "some ridiculously high number," he said — are caused by exploiting weak or stolen passwords.”

- Cybercrime and espionage costs $445 billion annuallyhttp://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/09/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html

“CSIS used several methods to arrive at a range of estimates, from $375 billion to as much as $575 billion.”

- Passwords Still Pose Big Security Riskshttp://www.paymentssource.com/news/passwords-still-pose-big-security-risks-3018257-1.html

“Many “advanced data stealing attacks” happen simply from poor password practices.”

- Soon Hackers May Topple Global Economyhttp://i-hls.com/2014/05/report-soon-hackers-may-topple-global-economy/?utm_source=rss&utm_medium=rss&utm_campaign=report-soon-hackers-may-topple-global-economy&utm_source=Meital&utm_medium=Meital&utm_campaign=RSS

“Within the next five to seven years, as much as $21 trillion in global economic-value creation depends on robust cyber security”.

6

Why EPS?

Biometric products operated in cyber space require the password called a backup/fallback password to be registered in case of false rejection (footnoted on the next page).

Action patterns are too difficult to replay accurately and also require the fallback password in case of false rejection.

Multi-factor authentications require the password as one of the factors..

ID federations (single-sign-on services and password management tools) are operated with the password called “master-password”.

PIN and passphrases belong to the password.

As such we are unable to live without the password and yet it is obvious that the conventional character password no longer suffices.

Here enter the EPS, a password system expanded to accept images on top of characters, which is expected to play a very significant role.　

Password-dependent password-killer - Widely spread nonsensical false sense of security -

Media seem busy spreading the hyped stories of “password-killing” biometric products. For biometrics to displace the password for better security, however, it must stop depending on a fallback password registered in case of false rejection.

Further details are available at http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

FOOTNOTE

8

What are our competitions?

Setting aside the hyped stories of “password-dependent password-killer” solutions that are causing nonsensical false sense of security, among the broader password family are

1. Pattern-on-grid: The drawbacks of this method are (1) complicated patterns could have a very high entropy but humans cannot remember multiple numbers of such complicated patterns and (2) simple patterns like alphabets are easy to remember but are fully known to criminals as well.

2. Simple pictorial password: Not all the pictures are good for passwords. Pictures or outstanding features on pictures that we manage to remember afresh are subject to the cognitive phenomenon called “interference of memory” if not as badly as meaningless random characters. So it is still easy-to-break if it is easy-to-remember and hard-to-remember if it is hard-to-break.

3. Facelock: Researchers at York University who specialize in cognitive psychology came up with a competitive approach by using friends’ faces as the hard-to-forget passwords, which is far less subject to “interference of memory” and therefore users can manage many of them at a time, though it is not sufficiently hard-to-break. We have now teamed up with them.

Remark: It is possible to deploy all the above on the EPS platform as the variations. 　

9

What can EPS achieve?

EPS can be viewed as an enhanced successor to text-only password systems on its own.

Furthermore EPS enables us to see truly powerful multi-factor authentications with a strong unique password being used as one of the factors for all different accounts, whether indoor or outdoor.

With EPS used for fallback passwords in case of false rejection, biometric solutions will offer good convenience without much sacrificing the confidentiality.

We would also be able to see truly reliable decentralized ID federations with a strong unique password being used as the master-password for each of single-sign-on services and password management tools.

The outcome will be the most highly assured identity achieved through the most reliable “shared secrets”, which is indispensable for the coming age of

Electronic Healthcare, Pandemic-resistant Teleworking, ICT-assisted Disaster Prevention, Rescue & Recovery, Hands-Free Operation of Wearable Computing, Hands-Free Payment & Empty-Handed Shopping, Humanoid Robots, Internet of Things and, needless to say, Cyber Defence & Law Enforcement along with the basic need of real/cyber-fused social life.

10

What market potential does EPS have?

With billions of people suffering the same big headache, the problem to be addressed by our solution is huge, Substantial revenues will be expected for the business of providing the most practicable solution.

Global sales forecasts are difficult to figure out at this stage. The number of some US$1 million over the past non-turbulent 10 years that we experienced in Japan probably does not make a good clue to the figures for the globally turbulent future.

The vacuum for comprehensive and practicable solutions will probably be just vast that will come up in front of us when the hyped misleading stories of "password-killer" solutions have evaporated. The sales in 3 - 5 years' time could be in the order of $10m or $100m or $1bn.

How quickly we can reach $100m sales will largely hinge on how quickly the false sense of security about the "password-dependent password-killer" biometric products gets killed dead. For people who take it for granted that the password problem will eventually be solved by the dazzling “password-killer” solutions would find it difficult to agree with us that our products will have a sizeable share on the market for the solutions to the password problem.

11

What EPS products are available?

a. Server software for online-access 　　　b. Server software for onetime password generationc. Server software for single sign on with OpenID protocol d. Client software for Windows PC logon 　　　e. Client software for smart devices logonf. Client software for “image”-to-”text password” conversion 　　　　　g. Library for general purpose

h. Client CryptoMnemo software with data encryption function i. Client Authority-distributed CryptoMnemo for prevention of insiders’ crimej. Server-Client extension for (i).

* Some four million dollars, half of which from the Japanese government, have been invested into the research and development of the above product lineup.

** All the above products were developed in Japanese for Japanese customers. With the algorithm fully completed, all of them can be put on the global market straight away when re-written in English.

12

What sectors should be first taken up?

Among such new frontiers as Electronic Healthcare, Pandemic-resistant Teleworking, ICT-assisted Disaster Prevention, Rescue & Recovery, Hands-Free Operation of Wearable Computing, Hands-Free Payment & Empty-Handed Shopping, Humanoid Robots, Internet of Things, Cyber Defence & Law Enforcement along with the basic need of real/cyber-fused social life,

the sectors that should be looked at first are

1. Where secure identity assurance is needed for elderly people for whom character passwords are too difficult.

2. Where people have to get their identity proven securely even when they are caught in panic

3. Where people have to safely manage many numbers of accounts each of which requires a unique strong password.

13

Who are we?

Hitoshi Kokumai, Inventor of Mnemonic Guard, pioneer of Expanded Password System, and Founder of Mnemonic Security, Inc.

He used to work for a UK company whose original name was Nairn International Limited, a part of Unilever in 1984, as a contract business development coordinator. Over the 22 years of service until 2006 he contributed to UK’s export of some 100 million Pounds through 60 trips between UK and Japan. He was graduated from Economics Faculty of Kyoto University in 1971.

Ryuhei Masuno, Co-Founder of Mnemonic Security, Inc.

Before joining Hitoshi Kokumai for this business, he used to be a member of the board of Asahipen, a paints and home products manufacturer listed at Osaka Stock Exchange where he was responsible for accounting and general corporate management. He was graduated from the Law Faculty of Kyoto University in 1972.

14

In Conclusion

We are in the middle of the decades-long game of having the finalist

candidates chosen for the legitimate successors not just to the decades-old

character passwords but to the centuries or millennia-old seals and

signatures, which will make the basic foundation for the real/cyber-fused

society that may well last for more than generations or even centuries for the

whole global population. Please join us and support us for this nice exciting

enterprise.

For any further information, please feel free to contact

Hitoshi Kokumai at

Mail: kokumai@mneme.co.jp

Skype: kokumaiskype

Tel: 81 – 90 – 5460 – 7350 (when staying in Japan)

44 – 7738 – 905032 (when staying in UK)