Death to Password? No! It Is Given New Life


Upload: hitoshi-kokumai

Post on 17-Jul-2015


Page 1: Death to Password?  No!  It is given new life

Death To Password?

No! It Is Given New Life

Many people shout that the password is dead or should be killed dead. The password could be killed, however, only when there is an alternative to the password.

Something belonging to the password (PIN, passphrase, etc) and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the alternative to the password.

For biometrics to displace the password, it must first stop depending on a password registered in case of false rejection.

A new life is given to the password by Expanded Password System (EPS).

22nd April, 2015

Mnemonic Security, Inc., Japan/UK

Page 2: Death to Password?  No!  It is given new life


What is EPS? 1/3

Only texts are accepted. As it were, we have no choice but to walk up a long steep staircase.

【Text Mode】 Where we want to continue to use textual passwords (3UVB9KUW). Recall the remembered password. Low memory ceiling.

【Graphics Mode】 Where we want to reduce the burden of textual passwords. Recognize the pictures remembered in stories. High memory ceiling.

【Original Picture Mode】 Where we want to make use of episodic image memory. Recognize the unforgettable pictures of episodic memories. Very high memory ceiling.

Free choices from, as it were, among staircases, escalators and lifts/elevators.

Page 3: Death to Password?  No!  It is given new life

What is EPS? 2/3

There are several known pictures.

I can easily find all of them right away.

Only I can select all of them correctly.

Practicable even in panic when images of episodic memory are registered

Incorporating the function of generating high-entropy online passwords from hard-to-forget images and texts.

Security of real/cyber-fused society hinges on online identity assurance

Online identity assurance hinges on shared secrets, i.e. what we remember

Video: http://www.youtube.com/watch?v=Q8kGNeIS2Lc

Technical details available at http://www.slideshare.net/HitoshiKokumai/expanded-password-system

Page 4: Death to Password?  No!  It is given new life


What is EPS? 3/3

When unique matrices of images are allocated to different accounts with the EPS, those unique matrices of images will be telling you what images you could pick up as your passwords.

Being able to recall strong passwords is one thing. Being able to recall the relations between accounts and the corresponding passwords is another.

EPS frees us from the burden of managing the relations between accounts and the corresponding passwords.

[Figure labels: Account A, Account B, Account C, Account D; Account E, F, G, H, I, J, K, L ...]
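An added sketch, not taken from the slides or from Mnemonic Security's product, of two ideas on these pages: turning a selection of remembered images (plus optional text) into a long per-account password, and measuring how much guessing entropy that selection carries. The 64-image matrix, the image identifiers, the salt and the use of PBKDF2 are all assumptions of this example; the slides do not say how EPS derives passwords.

```python
import base64
import hashlib
import math


def selection_entropy_bits(matrix_size, picks, ordered=False):
    """Bits an attacker must guess when `picks` distinct images are chosen
    from a matrix of `matrix_size` images (uniform choice assumed)."""
    if not 0 < picks <= matrix_size:
        raise ValueError("picks must be between 1 and matrix_size")
    count = math.perm(matrix_size, picks) if ordered else math.comb(matrix_size, picks)
    return math.log2(count)


def derive_account_password(selected_ids, text, account, salt, length=24):
    """Stretch the chosen image identifiers plus optional text into a
    per-account password. PBKDF2 is this example's choice, not EPS's."""
    # Sort so click order does not matter; length-prefix each part so
    # ("ab", "c") and ("a", "bc") can never encode to the same secret.
    parts = [i.encode() for i in sorted(selected_ids)] + [text.encode()]
    secret = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    # Mixing the account name into the salt gives every account its own output.
    key = hashlib.pbkdf2_hmac("sha256", secret, salt + account.encode(), 600_000)
    return base64.urlsafe_b64encode(key).decode()[:length]


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value
    picks = ["img-07", "img-19", "img-33", "img-58"]          # constructed image IDs
    for account in ("account-a", "account-b"):
        print(account, derive_account_password(picks, "", account, salt))
    print("4 of 64 images:", round(selection_entropy_bits(64, 4), 1), "bits")
    print("8 random chars from A-Z0-9:", round(8 * math.log2(36), 1), "bits")
```

The derived string is long and differs per account, but anyone who can see the matrix only has to search the possible selections, so matrix size, number of picks and any added text set the real strength.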

Page 5: Death to Password?  No!  It is given new life


Why EPS?

Biometric products operated in cyberspace require a password, called a backup/fallback password, to be registered in case of false rejection (footnoted on the next page).

Action patterns are too difficult to replay accurately and also require the fallback password in case of false rejection.

Multi-factor authentications require the password as one of the factors.

ID federations (single-sign-on services and password management tools) are operated with a password called the “master-password”.

PIN and passphrases belong to the password.

As such we are unable to live without the password and yet it is obvious that the conventional character password no longer suffices.

Here enters the EPS, a password system expanded to accept images on top of characters, which is expected to play a very significant role.

Page 6: Death to Password?  No!  It is given new life

Password-dependent password-killer - Widely spread nonsensical false sense of security -

Media seem busy spreading the hyped stories of “password-killing” biometric products. For biometrics to displace the password for better security, however, it must stop depending on a fallback password registered in case of false rejection.

Further details are available at http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

FOOTNOTE

Page 7: Death to Password?  No!  It is given new life


What can EPS achieve?

EPS can be viewed as an enhanced successor to text-only password systems on its own.

Furthermore EPS enables us to see truly powerful multi-factor authentications with a strong unique password being used as one of the factors for all different accounts, whether indoor or outdoor.

With EPS used for fallback passwords in case of false rejection, biometric solutions will offer good convenience without sacrificing much confidentiality.

We would also be able to see truly reliable decentralized ID federations with a strong unique password being used as the master-password for each of single-sign-on services and password management tools.

The outcome will be the most highly assured identity achieved through the most reliable “shared secrets”, which is indispensable for the coming age of

Electronic Healthcare, Pandemic-resistant Teleworking, ICT-assisted Disaster Prevention, Rescue & Recovery, Hands-Free Operation of Wearable Computing, Hands-Free Payment & Empty-Handed Shopping, Humanoid Robots, Internet of Things and, needless to say, Cyber Defence & Law Enforcement along with the basic need of real/cyber-fused social life.

Page 8: Death to Password?  No!  It is given new life


In Conclusion

Security of the real/cyber-fused society hinges on “Assured Identity”, which hinges on “Shared Secrets” in cyberspace. The text password has been the shared secret for many decades. We now need a successor to the text password.

We are in the middle of a decades-long game of choosing the finalist candidates for the legitimate successors, not just to the decades-old character passwords but to the centuries- or millennia-old seals and signatures. Those successors will form the basic foundation of the real/cyber-fused society, which may well last for generations or even centuries for the whole global population.

Among the most promising candidates is the Expanded Password System (EPS), which accepts images as well as characters and which generates a high-entropy password from hard-to-forget images and texts.

More information available at

http://www.slideshare.net/HitoshiKokumai/identity-assurance-expanded-password-system