identity assurance & expanded password system
TRANSCRIPT
Identity Assurance & Expanded Password System
Summary: Security of the real/cyber-fused society hinges on “Assured Identity”, which hinges on “Shared
Secrets” in cyberspace. The text password has been the shared secrets for many decades. We now need a
successor to the text password. There exists a promising candidate, an Expanded Password System which
accepts images as well as characters and which generates a high-entropy password from a hard-to-forget
password.
Multi-factor authentications and ID federations (single-sign-on services and password management tools)
are operated with the password. The password is indispensable for the biometric products operated in
cyber space. As such we are unable to live without the password and yet it is obvious that the conventional
character password no longer suffices. Expanded Password System that accepts images on top of
characters is expected to play a very significant role.
The problem to be addressed by our solution is huge, with billions of people suffering the same big headache.
Substantial revenues will be expected for the business of providing the most practicable solutions.
We already have several products developed for the Japanese market. Therefore we will not have to start
the development from scratch, but will only have to re-write the software in the English language with the
latest cryptography and anti-hacking measures for the global market with a relatively small budget.
(1) Introduction
It is well known that digital currencies would not exist without cryptography, but not many people are
aware that digital identity assurance, say, the issue relating to passwords is also crucial: Assume that a
digital currency be protected by an encryption key of 256-bit entropy and the program to manage the digital
currency system be protected by a manager’s password such as P@$$WoRd1234 or a PIN like 3485, the
chances may well be that the currency management system will have been taken over by the criminals who
broke the password/PIN rather than those who tried to attack the 256-bit encryption key.
Without the reliable digital identity assurance, such emerging industries and critical infrastructures as
below would also be infeasible.
- Electronic Healthcare
- Pandemic-resistant Teleworking
- ICT-assisted Disaster Prevention, Rescue & Recovery
- Hands-Free Operation of Wearable Computing
- Hands-Free Payment & Empty-Handed Shopping
- Humanoid Robots
- Internet of Things
and, needless to say, Cyber Defence & Law Enforcement
The passwords to be registered have to satisfy following requirements:
- The password should be strong enough.
- The same password should not be reused across multiple accounts.
- The memo on which passwords are written could be used indoor but should not be brought outdoor.
It is possible to satisfy one of them. But it is not possible to satisfy all of them. It is not what average
humans can do.
It is known that humans can firmly remember and correctly recall only 5 text passwords on average, whilst
the number of services requiring password protection is now thought to be over 20 and ever increasing for
most of us, with urges to change them more frequently in the aftermath of recurring password leakage
incidents.
(2). Alternative password systems?
In response to this perplexing situation, biometrics, multi-factor solutions and ID federations (single-sign-on
services & password management tools) are often advocated as an alternative to the password.
Some people even shout that the password is dead or should be killed dead. However, the password could
be killed only when there is an alternative to the password. Something belonging to the password(PIN,
passphrase, etc)and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the
alternative to the password. Neither can be something that has to be used together with the password
(biometrics, auto-login, etc).
If wisely operated all those solutions could certainly help alleviate the pains of difficult-to-manage passwords,
either by the better convenience obtained by sacrificing the confidentiality (biometrics & ID federations) or
by the enhanced confidentiality obtained by sacrificing the convenience (2/multi-factors).
But it would be inappropriate to call them an alternative to the password - biometric solutions are generally
operated together with a password for self-rescue in case of false rejection, one of the multi-factors is a
password and the ID federations require the password called a master-password. The password cannot be
killed until there is a true alternative to it. (To be more closely discussed in the appendix.)
It is too obvious, anyway, that the conventional text password alone can no longer sustain the need of the age
and we urgently require a successor to it, which should be found from among the broader family of the
passwords and the likes.
Textual passwords, with PIN (numbers-only password) included, could suffice two decades ago when
computing powers were still limited, but the ever accelerating computing powers have now made the textual
passwords too vulnerable for many of the cyber activities. The same computing powers are, however, now
enabling us to handle images and pictures, providing us with the alternative to the vulnerable textual
passwords. Now its successor is wanted beyond texts.
We can remember and recall only 5 text passwords on average, not due to our silliness or laziness, but due to
the cognitive phenomenon called "Interference of Memory". Memories of numbers and alphabets, which
contain very limited information, are subject to the severe interference of memory which causes terrible
confusions in what we remember, whereas the memories of images and pictures, particularly those of
episodic/autobiographic memories that contain a great deal of information with emotional feeling, are not.
This indicates that we can easily manage passwords well beyond 5 or 10 when we make good use of the
episodic image memories. It could thus make the optimal alternative to the textual passwords when we
make sure that confidentiality is not lost.
Most of the humans are thousands times better at dealing with image memories than text memories. The
former has the history of hundreds of millions of years while the latter is still very new to us. I wonder
what merits we have in confining ourselves in the narrow corridor of text memories when CPUs are fast
enough, bandwidth broad enough, memory storage cheap enough, and cameras built in mobile devices.
(3) Expanded Password System
The Expanded Password System “Mnemonic Guard” that we advocate, which makes use of episodic image
memory in addition to textual memory, can be viewed as an enhanced successor to text-only password
systems on its own. Furthermore, the Expanded Password System will enable us to see truly powerful
multi-factor authentications with a strong unique password being used as one of the factors for all different
accounts, whether indoor or outdoor.
With the Expanded Password System used as a rescue-password in case of false rejection, biometric
solutions will offer good convenience without much sacrificing the confidentiality. We would also be able to
see truly reliable decentralized ID federations with a strong unique password being used as the
master-password for each of single-sign-on services and password management tools. The outcome will be
the most highly assured identity achieved through the most reliable “shared secrets”
Identity verification which has been represented by seals and handwritten signatures is not just one of the
many factors for cyber security, but is the very foundation of the social infrastructure without which no social
life can exist. This relation between the society and the identity verification will not change so long as
humans live social lives. Mnemonic Guard, pioneer of the Expanded Password System., can well be a
legitimate successor to seals and handwritten signatures so long as humans need cyberspace.
As the successor to seals, handwritten-signatures and text passwords, the Expanded Password System is
expected to help support the cyber society so long as humans need it.
Remark 1: “Assured Identity”, “shared secrets” and “IPV” are defined in “Good Practice Guide No.45
Identity Proofing and Verification of an Individual” issued by UK Cabinet Office.
Remark 2: The idea of using pictures for passwords is not new. It has been around for more than two
decades but the simple forms of pictorial passwords were not as useful as had been expected. For the
UNKNOWN pictures that we manage to remember afresh are still easy to forget or get confused, if not as
badly as random alphanumeric characters.
Mnemonic Guard is new in that we make good use of KNOWN images that are associated with our
episodic/autobiographic memory. Since these pictures are the least subject to the interference of memory, it
enables us to manage dozens of unique strong passwords without reusing the same password across many
accounts or carrying around a memo with passwords on it. Furthermore, we no longer need to manage to
remember the relations betweens accounts and passwords because each account shows its own unique
picture matrix.
The Expanded Password System is inclusive of textual as well as non-textual passwords. Users can retain
the textual passwords as before while they expand their password memory to include the non-textual
passwords without being impeded by the cognitive effect of “interference of memory”. It is extremely
difficult to imagine the users who would suffer disadvantage or inconvenience by taking up the expanded
password system.
Remark 3: High-entropy passwords generated from low-entropy passwords
Generally speaking, hard-to-break passwords are hard-to-remember. But it is not the fate. It would be
easily possible to safely manage many of high-entropy passwords with the Expanded Password System that
handles images as well as characters.
Each image/character is identified by the image identifier data which can be any long. Assume that your
password is “CBA123” and that those characters are identified as X4s&, eI0w, and so on. When you input
CBA123, the authentication data that the server receives is not the easy-to-break “CBA123”, but something
like “X4s&eIwdoex7RVb%9Ub3mJvk”, which might be automatically altered periodically or at each access if
required.
When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data
back to the original password. Give different sets of identifier data to “CBA123” and the different servers will
receive all different high-entropy authentication data. Brute-force attacking of “CBA123” and other similarly
silly passwords would perhaps take less than a few seconds with dictionary and automatic attack programs
but it could be an exhausting job when criminals have to manually touch/click on the display with their
fingers. This function of managing strong passwords by weak text passwords is one of the secondary merits
of the Expanded Password System.
Remark 4: Passwords & Corresponding Accounts
Being able to recall strong passwords is one thing. Being able to recall the relations between accounts and
the corresponding passwords is another. When unique matrices of images are allocated to different
accounts with the Expanded Password System, those unique matrices of images will be telling you what
images you could pick up as your passwords.
The Expanded Password System thus frees us from the burden of managing the relations between accounts
and the corresponding passwords.
The merits of Expanded Password System are closely discussed at
http://mneme.blog.eonet.jp/default/files/proposition_of_expanded_password_system.pdf
The outline of Mnemonic Guard is available at
http://mneme.blog.eonet.jp/default/files/outline_of_mnemonic_security.pdf
< Appendix> More discussions on related themes
(I) Volitional Participation
We naturally wish to retain the volitional participation in all the critical aspects of our life whether in the
real world or in the cyber space.
Account A Account B Account C Account D
Account E,
F, G, H, I, J,
K, L-----------
The likes of passwords, which cannot be practiced without users’ volition, must stay with us for good in the
cyber space because the volitional participation in proofing and verification of users’ identity cannot be
ensured otherwise. What are desirable from this view point are (a) a firmly remembered password on its
own. (b) password management tools and single-sign-on services that are managed by a firmly remembered
master password, (c) multi-factor authentications with a firmly remembered password as one of the factors
and (d) biometric products that are operated together with a firmly remembered password by
AND/Conjunction (we need to go through both passwords and biometrics)
What are NOT desirable from the view point of volitional participation are (e) so-called auto-login solutions,
which allow us to sleep peacefully or drink much only when we are on our own in a securely locked room and
(f) biometrics products operated without a password altogether or operated together with a password by
OR/Disjunction (we need only to go through either passwords or biometrics) as in the cases of Touch ID and
most of the products now on the market, which could bring such awkward situations as
http://mashable.com/2013/09/11/girl-fingerprint-scanner/
(II) Identity Assurance FOR mobile devices as against Identity Assurance BY mobile devices
Should we apply the operation models of “Identity assurance BY mobile devices” to “Identity Assurance FOR
mobiles devices”, we would need to carry around two mobiles devices all the time.
It may be recommended for the types of cyber activities that require the best possible security practices.
For most of the cyber activities, for which carrying around 2 mobile devices all the time is too heavy a burden,
however, the best security practices may well be using just a high-entropy password, which can possibly
stand the dictionary attacks and brute-force attacks, possibly with some Q&A based on the MNO-held
real-time information where desirable.
(III) Convenience versus Security
The themes discussed here are (1) ID federations,, (2) PKI, (3) Two/multi-factor authentication, (4)
Biometrics, (5) Auto-login and (6) PIN.
(1) ID federations
ID federations (single-sign-on services and password managers) create a single point of failure, not unlike
putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my
passwords to criminals when hacked. It should be operated in a decentralized formation or should be
considered mainly for low-security accounts, not for high-security business. It would also be desirable to
require multiple security levels for different levels of services. The most important accounts should desirably
be protected by the strongest possible passwords unique to each account.
Needless to say, the strength of the master-password for ID federations is crucially important.
(2) PKI
The PKI software and the private key stored on a token or phone can effectively proves the identity of the
token or phone, but not the identity of a person who is holding the token or phone. The tokens and phones
are easily left behind, lost, stolen and abused. Then the password would be the last resort.
(3) Two/Multi-factor authentications
Two is larger than one on paper, but two weak boys in the real world may well be far weaker than a
toughened guy. Physical tokens and phones are easily left behind, lost, stolen and abused. Then the
password would be the last resort. A truly reliable 2-factor solution required for important accounts needs
the use of the most reliable password.
(4) Biometrics
Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2)
by OR/disjunction. Biometric products operated by (1) are not known. The users of such products must
have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they
would have to see the device reset.
Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices
by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of
the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy)
is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other
biometric sensors are less secure than the devices protected only by a password. It is very worrying to see
so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when
talking about “using two factors together”.
Incidentally, it is not possible to compare the strength of biometrics operated on its own with that of a
password operated on its own. There are no objective data about the overall vulnerability of biometric
solutions (not just false acceptance rate when false rejection is near-zero but also the risk of forgery of body
features and the risk of use when the user is unconscious) and that of the passwords (not only that it may be
as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.)
(5) Auto-login
Auto-login is what we cannot achieve with the passwords but we can so easily achieve with the likes of
electronic tattoos and swallowed chips.
We know that the function of having someone else login to our phone/tablet/PC on our behalf while we are
unconscious is already realized by biometrics as shown again in
http://mashable.com/2013/09/11/girl-fingerprint-scanner/
But with the likes of electronic tattoos and hypodermic or swallowed microchips, we can expect the third
persons to login to our accounts on our behalf a bit more gently and silently. The third persons would not
have to behave very carefully not to wake us up. All that they have to do is just placing our PC/tablet/phone
in the vicinity of our unconscious bodies. Then they would have a freehand over our accounts on our behalf.
Some people, for whom convenience is the top priority, might regard this as a proof that the passwords have
the fatal drawbacks. We are, however, of the view that this tells us how critical it is to involve the
confirmation of the users’ volition to make the login for identity authentication.
(6) PIN
Many people take it for granted that PIN is easier to remember than an alphanumeric password because it
is simpler. The fact is, however, that PIN, a numbers-only short password, is even more subject to the
interference of memory exactly because it is simpler, say, it contains less information, which gets the user
confused more easily and more badly than a longer alphanumeric password. It is, therefore, more difficult
for us to eliminate the reuse across many accounts. You could listen to yourself for your own experience.
(IV) Statistics on Rampant False Sense of Security:
Two university researchers in Japan carried out a brief survey in November 2014 about how the security of
(1) PKI, (2) fingerprint scan and (3) onetime password are perceived by 49 university students in science and
technology sectors. Below is the result. (In the brackets are the numbers of students who are learning
information security.)
(1.) Do you know PKI? Yes 34 (31), No 15 (0)
(To those who answered Yes) Do you think that a PKI-loaded IC card provides higher security than a
password? Yes 12 (12), No 1 (1), No change 4 (4), Do not know 12 (9), Depends 4 (4), No Answer 1 (1)
(2) Do you know of the fingerprint scanners loaded on smart devices? Yes 44 (28), No 5 (3)
(To those who answered Yes) Do you think that a fingerprint scanner provides higher security than a
password? Yes 16 (11), No 7 (5), No change 4 (2), Do not know 12 (8), Depends 5 (2)
(3) Do you know OTP (onetime password)? Yes 39 (30), No 10 (1)
(To those who answered Yes) Do you think that a onetime password provides higher security than a
remembered password? Yes 17 (5), No 1 (1), No change 3 (2), Do not know 10 (8), Depends 7 (6), No Answer
1 (1)
The answer we expected were either “Do not know” or “Depends” for all the 3 questions, preferably followed
by “because there are no objective data that enable us to directly compare the security of
PKI/OTP/Finger-Scan operated on its own and that of the password operated on its own. And,
PKI/OTP/Finger-Scan operated with a password by AND/Conjunction (we need to go through both the
former and the latter) is securer than the same password only, but PKI/OTP/Finger-Scan operated together
with a password by OR/Disjunction (we need only to go through either the former or the latter) is less secure
than the same password only.”
That many students gave (Yes) to (1) and (3) is somehow understandable because PKI and OTP are
generally operated with a password by AND/Conjunction . But it is very worrying that so many students
learning information security (11 out of 28) gave (Yes) to (2) For Apple’s Touch ID and most other
finger-scanners on the market are operated together with a backup/fallback password by OR/Disjunction in
case of the false rejection. False sense of security about a threat could be even worse than the threat itself.
This survey is not large enough to extract a decisive conclusion, but we could well imagine that this chilling
false sense of security is even more rampant among the people who have not learnt or are not learning
information security as a major subject.
<End>