External Body Features Viewed as ‘What We Are’
Body features are not 'what we are'


Body features are no more than body features

Can you be happy to see your external body features declared to be ‘what you are’?

 Quite a few security experts have long asserted that there are three components of identity authentication: ‘What We Remember’ (secret credentials), ‘What We Have’ (tokens and cards) and ‘What We Are’ (body features).

 Entering a correct secret credential is under our control, and so, to a large extent, is presenting a correct token or card. But our body features are simply beyond our control. Wouldn’t it be more appropriate to call the third component ‘What Our Body Features Are’?

 Furthermore, whether a secret credential is correct is a ‘Yes or No’ question; in other words, it is deterministic. So is possession of a token or card. But measurements of our body features give an answer of the form ‘X% probable, Y% improbable’. They are inevitably probabilistic, owing to the inherent nature of the body features of living creatures, which we can by no means put under our control.

 ‘What we remember’ and ‘what we have’, which are both deterministic, can be used together in a security-enhancing ‘two-layer’ deployment (both must be passed), whereas the probabilistic ‘what our body features are’ can in practice be used with another factor only in a security-lowering ‘two-entrance’ deployment (either may be passed).

 As such, we observe that we actually have two factors, ‘what we remember’ and ‘what we have’, as valid authenticators for identity assurance, with ‘what our body features are’ to be counted in cyberspace as an optional tool that increases convenience at the sacrifice of security.



 It might sound outrageous to the old school, who have long taken it for granted that ‘what we are’ is made of our external body features. But we are confident that the public will agree with us at the end of the day.


What makes ‘What We Are’?

 Cognitive science supports the observation that our sense of self is built from memory, especially the part of autobiographical memory called episodic memory. This view of identity is also supported by a number of philosophers. We rely on these observations in stating that what makes ‘what we are’ is ‘what we remember’.


 We may be a minority in the domain of cyber security and identity management at present, but that does not affect what is correct and what is wrong.

 On Digital Identity

 Meaningless Comparison of Different Authenticators

 It makes no sense to compare the security of a strong or silly password with that of a poorly or wisely deployed physical token. Nobody has criteria for a meaningful comparison of the merits of ‘knife, fork and spoon’.

 All that can be said about different authenticators is:

 1.  Secret credentials, such as passwords, are absolutely indispensable; without them identity assurance would be a disaster.

 2.   Two-factor authentication made of a password and a token provides higher security than single-factor authentication by a password or a token alone.

 3.   Two-factor authentication made of biometrics and a password brings security down to a level lower than password-alone authentication.

 4.   Passwords are the last resort in emergencies where we are naked and injured.

 5.   We could consider expanding the password system to accept both images and texts, drastically expanding the scope of secret credentials.

 Anything used correctly is helpful and so are UV, disinfectant and biometrics.

 Identification in physical space of personnel at critical facilities could be a correct use of biometrics. Another correct use is detection of a suspicious person trying to take over a logged-in device while the user is away. Behavioural biometrics could help here: when suspicious behaviour is detected, the person handling the device would be asked to enter a password for a fresh login.

 If biometrics used in cyberspace are explicitly declared to bring down security in return for increased convenience, that would be a correct use case. On the other hand, it is definitely wrong and unethical to declare that biometrics used with a default/fallback password/PIN will increase security.

 Mixing up the security-lowering ‘multi-entrance’ deployment of two factors with the security-enhancing ‘multi-layer’ deployment would bring a serious false sense of security, which is worse than a lack of security. Proponents of biometrics are expected to take this into account.


Anything used wrongly is harmful, and so are UV, disinfectant and passwords.

 Citizens do not stop re-using passwords across multiple accounts despite the persistently repeated warnings of security professionals, as discussed in this report: https://www.theregister.co.uk/2020/05/05/logmein_password_survey/


 Our view is that we will be unable to dissuade those individuals from registering absurdly weak passwords and re-using the same passwords unless we can offer them practicable alternatives.

 On Practicable Alternatives

   The password is easy to crack – Are you sure?

 Quite a few security professionals say ‘Yes’ very loudly. 

  We would say that a ‘hard-to-crack’ password is hard to crack and an ‘easy-to-crack’ password is easy to crack, just as strong lions are strong and weak lions are weak; look at the babies, the injured and the aged.

  However hard or easy to manage, the password is absolutely indispensable; without it digital identity would be a disaster. We need to consider how to make the password harder to crack while making it harder to forget.

 ‘Easy-to-Remember’ is one thing. ‘Hard-to-Forget’ is another.

 Images are easy to remember. This has been known for many decades, and it is not what we discuss.

 What we discuss is that ‘images of our emotion-coloured episodic memory’ are ‘hard to forget’ to the extent that they are ‘panic-proof’.

 This feature makes the Expanded Password System deployable in any demanding environment for any demanding use case, including teleworking in stressful pandemic situations.

  This subject and related issues are also discussed on Payments Journal, InfoSec Buzz, ValueWalk and Risk Group:

 https://www.paymentsjournal.com/easy-to-remember-is-one-thing-hard-to-forget-is-another/

 https://www.informationsecuritybuzz.com/articles/identity-assurance-and-teleworking-in-pandemic/

https://www.valuewalk.com/2020/05/digital-identity-biometrics-use/

 https://riskgroupllc.com/democracy-and-digital-identity-2/


 On Related Topics

 Another LAYER or Another ENTRANCE?

 Deterministic authentication factors, such as the ‘Yes or No’ of possession of a correct token, can be deployed as ‘ANOTHER LAYER’ for a more secure digital identity, and so can the ‘Yes or No’ of entry of a correct password.

 But we have not heard of cases where probabilistic factors such as fingerprints, selfies, irises and veins are deployed as ‘another layer’ in cyberspace. We only hear of cases where biometric sensing is deployed as ‘ANOTHER ENTRANCE’, which only brings down the reliability of identity authentication.

 What can ‘probabilistic authenticators’ achieve in cyberspace?

 A big question is often missing from discussions of deterministic authenticators (passwords and tokens) and probabilistic authenticators (biometrics): are the users to blame when login fails?

 When the user fails to enter a correct password or present a correct token, the user is to blame. But when the sensor fails to authenticate the user’s body features or behaviour, is the user to blame?

 Where rejected users are solely to blame, their login is justifiably denied. Where rejected users are not solely to blame, they should be given a fallback measure with which they can access what they must be able to access. In cyberspace, passwords/PINs are the fallback measures for self-rescue in most cases.

 Where biometrics is used together with a default/fallback password/PIN in a ‘two-entrance’ deployment, security is brought down to a level lower than password/PIN-only authentication. It is, as it were, below-one-factor authentication.

 This is what probabilistic biometrics achieves in cyberspace. Criminals will benefit.
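 The ‘another layer’ versus ‘another entrance’ argument above (and the ‘two-layer’ versus ‘two-entrance’ distinction earlier in this article) can be checked with a small probability model. The following is an added illustration, not code from this article or from Mnemonic Identity Solutions; all rates in it (password entropy, lockout limit, sensor FAR/FRR, number of presentations) are constructed inputs, not measurements of any product. A layered deployment requires the attacker to defeat both factors (AND), an entrance deployment lets the attacker defeat either (OR), so the entrance deployment can never be safer than the weaker of its two factors.

```python
"""Attacker success and legitimate-user acceptance when a deterministic
factor (password) is combined with a probabilistic one (biometric).

Added illustration of the 'another layer' vs 'another entrance' argument.
Not code from the article or from Mnemonic Identity Solutions; every rate
below is a constructed input, not a measurement of any real product.
"""


def password_guess_probability(entropy_bits: float, attempts: int) -> float:
    """Chance an online guesser gets in within `attempts` tries, assuming the
    password is uniform over 2**entropy_bits possibilities and the service
    locks out after `attempts` failures (assumed lockout policy)."""
    return min(1.0, attempts / 2 ** entropy_bits)


def multi_attempt_rate(rate_per_attempt: float, attempts: int) -> float:
    """Probability that at least one of `attempts` independent trials succeeds,
    e.g. an impostor presenting to a biometric sensor several times."""
    return 1.0 - (1.0 - rate_per_attempt) ** attempts


def layered_attacker_success(p_password: float, p_biometric: float) -> float:
    """'Another LAYER': the attacker must defeat BOTH factors (AND)."""
    return p_password * p_biometric


def entrance_attacker_success(p_password: float, p_biometric: float) -> float:
    """'Another ENTRANCE': the attacker may defeat EITHER factor (OR),
    as with a biometric login that has a password/PIN fallback."""
    return 1.0 - (1.0 - p_password) * (1.0 - p_biometric)


def layered_user_acceptance(frr: float) -> float:
    """A legitimate user who knows the password still fails when the sensor
    falsely rejects them (AND): the availability cost of a biometric layer."""
    return 1.0 - frr


def entrance_user_acceptance(frr: float) -> float:
    """With a password fallback a false rejection never locks the user out
    (OR); the FRR is irrelevant, which is why products are built this way."""
    return 1.0


def compare_deployments(entropy_bits: float, password_attempts: int,
                        far: float, frr: float, biometric_attempts: int) -> dict:
    """Summarise both deployments for one constructed parameter set."""
    p_pw = password_guess_probability(entropy_bits, password_attempts)
    p_bio = multi_attempt_rate(far, biometric_attempts)
    return {
        "password_only": p_pw,
        "biometric_only": p_bio,
        "layer_attacker": layered_attacker_success(p_pw, p_bio),
        "entrance_attacker": entrance_attacker_success(p_pw, p_bio),
        "layer_user": layered_user_acceptance(frr),
        "entrance_user": entrance_user_acceptance(frr),
    }


if __name__ == "__main__":
    # Constructed example: a 20-bit password with 10 online attempts before
    # lockout; a sensor with FAR 1e-4 and FRR 2 %, 5 presentations allowed.
    result = compare_deployments(entropy_bits=20, password_attempts=10,
                                 far=1e-4, frr=0.02, biometric_attempts=5)
    for name, value in result.items():
        print(f"{name:18s} {value:.3e}")
    # OR is never safer than the weaker factor; AND never weaker than the stronger.
    assert result["entrance_attacker"] >= max(result["password_only"],
                                              result["biometric_only"])
    assert result["layer_attacker"] <= min(result["password_only"],
                                           result["biometric_only"])
```

 Running the script prints, for the constructed parameters, an attacker success probability for the entrance deployment that is larger than for the password alone, and one for the layered deployment that is smaller than either factor; the last column shows the price of the layered form, a 2% lockout rate for honest users, which is the reason the fallback entrance exists in the first place.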

 ‘Physical Tokens’ vs ‘Onetime Password Messaging’

 Question: Which do you think is better as the second factor of two-factor authentication?

 Answer: It all depends on where you see the better balance between security and convenience for each use case.

 We can see a merit of physical tokens or hardware keys over OTP messaging, which is relatively more vulnerable in the online environment, but we can also see their demerit. When we have dozens of accounts to protect, would we have to carry around a big bunch of hardware keys, which could catch the quick eye of bad guys, or would we have to re-use one or a few hardware keys across many accounts, physically creating a single point of failure?

 To overcome this conflict, we came up with our own proposition of 2-channel/2-factor authentication, achieving an optimal balance between security and convenience at a higher level; it was implemented for a corporate network 6 years ago and is still running.


Click the link for more: https://www.dhirubhai.net/pulse/advanced-persistent-threats-digital-identity-hitoshi-kokumai/

 What Expanded Password System brings

 The Expanded Password System, which drastically alleviates password fatigue, is supportive of

 – Two/multi-factor authentication that requires a password as one of the factors

 – ID federations such as password managers and single-sign-on services that require a password as the master password

 – Biometrics that require a password as a fallback against false rejection (on the assumption that users are correctly informed that it is better convenience, not higher security, that the use of biometrics brings)

 – Simple pictorial/emoji passwords and patterns-on-grid, which can all be deployed on our platform

 * All with the effect that handling memorable images makes us feel pleasant and relaxed

 Furthermore, 

 – Nothing is lost for the people who want to keep using textual passwords

 – It enables us to turn a low-entropy password into high-entropy authentication data

 – It makes it easy to manage the relation between accounts and their corresponding passwords

 – It helps deter various phishing attacks

 – It helps to build a practicable Brain-Machine/Computer Interface

 – It helps with Self-Sovereign Identity and Bring Your Own Identity

 Last but not least, it is democracy-compatible, providing the chances and means to get our own volition confirmed in our identity assurance.

 The Expanded Password System is now at the ‘Draft Proposal’ stage for OASIS Open Projects.


< Remark >

This article is a sequel to Proposition on How to Build Sustainable Digital Identity Platform (updated)

< Related Articles >

For Achieving Solid Digital Identity on Information Security Buzz (Mar/2021)

Update: Questions and Answers - Expanded Password System and Related Issues (30/June/2020)

 History, Current Status and Future Scenarios of Expanded Password System (updated)

Negative Security Effect of Biometrics Deployed in Cyberspace (updated)

Removal of Passwords and Its Security Effect (updated)

Availability-First Approach

 

Hitoshi Kokumai

Advocate of Identity Assurance by Citizens' Volition and Memory. Founder and Chief Architect at Mnemonic Identity Solutions Limited

4 years ago

It is from NIST a few years ago that I learned the words of 'deterministic' and 'probabilistic' used with respect to authentications. But I have been talking about the security-lowering effect of biometrics since 2002.

Debesh Choudhury, PhD

Information Security Researcher, Academician, Entrepreneur | Password & Cybersecurity, Digital Identity, Biometrics Limit, 3D Education | Linux Trainer | Writer | Podcast Host

4 years ago

Hitoshi Kokumai You said the important truth about the usefulness of "what we are" = "measurements of our body features give us the answer as X% probable and Y% improbable. It has to be inevitably probabilistic due to the inherent nature of body features of living animals that we can by no means put under our control".

Petra Wenham

Semiretired, Dyslexic Trans ????? female. I give trans awareness talks, 71 to date (03/2020 to 03/2025). Past skills history: InfoSec, IT Risk Analysis & Management, GDPR. #trans # awareness #diversityandinclusion

4 years ago

An excellent read and a necessary one to read if you take InfoSec/Cyber security seriously
