How to not see our weak digital identity further weakened (updated 31May2023)
Hitoshi Kokumai
Advocate of Identity Assurance by Citizens' Volition and Memory. Founder and Chief Architect at Mnemonic Identity Solutions Limited
A. Introduction - From ‘Password Fatigue’ to ‘Fatigue-free Password’?
We often hear of ‘xxxx-fatigue’ these days. ‘Password Fatigue’ is one of them.
Well, there are two approaches to coping with this fatigue problem.
One is to promote a ‘Fatigue-free’ Password System. This is what we are achieving with the Expanded Password System (EPS) powered by citizens’ non-volatile episodic memory: say, from ‘Password Fatigue’ to ‘Fatigue-free Password’.
The other is to throw away the password and give up the security that the password has somehow provided. This is what ‘passwordless’ and ‘biometrics’ authentication schemes are set to achieve, to the delight of criminals.
From a different perspective, we anticipate that cyberattacks of grave consequences, of a kind we probably have not witnessed so far, will happen, and will probably keep happening again and again until our behaviour changes.
We have three scenarios:
1. Enhancing the defense
2. Inaction
3. Weakening the defense
What we are witnessing in the foundation of cybersecurity, namely digital identity, is neither (1) nor (2), but (3).
We dissect the security-destructive effects of ‘passwordless’ authentication schemes in this paper.
B. Basics of Digital Identity Security
A: The ‘Yes/No’ on feeding the correct password/EPS and the ‘Yes/No’ on presenting the correct token are deterministic, whereas biometrics, which measures the unpredictably variable body features of living animals in ever-changing environments, is probabilistic.
B: It is practically impossible to compare the security of a strong or silly password with that of a poorly or wisely deployed physical token, even though both passwords and tokens are deterministic.
C: A direct comparison of something deterministic with something probabilistic brings us nowhere.
D: A deterministic authenticator can be used on its own, whereas a probabilistic authenticator loses availability when used on its own, since a falsely rejected user has no other way in.
E: Deterministic authenticators can be used together in a security-enhancing ‘multi-layer’ (in-series) deployment, whereas a probabilistic authenticator can be combined with another authenticator only in a security-lowering ‘multi-entrance’ (in-parallel) deployment, unless availability can be disregarded.
F: Removal of the password brings a catastrophic loss of security. It also poses a grave threat to democracy.
G: A PIN belongs to the password family as a numbers-only password; displacing the password with a PIN is like displacing the ‘knife family’ with a ‘paper knife’.
H: Password/EPS, token and biometrics are ‘authenticators’, while two/multi-factor schemes, decentralized/distributed digital identity, single-sign-on schemes and password management tools are all ‘deployments of authenticators’; we would gain nothing by comparing the former with the latter.
C. Specific Problems of Passwordless Schemes
Remove the password, and we might find ‘secure’ scenes like this at every ATM.
We could accept ‘passwordless’ authentication without losing our sanity if it came with a transparent statement that it brings ‘better availability’ at the cost of losing security, helping people where availability and convenience, not security, matter most.
The problem is that the ‘passwordless’ promoters adamantly allege that passwordless schemes increase security, thus spreading a false sense of security.
The false sense of security not only weakens the defence of democratic nations from within, at a time when we have to cope with ever-increasing cybersecurity threats from aggressive anti-democracy regimes, but also prevents global citizens from being better prepared against those threats by making good use of the defence surface of the password and its expanded developments.
Let us try a breakdown of the passwordless concept.
(1) Password-less + nothing else: the least secure
(2) Password-less + something else: more secure than (1)
(3) Password + something else: here is the point of argument
By our criteria, security increases from (1) to (3). By the ‘passwordless’ folks’ criteria, however, the security of (2) is viewed as higher than that of (3), presumably because the attack surface of the password is removed in (2) whereas the attack surface of the password is present in (3).
Well, let me try the same for ‘token-less’ login.
(1) Token-less + nothing else: the least secure
(2) Token-less + something else: more secure than (1)
(3) Token + something else: here is the point of argument
By our criteria, security increases from (1) to (3). By the ‘passwordless’ folks’ criteria, however, the security of (2) should be viewed as higher than that of (3), because the attack surface of the token is removed in (2) whereas the attack surface of the token is present in (3).
Did you find it fun, or very worrying?
PS: Some people try to compare (2’) passwordless + PKI-based token as the ‘something else’ with (3’) password + nothing else. Nobody can tell which is more secure than the other; who can tell whether a PIN-only ATM or a card-only ATM is the safer?
Obviously, the comparison must be made between (2’) passwordless + PKI-based token and (3’’) password + PKI-based token.
The ‘passwordless’ promoters might have been trapped in a cognitive pitfall. From our experience of debating with them, we suspect three possible scenarios:
(1) They may have mistaken ‘what is not good and helpful enough’ for ‘what is bad and harmful’.
(2) They may have failed to notice that a token, whether PKI-based or otherwise, also carries the attack surface of being stolen or otherwise compromised.
(3) They may have assumed that the defence surface is part of the attack surface in the case of the password.
We wish the ‘passwordless’ folks had listened to our advice.
D. Some More Discussions related to ‘Passwordless’ Authentication
Unable to Serve when Removed
“What is removed can never be attacked” is true, but “what is removed can never serve” is also true. The latter is often forgotten. Soldiers and passwords that are not there can never be attacked, but neither can they ever serve.
Basics of Biometrics
Biometrics plays a critical role for the people who want to see the password removed.
All biometrics share the same feature: they measure the unpredictably variable body features of living animals in ever-changing environments. All biometrics are therefore inevitably probabilistic by nature.
Whatever is probabilistic brings false acceptance and the corresponding false rejection. The former invites attackers to take advantage of it by any possible means, while the latter can only be solved by bringing in a fallback measure, a password/PIN code in most cases, to the delight of attackers.
Deploying biometrics in identity authentication destroys the security that the password/PIN code had somehow provided so far, as visually examined in this 2-minute video “Biometrics in Cyber Space - ‘below-one’ factor authentication”: https://youtu.be/wuhB5vxKYlg
Deploying biometrics for individual identification by officials who are not literate enough about the probabilistic nature of biometrics often results in mistaken arrests. This problem could largely have been prevented if the biometrics vendors published the empirical false acceptance rates and the corresponding false rejection rates (empirical = actually measured in real use environments), which they will not publish and about which the authorities are silent.
And yet there are so many security professionals and media reporters who still loudly tout biometrics as an advanced high-tech solution while looking away from the need to get empirical false acceptance/rejection rates known to the public.
Pseudo-MFA
MFA helps only when multiple factors are deployed correctly in a ‘multi-layer’ (in-series) formation. When deployed in a ‘multi-entrance’ (in-parallel) formation, MFA brings down security by increasing the attack surface.
It is no more than a ‘Pseudo-MFA’, whose security is even lower than that of single-factor authentication. And, to the best of our knowledge, all biometrics-based MFA is deployed in this security-lowering formation.
There is nothing wrong with using biometrics this way, provided users are duly informed that security is sacrificed in return for availability. It would, however, be very unethical if users were left trapped in a false sense of security, wrongly feeling safer when they are actually less safe.
It would be rational to keep away from pseudo-MFA where security matters.
False Sense of Security
There are two types of false sense of security -
(A) People are not safer and yet people feel safer
(B) People are actually less safe and yet people feel safer
Obviously (B) is far more devastating than (A). Actually, we are witnessing the already weak identity security being further weakened from within.
Puzzling Silence of Cybersecurity Professionals
Is it because the problem is out of their sight? It is terrifying to see citizens hearing critical security recommendations from those ‘unknowledgeable cybersecurity professionals’!
Is it because the problem is in their sight and they have opted for ‘après moi le déluge’ or ‘Out at sea, no choice but to sail or sink in the same boat’ for the sake of their selfish interests? It is terrifying to see citizens hearing critical security recommendations from those ‘dishonest cybersecurity professionals’!
The topic is the ‘cybersecurity professionals’ who look the other way and stay silent about the false sense of security brought about by the falsely alleged ‘security-enhancing’ effects of ‘passwordless’ and ‘biometrics’ authentication schemes, which get our weak identity security further weakened from within.
We have long been really puzzled: how can they carry on their business as if there were nothing wrong with their behaviour, especially the second group?
Well, the word ‘Doublethink’ could be a clue. Suppose that ‘Doublethink’ is the norm among certain groups of cybersecurity professionals; then we would not have to be so puzzled by their queer behaviour. Doublethink might be providing them a nice relief to mitigate their cognitive dissonance or pricks of conscience.
Digital Dystopia
“One day you suddenly find that you had e-voted for someone you were against. You do not remember having taken any such action.” Then you are living the life of a digital dystopia.
The threat could be just a click away. You would only need to click ‘Agree’ to an identity authentication procedure from which the password, i.e. your secret credential to be fed by your volition, has been removed, or during which the password can be skipped.
Your identity is easily established while you are asleep, drunk or otherwise unconscious, or while you are unable to move for whatever reason. The digital dystopia would be the place where it is a waste of time to talk about the value of privacy.
It could be an uphill battle for you to take back the means of making your volition known to the system; you had already given your consent to an authentication procedure that does not require your volitional confirmation.
Quasi-Passwordless Schemes
Removing the password is not the only way to achieve ‘passwordless’ authentication. Two quibble-loving groups are seen promoting quasi-schemes.
1. Renaming: claiming that the PIN code, which is a weak form of numbers-only password, is not a password. PIN-code-enabled authentication could be called a passwordless scheme in their world.
2. Hiding: avoiding any talk about the password that stays in the login process as a fallback measure against false rejection by biometrics. The fallback password is required only when users are falsely rejected. Say, passwords are not used unless false rejection happens. It could, therefore, be called ‘passwordless’ in their world. (Corrected 27May2023)
Where 'Passwordless' schemes could be supported
It is where the objective of deploying passwordless schemes is clearly defined as ‘better convenience’ in view of the notorious difficulty of safely managing conventional text-only passwords, PROVIDED citizens are correctly informed as such.
We do not support the behaviour of those ‘passwordless’ scheme promoters who claim that removal of the password contributes to ‘stronger security’; it is a sheer falsehood.
FIDO Initiative
The subject of FIDO frequently pops up in our digital identity discussions.
We might be watching two FIDOs;
(1) Password-receptive FIDO
(2) Password-rejective FIDO
We deem that the FIDO specification on its own is (1), although some FIDO people sound as if (2) were the case.
A password-rejective (passwordless) FIDO-specified product should not be recommended to people who need good security, although it might be acceptable for low-security use cases where availability and convenience matter more.
On the other hand, irrespective of how kindly or unkindly FIDO people look at us, we are certain that the Expanded Password System powered by citizens’ non-volatile episodic memory is perfectly compatible with the device-based FIDO specification for providing very solid two/multi-factor authentication solutions.
Removal of Falsehood
"Passwords are not good and helpful enough, which means passwords are bad and harmful. What is bad and harmful should be removed."
If someone followed this way of false thinking, they would already be walking towards a big cognitive pitfall.
Falsehood would inevitably destroy the global attempt to build a sustainable digital identity. Removal of falsehood is a prerequisite for sustainable digital identity.
Dissection of Passkeys (added 7May2023)
‘Passwordless MFA’ like Passkeys is presumably made of three factors, as below:
1. PKI: known for decades to be effective in proving the authenticity of a device with a private key embedded in it. It is a good tool for device/machine authentication.
2. Biometrics: supposed to authenticate the person who holds the PKI-embedded device, when (and only when) the user is not falsely rejected by the biometrics.
3. PIN code: supposed to authenticate the person when (and only when) the user is falsely rejected by the biometrics. (The PIN code, which is no more than a numbers-only password, is supposed not to count as a password when the solution is called a ‘passwordless’ solution.)
The problems that we identify therein are:
A. Meaning of MFA
While it is often called ‘MFA’ because three factors are ostensibly involved, we should call it Quasi-MFA because (2) and (3) are deployed in a two-entrance/in-parallel formation, which provides security tragically lower than that of two factors deployed in a two-layer/in-series formation. (Corrected 23May2023)
B. Private Key of PKI
A PKI private key embedded in a device is vulnerable to theft and abuse. The risks would be greater if it is copied and stored elsewhere, whether online or offline.
C. Troubles of the PIN code
Users of the likes of Passkeys still have to struggle with the dilemma of an easy-to-remember or easy-to-break PIN code.
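The difference between the ‘multi-layer’ (in-series) formation of point E in section B and the Pseudo-MFA section, and the ‘multi-entrance’ (in-parallel) formation of biometrics plus PIN fallback dissected above, can be made concrete with a small probability model. The following Python is an added example written for this page, not code from the author or from any passkey implementation. Every authenticator is modelled by an assumed per-attempt false acceptance rate (FAR) and false rejection rate (FRR); the rates for the PIN, the biometric and the device key are constructed for illustration and are not vendor figures, attempts against different authenticators are assumed independent, and theft of the device key is not modelled.

```python
"""Compose authenticators in series (AND) and in parallel (OR).

Each authenticator is modelled by two per-attempt probabilities:
  far - false acceptance rate: an impostor is accepted
  frr - false rejection rate: the legitimate user is rejected
Attempts against different authenticators are assumed independent.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Authenticator:
    name: str
    far: float  # per-attempt probability that an impostor is accepted
    frr: float  # per-attempt probability that the legitimate user is rejected


def in_series(*auths: Authenticator) -> Authenticator:
    """Multi-layer (AND) formation: every authenticator must accept.

    An impostor must defeat all of them, so the false acceptance rate is the
    product; the legitimate user is rejected if any one of them rejects.
    """
    far = prod(a.far for a in auths)
    frr = 1 - prod(1 - a.frr for a in auths)
    return Authenticator("(" + " AND ".join(a.name for a in auths) + ")", far, frr)


def in_parallel(*auths: Authenticator) -> Authenticator:
    """Multi-entrance (OR) formation: any one authenticator suffices.

    An impostor is accepted if any entrance accepts, so the combined false
    acceptance rate is at least that of the weakest entrance; the legitimate
    user is rejected only if every entrance rejects.
    """
    far = 1 - prod(1 - a.far for a in auths)
    frr = prod(a.frr for a in auths)
    return Authenticator("(" + " OR ".join(a.name for a in auths) + ")", far, frr)


def is_below_one_factor(combined: Authenticator, *parts: Authenticator) -> bool:
    """True when the combination accepts impostors more readily than even the
    weakest of its parts would on its own (the page's 'below-one factor')."""
    return combined.far > max(p.far for p in parts)


# Constructed, assumed rates for illustration only (not vendor figures).
PIN = Authenticator("pin", far=1e-4, frr=0.0)               # one guess in 10,000; deterministic
BIOMETRIC = Authenticator("biometric", far=1e-3, frr=0.02)  # probabilistic: may falsely reject
DEVICE_KEY = Authenticator("device-key", far=1e-6, frr=0.0) # assumed forgery rate; key theft not modelled


def passkey_style() -> Authenticator:
    """Device key AND (biometric OR PIN fallback), the formation dissected above."""
    return in_series(DEVICE_KEY, in_parallel(BIOMETRIC, PIN))


def layered_alternative() -> Authenticator:
    """Device key AND PIN, with no parallel biometric entrance."""
    return in_series(DEVICE_KEY, PIN)


if __name__ == "__main__":
    for a in (in_series(BIOMETRIC, PIN), in_parallel(BIOMETRIC, PIN),
              layered_alternative(), passkey_style()):
        print(f"{a.name:45s} FAR={a.far:.3e}  FRR={a.frr:.3f}")
```

With these assumed rates, biometric OR PIN accepts an impostor at about 1.1e-3 per attempt, above either factor alone, while biometric AND PIN accepts at 1e-7 but inherits the biometric's 2% false rejection; that trade is exactly why the fallback is placed in parallel rather than in series. Adding the biometric entrance to a device key plus PIN raises the modelled FAR from 1e-10 to about 1.1e-9. Real systems add lockout and retry limits on top, so the per-attempt numbers here compare formations, not products.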
Safety by Delusion and Mesmerisation
Keep infusing a security-lowering delusive concept powerfully into the minds of the public, to the extent that not only good citizens but also security professionals and criminals are so mesmerised as to believe in it.
I mean the case of ‘passwordless’ authentication, which might have successfully kept the naive bad guys who believe in it away from the digital assets protected by ‘passwordless’ authentication. Hardened criminals, however, may well be simply waiting for the delusion to spread further towards the most inviting targets.
The present situation could be summarised as ‘Security-Illiterate Guys Selling Security Solutions.’ Alarmingly, we find the names of GAFAM and other big tech firms among them. And it is those people who often entertain the bad guys.
Inaction and Silence
Inaction and silence by security professionals and business/tech journalists on this grave threat could mean taking sides with criminals and the likes of Putin.
E. Collection of Blogs on ‘Passwordless’ issue
LOSS of Security Taken for GAIN of Security
F. Collection of Blogs on other digital identity issues
Power of Citizens’ Episodic Memory
Biometrics Unravelled | password-dependent password-killer