Identity Crisis: The Future of Password Security

Secret credentials are indispensable in the Internet-driven cyber sphere. Text passwords and PINs are still the most widely used form of secret credential. Biometrics is now being promoted for authenticating the digital identity of humans, with a text password/PIN as a fallback system. Text passwords seem insufficient, but they are not harmful. Biometrics is not sufficient, and appears to be harmful in terms of spoofing induced by data breaches or theft. What can be a viable digital identity solution in this crisis situation?

Secret credentials are indispensable

Can we live without secret credentials? The simple answer is 'not possible'. To date, text passwords and PINs are the most commonly used form of secret credentials. We need them whenever we log in to check email, use our online bank accounts, or access any online account.

But parts of the security industry are actively trying to 'kill passwords'!

Secret credentials give us the option of logging in to our cyber accounts by our own wish. If we give the right password, we are logged in; if we give the wrong password, the system rejects us. Some people are trying to 'kill passwords' and are promoting 'password-less' authentication. But that does not require validating our wish to log in: we are logged in automatically. It is dangerous to activate "password-less authentication", because it then no longer validates our own deliberate wish to log in.

They are hell-bent on 'killing passwords' with biometrics

The concept of 'password-less authentication' is promoted through the use of biometrics, which draws on personal identifiers within the human body, such as fingerprints, the face and iris scans. Biometrics is proposed to be used with a text password/PIN as a fallback system. Its promoters advocate biometric tokens for online authentication, banking and other financial services, as well as governance.

Does biometrics improve security or bring down security?

If biometrics is more secure than text passwords, then why are text passwords recommended as a backup measure in case biometrics fails? Isn't that self-contradictory? This shows that text passwords are more secure and safe than biometrics for online authentication. Does biometrics improve security or bring down security? This is the most important question!

Biometric recognition is probabilistic and carries uncertainty and risk factors

Biometrics essentially involves a probabilistic recognition process. There remains an inevitable uncertainty and risk of errors, resulting in unreliability. The vulnerability increases many-fold with the chance of losing the device that stores the identifier signatures. If the device is stolen, the risk is intensified. Not to mention spoofing attacks enabled by biometric data breaches or theft. Biometric data, once stolen, creates life-long problems.

Biometrics is a convenience-first authentication solution

Biometrics is a convenient way of personal identification in a supervised scenario. Biometrics is not secure and safe for unsupervised online authentication. That is the reason a text password/PIN is kept as a fallback measure in case biometrics fails. May we now conclude that biometrics can bring down security compared to the text password/PIN system?

Is the world rushing with biometrics?

'The biometrics rush' is more or less myth-driven hype. Biometrics is a convenience-first solution which is less reliable and secure than text passwords. Moreover, progress in biometric spoofing technology is a big threat. Biometric liveness detection is a spoofing filter, but it can't defeat spoofs for good. The world requires a security-first solution.

Non-text graphical passwords can improve the security

Since text passwords are hard to remember, there is another way of doing it. Instead of text, a picture or an image can be used as the password to authenticate a login. A question arises: are graphical passwords as secure as text passwords? The simple answer is 'graphical passwords are more secure than text passwords'.

Episodic memory based graphical passwords are a high entropy authentication solution

Complex text passwords are not easy to remember and are often reused as the login credentials of multiple accounts. Those are easily cracked by automated programmatic guessing. On the other hand, episodic memory based graphical passwords are more robust and secure than text passwords. Episodic memory based passwords are relatively easy to remember, because they can be connected to our memorable past. That is why episodic memory based questions are securely used as a second layer to protect accounts. The password strength can be increased by using multiple images from a matrix of images. The entropy of graphical passwords is higher than that of text passwords. Graphical passwords cannot be cracked by automated programmatic guessing.
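To make the entropy argument concrete, here is an added example (not code from the article or from the cited papers) that computes the guessing space of a "multiple images from a matrix" password for a given matrix size, number of picks and ordering rule, beside uniformly random text passwords of a given alphabet and length; the matrix sizes, pick counts and guess rate in the comparison are constructed assumptions.

```python
import math


def text_password_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy (bits) of a text password drawn uniformly at random:
    length * log2(charset_size). User-chosen passwords fall well below this."""
    return length * math.log2(charset_size)


def graphical_password_entropy_bits(matrix_images: int, picks: int,
                                    ordered: bool = True,
                                    repeats: bool = False) -> float:
    """Entropy (bits) of picking `picks` images from a matrix of `matrix_images`.
    ordered=True  -> the click sequence matters (n!/(n-k)! or n**k)
    repeats=True  -> the same image may be chosen more than once"""
    n, k = matrix_images, picks
    if n < 1 or k < 1 or (k > n and not repeats):
        raise ValueError("invalid matrix size or number of picks")
    if repeats:
        space = n ** k if ordered else math.comb(n + k - 1, k)
    else:
        space = math.perm(n, k) if ordered else math.comb(n, k)
    return math.log2(space)


def expected_online_guess_days(bits: float, guesses_per_second: float) -> float:
    """Expected days for online guessing to hit a uniformly random secret
    (half the space on average) at a rate-limited guess rate."""
    return (2 ** bits / 2) / guesses_per_second / 86400


def compare_schemes() -> dict:
    """Constructed comparison of text policies and image-matrix layouts."""
    return {
        "text: 8 lowercase letters": text_password_entropy_bits(26, 8),
        "text: 8 printable ASCII": text_password_entropy_bits(94, 8),
        "images: 4x4 matrix, 5 ordered picks, no repeats":
            graphical_password_entropy_bits(16, 5),
        "images: 6x6 matrix, 8 ordered picks, repeats allowed":
            graphical_password_entropy_bits(36, 8, repeats=True),
        "images: 10x10 matrix, 10 unordered picks, no repeats":
            graphical_password_entropy_bits(100, 10, ordered=False),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        days = expected_online_guess_days(bits, guesses_per_second=10)
        print(f"{scheme:55s} {bits:5.1f} bits  ~{days:.3g} days at 10 guesses/s")
```

The numbers show that the entropy of an image-matrix password is set by the matrix size, the number of picks and whether order counts, not by the use of images as such, so a scheme must be sized before it can be said to beat a given text password policy.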

Future of digital identity is complex

Now digital identity is everywhere, because we need it so much in the cyber sphere: for accessing our online accounts, banking transactions and all types of online processing. The future of digital identity is very complex.

Self-sovereign identity depends on the policies of the national governments

Although we are talking about self-sovereign identity nowadays, its future depends on the policies of national governments. It is not feasible unless national laws are modified suitably. Moreover, if the biometric data are already stolen or hacked, the identity data are already in the hands of cyber criminals. So creating a self-sovereign identity doesn't make any sense.

For example, the entire biometric database of the Indian identity project Aadhaar leaked and is available on the dark market for a small amount of Indian rupees. Does it matter if the digital identity data of Indian citizens are secured by a new, more secure digital identity project?

We need to find a more innovative and secure solution for digital identity platforms

We need to find a more innovative and robust way to secure our cyber identity. A graphical password system can be a high entropy authentication solution for the future. However, technology alone can't help unless we take cybersecurity seriously. We must remember that convenience has no place in cybersecurity.



I am a researcher and academician of electronics and applied photonics. My current research focuses on Privacy Protected Digital Identity. My friend Jose Munoz Mata and I are researching distributed ledger technology for decentralized digital identity and other real-world applications.


Text Copyright © 2019 Debesh Choudhury. All Rights Reserved.


Hitoshi Kokumai

Advocate of Identity Assurance by Citizens' Volition and Memory. Founder and Chief Architect at Mnemonic Identity Solutions Limited

4 years

Assume that the password is dead. Then digital identity platforms would have only two authenticators: physical tokens and biometrics. Biometrics by its nature requires a fallback measure against false rejection, and only the physical token could be the fallback measure for biometrics in this situation. Here we have only two scenarios. (1) Authentication by a physical token, with an option of adding another token. Its security effect is plainly illustrated below. (2) Authentication by biometrics deployed in the 'multi-entrance' method with a physical token as the fallback measure, with an option of adding another token. Its security is even lower than (1). It would certainly be a very nice place for criminals.

Debesh Choudhury, PhD

Information Security Researcher, Academician, Entrepreneur | Password & Cybersecurity, Data Privacy, Blockchains, Digital Identity, Biometrics Limit | 3D Education | Writer | Linux Trainer | Podcast Host

4 years

#fintechs #banks and #governments: Are you aware of the evil #threats of #biometrics on the #digitalidentity platforms? Please brainstorm many times before deciding to "kill passwords" with biometrics-only authentication!
