LOSS of Security Taken for GAIN of Security
Hitoshi Kokumai
Advocate of Identity Assurance by Citizens' Volition and Memory. Founder and Chief Architect at Mnemonic Identity Solutions Limited
Collected here are our digital identity posts since 24/February/2022 on the security-destructive effects of PASSWORDLESS AUTHENTICATION SCHEMES, that is, the reckless attempts to remove secret credentials from identity assurance.
"I do not want to be among those who knowingly turn a blind eye to the ongoing erosion of the democratic values due to a wrong design of digital transformation when facing the dreadful democracy-destroyers" - Moral Responsibility for Having Awoken
MFA with Unknown Configuration (12Dec2023)
How MFA is Configured? - Still Unknown (1Dec2023)
MFA with Unknown Configuration - Yet Again (23Nov2023)
Determined to Destroy? - Hopefully Not (20Nov2023)
Want to Dive into Suicidal Disaster? (15Oct2023)
Don’t Mix Up Identification with Authentication? (31Aug2023)
Complementary Comment on Passwordless (27May2023)
Loss of Our Password, Loss of Our Identity (17May2023)
Offering a Second Door for Bad Guys? (3May2023)
Dissection of Passwordless MFA (24Apr2023)
Identity Management Day for Action (15Apr2023)
Wise NIST and Unwise NIST (15Apr2023)
What about Saying "Kill the Passwordless Dead"? (10Apr2023)
Message to DIACC (7Apr2023)
Worse than Thief of Time (2Apr2023)
Prepare against Vicious AI (22Mar2023)
No Report Means No Damage? (5Mar2023)
For joining ‘Passwordless Dystopia’ initiative (23Feb2023)
Default PINCODE/password - Alive or Dead? (16Feb2023)
Biz/Tech Journalists’ Terrifying Behaviours (13Feb2023)
Safety by Delusion and Mesmerisation (11Feb2023)
From 'Removal of Passwords' to 'Removal of Falsehood' (26Jan2023)
Caveats for Cybersecurity Starters (24Jan2023)
What’s Removed Can’t Serve (21Jan2023)
How to not see our weak digital identity further weakened (20Jan2023)
Some More Topics on Digital Identity #8-3 (15Jan2023 - Cognitive pitfall)
Some More Topics on Digital Identity #8-2 (10Jan2023 - Dissection of Passwordless concept)
Configured Correctly? (9Jan2023)
For ENISA (6Jan2023 - We are offering help to ENISA, not vice versa)
Killing Password is Easy (6Jan2023)
My First English Article published in 2014 (2Jan2023 - On 'Kill the password' nonsense)
What about False Assurance? (29Dec2022)
Some More Topics on Digital Identity #8 (20Dec2022)
Is Doublethink the Norm? (12Dec2022)
EU Citizens! - Speak Out Yourselves (3Dec2022)
Worse Type of False Sense of Security (3Dec2022)
Encouraging ENISA to Act 1/2 (28Nov2022)
Encouraging ENISA to Act 2/2 (28Nov2022)
Terrifying Silence of Security Organisations (20Nov2022)
How to Not Reuse Passwords (12Nov2022)
Solutions Successful in Destroying Security (28Oct2022)
Raising ‘misguided’ cybersecurity awareness is good only for bad guys (21Oct2022 - False sense of security is the consequence)
Solidly-Configured 2FA is Stronger than Poorly-Configured 3FA (15Oct2022 - MFA Hype)
To Secure or De-secure? (25Sep2022)
Basics of Digital Identity Revisited (9Sep2022)
What Separates Who Needs from Who Provides (8Sep2022)
FIDO and Biometrics (31Aug2022)
FIDO and Expanded Password System? (26Aug2022)
Give Correct Tools to People? (25Aug2022)
Digital Laziness - Religion of Cyber Age? (6Aug2022)
Cognitive Pitfall over Password Removal (28July2022)
Different “password-less”? (11July2022)
Also Disinvest from Security-Destroying Products (10July2022)
Do Keep Password Login (30June2022)
Conceivable Narratives of ‘Passwordless’ Authentication Promoters and Supporters (30June2022)
Dissecting Silence of Digital Identity Professionals (28June2022)
- Two ways of Declaring Death of Password while Relying on Password (9June2022)
- Ditching Password for Ditching Security and Democracy? (6June)
- Moral Responsibility for Having Awoken (30May)
- Your Problem that You Speak Up (25May)
- Opting to Weaken Defence from Within when Facing Formidable Adversaries? (22May)
- Societal and Economic Impact of Mis-Designed Digital Identity (17May)
- What Happens when Truth Prevails (10May)
- Wrong Voices from Big Players (8May)
- Don’t be So Irrational (7May)
- Digital Dystopia (5May)
Intermezzo - How Can We Easily Manage the Hard-to-Manage Password? (7June2022)
- Then, Firstly, Defend Digital Identity Platform against Threats from Within (19Apr)
- Two Ways of Damaging Cyberdefence from Within (13Apr)
- Password is So Easy-to-Steal. Therefore ... (30Mar)
- Login by Password/Pincode Removed from Their Smartphones? (23Mar)
Coffee Break - Parody Cartoon
- The zero-password future MUST NOT come (6Mar)
- Striking Case of Misperception about Secret Credential (1Mar)
- Online Vote Precluding Citizens’ Volition and Memory (27February)
- Don’t Let Them Destroy Defence from Within against Dictators’ Attacks (25February)
Two ways of Declaring Death of Password while Relying on Password
I posted “Truly Killed or Just Hidden from Sight?” a few days ago on a Wired report titled “Apple Just Killed the Password - for Real This Time” - https://www.dhirubhai.net/posts/hitoshikokumai_apple-just-killed-the-passwordfor-real-this-activity-6940204678047481856-Aqcn
I mentioned “Just Hidden from Sight?” in there; we know there are at least two ways to declare that the password has been killed while the password actually stays alive, just hidden from our sight.
1. Look away from the presence of a ‘default/fallback password’
Biometrics needs a fallback measure against false rejection, which no biometrics can escape because of its inherently probabilistic nature. A password registered as the fallback measure is not used while the user is not falsely rejected; it is supposed to be used only occasionally, when the user is falsely rejected.
It wouldn’t be such a big surprise if some people alleged that they had killed the password by looking away from the presence of a default/fallback password.
2. Kill the ‘password’ by replacing it with a ‘pincode’
By our criteria, a pincode is no more than a numbers-only weak password. So, trying to replace a password with a pincode is no different from trying to replace a knife with a paper knife.
Apparently, those people have a different lexicon.
In the above two cases, we would not have to bother too much. It might well be a matter of LOL.
However, should they have truly killed/ditched/eliminated/removed the password (secret credential) altogether, we have to be horrified; we are facing a very grave consequence, with not just security but also democracy being seriously threatened.
Ditching Password for Ditching Security and Democracy ?
Let me try to dissect where, why and how so many people have been misguided into assuming that they could achieve better identity security by ‘ditching/removing/eliminating/killing’ the password (secret credential) altogether.
Let’s first examine this proposition - “The smaller the attack surface of an authentication factor is, the less vulnerable the identity assurance is”.
It appears that both we and they agree to it. Our solution is actually designed to achieve this objective most effectively.
What about moving next to this proposition? - “The identity assurance would be the least vulnerable if we reduced the attack surface down to absolute zero”.
Both they and we may well agree that it would be very nice if we could achieve it.
Well, what about the third proposition? - “The overall security would increase if we removed the attack surface of the password by ditching the whole of the password.”
Presumably, this is where we and they part company.
We deem this proposition invalid unless it is possible to remove the attack surface altogether without losing the defence surface that the password provides.
Some people, who may have big voices in the trade of cybersecurity, seem to have deemed it valid and jumped onto it.
This misperception spread very quickly among people who wanted a quick and simple fix to one of the worst headaches of the cyber business - “We had to rely on the trio of password, PKI-powered token and biometrics for poor security, but we can now rely on the duo of PKI-powered token and biometrics for better security. Really quick and simple - just ditch the password. That’s all”.
It is obvious that the same logic could apply to the removal of a token, which has its own attack surfaces, one of which is its physical theft. But, mysteriously, they seem to show no interest in giving any thought to this observation.
With their voices growing louder and louder, we now have to ask “Would you be happy to weaken the defence of democratic nations from within when dreadful adversaries are attacking our defence line?”
Should some of you have a different dissection of this awkward situation, please let me know. It will be very much appreciated.
Ref: “Attack Surface and Defence Surface Visually Explained”
and “Your Problem that You Speak Up” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6935117823224487936--0TE
Moral Responsibility for Having Awoken
It would not be very wise to weaken the defence line from within when facing formidable adversaries who are known to be making every effort to destroy the values of democracy.
What I mean is the misguiding “passwordless” and “biometrics” authentication schemes that not a few security professionals and big IT players are touting, as discussed in “Your Problem that You Speak Up” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6935117823224487936--0TE
I have been trying to stay tenacious since I awoke to this consequential problem, probably as one of the first few to have awoken to it.
I do not want to be among those who knowingly turn a blind eye to the ongoing erosion of the democratic values due to a wrong design of digital transformation when facing the dreadful democracy-destroyers.
If you can agree with our reasoning, consider joining this endeavour in your own way!
Your Problem that You Speak Up
Are you happy or unhappy with a situation in which it is viewed as legal and ‘no problem’ for you to be authenticated over your rights and duties while you are unconscious or unable to move?
This may well be a sanity-check question, perhaps applicable to security professionals offering advice to policy-making people in democratic nations. By the way, I have no idea whether such a check would be allowed in a dictatorial state.
Are you happy or unhappy with a situation in which selling security-lowering products claimed to be security-enhancing products is allowed or even encouraged? It may well be another sanity-check question, probably applicable anywhere in the world, irrespective of whether you live in a democratic or a dictatorial country.
What would be your answer?
< Reference >
“Societal and Economic Impact of Mis-Designed Digital Identity” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6931851743349649408-fLlm
.......................................................................
This is not my problem. This is not just a few people’s problem, either. It’s everyone’s problem and certainly your problem.
I am not the owner of this discussion. You are also the owner of the discussion. You would not need to be with me. You could act in your own way. Please.
Opting to Weaken Defence from Within when Facing Formidable Adversaries?
A friend referred me to Sun Tzu in a comment on one of my posts. I have read “The Art of War” repeatedly over 5 decades. Every time I open the book, I make some findings. Its philosophy may well be heavily reflected in my writings.
By the way, a number of big players seem to be challenging what we learn from Sun Tzu.
As we are getting ever more dependent on the digital network, there are more bad guys who want to exploit it. We are watching state-sponsored formidable adversaries among them.
We conclude that we need to enhance the defence in line with the common sense that Sun Tzu would certainly share, whereas those people appear to have concluded that they need to weaken the defence from within in order to achieve a stronger defence.
Very alarmingly, not a few security professionals, who cannot be ignorant of it, appear to have opted to stay silent about this perilous situation, presumably in view of the huge collective influence of those big players.
Individuals who speak out on their own could be sniped one by one, as I experienced badly myself in the past when I tried to be very vocal in Japan. We should act collectively. The more people speak up together, the safer we will be.
Ref: “Societal and Economic Impact of Mis-Designed Digital Identity”
Speak up together!
Societal and Economic Impact of Mis-Designed Digital Identity
I posted a warning message a week ago on the impact of a wrong design of digital identity on democracy - "What Happens when Truth Prevails" https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6929600705875890177-M4x6
I would reiterate that we need to tackle this clear and present danger most urgently lest it should paralyse the nervous system of democratic nations.
Our voice is firm but still far too small against the loud roars of big players who are spreading the misguiding information. Join and help us to make our warning heard.
...........................................
Well, I know how hard it is for a single person to speak up in public on this issue; it is only natural for them to fear that they could be a target of revenge by those big players who collectively have huge entrenched interests in the security-destroying and democracy-eroding ‘passwordless’ and ‘biometrics login’ businesses.
Individuals who speak out on their own could be sniped one by one, as I experienced badly myself in the past when I tried to be very vocal in Japan. If we act collectively, we will be far less vulnerable. The more people speak up together, the stronger our collective voice will be and the safer we will be.
What Happens when Truth Prevails
Our economy would feel the pain of losing a finger if the truth prevailed right now.
It would be the pain of losing a foot if it took 5 more years before the truth prevailed. It might be like losing a leg if it took 10 more years. Should it not come for a generation, no pain might be felt: the sensory nerve might have been lost.
What we mean is the inevitable consequence of removing/eliminating/ditching/killing the password (= the secret credential to be fed by our volition to the systems for viable identity assurance), i.e., destruction of security and erosion of democracy from within.
When the truth prevails, those people who have been selling, promoting and implementing the security-lowering products and democracy-eroding theories by spreading a false sense of security will have to suffer. With many big players sadly involved, it could have a sizeable impact on economy and society.
One thing is clear and obvious, however. The sooner it comes, the smaller the pain. The later, the graver.
< Reference >
“Wrong Voices from Big Players” https://www.dhirubhai.net/posts/hitoshikokumai_us-tech-titans-look-to-ditch-passwords-activity-6928910359055527936-92Mz
With your participation, we wish to see the truth prevail sooner rather than later.
Wrong Voices from Big Players
Driven by this report - “US tech titans look to ditch passwords” https://techxplore.com/news/2022-05-tech-titans-ditch-passwords.html
It is no good to see such influential corporations and organisations helping to spread a false sense of security and damaging the cyberdefence of democratic nations from within.
History tells us that dominant voices, however loud, are often wrong. We may well be witnessing one such case.
Don’t lend a hand to the misguided and misguiding people who are damaging the defence of democratic nations from within. Be rational and logical.
< Reference >
“Two Ways of Damaging Cyberdefence from Within” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6919830534051307520-iQte
“Digital Dystopia” https://www.dhirubhai.net/posts/mnemonic-identity-solutions-limited_democracy-privacy-ethics-activity-6927816247283757056-d5Yg
"Don’t be So Irrational and Illogical" https://www.dhirubhai.net/posts/hitoshikokumai_microsoft-apple-google-step-up-push-to-activity-6928526197622521856-5x63
Good cybersecurity is achievable only when it comes with identity assurance by our volition and memory.
Don’t be So Irrational
Driven by this report – “Microsoft, Apple, Google accelerate push to eliminate passwords” https://www.theregister.com/2022/05/05/microsoft-apple-google-fido/
Presumably due to the collective influence of the players, especially as deep-pocketed sponsors, many tech media are loudly taking up this non-new news.
From my experience, I can think of three possible cases of getting to be 'passwordless' -
(1) the likes of passwords (= secret credentials to be fed by citizens’ volition) are to be literally eliminated,
(2) alphanumeric passwords are to be removed, but the likes of pincodes are to stay in their authentication schemes because numbers-only pincodes are not viewed as passwords,
(3) passwords are to stay as a fallback measure against false rejection of fingerprint and face biometrics, but are to be declared ditched because the fallback measure is usually skipped and is required only in cases of false rejection.
In the case of (1), I coincidentally posted this comment a couple of days ago - “Digital Dystopia” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6927814869891096577-eUEd
As for (2), it would be up to them to claim that they can achieve a knife-less kitchen by ditching kitchen knives while keeping a paper knife in the kitchen instead, if that is the norm in their world.
Coming to (3), they could come up with new dictionaries which give extra meanings to ‘eliminate’, ‘remove’, ‘ditch’ and the like.
Below are the comments I had posted yesterday on this topic -
“Ditch Password to Ditch Security” https://www.dhirubhai.net/posts/hitoshikokumai_us-tech-titans-look-to-ditch-passwords-activity-6928245502828298240-t_3D
“'Password-less' Means 'Volition-less'” https://www.dhirubhai.net/posts/hitoshikokumai_microsoft-apple-and-google-to-support-fido-activity-6928235716489474048-LNGO
History tells us that dominant voices, however loud, are often wrong. We may well be witnessing one such case.
Don’t lend a hand to the misguided people who are damaging the defence of democratic nations from within.
Be rational and logical. Good cybersecurity is achievable only when it comes with identity assurance by our volition and memory.
Digital Dystopia
“One day you suddenly find that you had e-voted for someone you were against. You do not remember having taken such an action”. Then you are living the life of a digital dystopia.
The threat could be just a click away. You would only need to click ‘Agree’ to an identity authentication procedure from which the password, i.e., your secret credential to be fed by your volition, has been removed, or during which the password can be skipped.
Your identity is easily established while you are asleep, drunk or otherwise unconscious. Or while you are unable to move for whatever reason. The digital dystopia would be a place where it is a waste of time to talk about the value of privacy.
It could be an uphill battle for you to take back the means to make your volition known to the system; you had already given your consent to the authentication procedure that does not require your volitional confirmation.
Ref: “Two Ways of Damaging Cyberdefence from Within” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6919830534051307520-iQte
/////////////////////////////////////////////////////////////////////
Intermezzo -- How Can We Easily Manage the Hard-to-Manage Password?
Passwords are often blamed for bringing the worst headache to our digital life; how come they are so hard to manage!
Most of us are unable to remember and recall more than several passwords.
Those of us who can somehow manage to remember several of them find that they are unable to remember the relations between the passwords and the corresponding accounts.
On the other hand, writing down/storing multiple passwords and the corresponding accounts and carrying the memos/storage around outdoors brings the risk of physical theft, which exposes a single point of failure.
It seems there is no way out of this trilemma. (*1)
Password managers are known to enable us to create and manage 18-character passwords that would stand for 1qt years (see the table below). Conventional password managers, however, have a couple of big problems - the users have to struggle to manage their hard-to-break=hard-to-recall strong master-passwords, while they cannot escape the single point of failure (*2).
*1 What was hard to manage was a conventional text-only password. It was just that there was no way out because we only stuck to alphanumeric text as the material of passwords. Why not look to the potential of a 'non-text' secret credential?
"Solution Resides in Citizen’s Brain Unnoticed" https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6908966261007503360-_Cd_
*2 Now there is a new breed of 'leak-proof' password manager powered by citizens' episodic memory, which has been solidly inscribed deep in our brain. It enables us to achieve far better availability and usability as well as higher security.
“Fend off cyberattacks on democracy” https://www.dhirubhai.net/pulse/fend-off-cyberattacks-democracy-hitoshi-kokumai/
Well, by any chance, aren’t you considering that all those problems would go away at once if we ditched the hated password altogether?
"Ditching Password for Ditching Security and Democracy ?” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6939413376049512448-bpJC
* Recent digital identity comments are mostly collected for quick reference at https://www.dhirubhai.net/pulse/collection-digital-identity-comments-hitoshi-kokumai-posted-kokumai/
For more, visit our corporate website - https://www.mnemonicidentitysolutions.com/
/////////////////////////////////////////////////////////////
Then, Firstly, Defend Digital Identity Platform against Threats from Within
Driven by this report – “Ukraine conflict heightens US military’s data privacy vulnerabilities” https://www.c4isrnet.com/opinion/2022/04/14/ukraine-conflict-heightens-us-militarys-data-privacy-vulnerabilities/
If that is the case, the damage that has been done to identity assurance platforms must be repaired ASAP, before anything else.
How digital identity platforms get damaged from within and how to rectify the problem is visually examined in “Two Ways of Damaging Cyberdefence from Within” https://medium.com/@hitoshikokumai/two-ways-of-damaging-cyberdefence-from-within-2403213a9f23
‘NO’ to Attacks on Democracy from within
Two Ways of Damaging Cyberdefence from Within
Not a few security professionals are, perhaps unwittingly, ruining the cyberdefence of democratic nations from within by
1. removing the defence surface that the password provides in an attempt to remove its attack surface, which exists as a section of that defence surface,
2. deploying two authentication factors in the attack-surface-increasing two-entrance/in-parallel formation (as against the attack-surface-decreasing two-layer/in-series formation),
3. and looking away from the false sense of security that these two acts bring about.
The schema shown below may well be enough to get why and how. Should you want to know more, you could refer to “Attack Surface and Defence Surface Visually Explained” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6906433198109155328-hXJO
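As an added worked example (not part of the original post or of Mnemonic Identity Solutions' own material), the two formations named in item 2 above, and the default/fallback password discussed earlier in this collection, can be put into numbers with a simple model in which each factor has its own compromise probability and the factors fail independently; the per-factor probabilities used here are constructed, not measured.

```python
# Probabilistic model of the two-layer (in-series) and two-entrance (in-parallel)
# formations. Each factor is given a constructed per-attack compromise
# probability p (the chance an attacker defeats that factor); factors are
# assumed to fail independently of one another.

ABSENT = 1.0  # a factor that has been removed offers no resistance at all


def compromise_in_series(p_a: float, p_b: float) -> float:
    """Two-layer / in-series formation: the attacker must defeat BOTH factors.
    Adding a layer can only lower the compromise probability."""
    return p_a * p_b


def compromise_in_parallel(p_a: float, p_b: float) -> float:
    """Two-entrance / in-parallel formation: defeating EITHER factor is enough.
    Adding an entrance can only raise the compromise probability."""
    return 1.0 - (1.0 - p_a) * (1.0 - p_b)


def compare_formations(p_password: float, p_token: float) -> dict:
    """Compromise probability of a password and a token in each arrangement
    the post discusses, including the 'password removed' case."""
    return {
        "password alone": p_password,
        "token alone": p_token,
        "password AND token (two-layer, in series)":
            compromise_in_series(p_password, p_token),
        "password OR token (two-entrance, in parallel)":
            compromise_in_parallel(p_password, p_token),
        # Removing the password from a two-layer setup takes away its attack
        # surface, but also its defence surface: the remaining layer now
        # carries the whole burden, so the probability rises from p_pw*p_tok
        # back up to p_tok.
        "two-layer setup with the password removed":
            compromise_in_series(ABSENT, p_token),
    }


def biometrics_with_fallback(p_biometric: float, p_fallback_password: float) -> float:
    """Biometric login with a registered fallback password is a two-entrance
    formation: the attacker may target the sensor OR go straight to the
    fallback, so the result is never better than the fallback alone."""
    return compromise_in_parallel(p_biometric, p_fallback_password)


def strongest(results: dict) -> str:
    """Name of the formation with the lowest compromise probability."""
    return min(results, key=results.get)


def parallel_weaker_than_either_alone(p_a: float, p_b: float) -> bool:
    """True when the two-entrance formation is weaker than each of its
    factors on its own, which holds for any 0 < p_a, p_b < 1."""
    return compromise_in_parallel(p_a, p_b) > max(p_a, p_b)


if __name__ == "__main__":
    # Constructed sample probabilities, chosen only to make the arithmetic visible.
    results = compare_formations(p_password=0.01, p_token=0.02)
    for name, p in results.items():
        print(f"{name:<48} {p:.4f}")
    print("strongest formation:", strongest(results))
    print("biometrics (0.001) with fallback password (0.01):",
          f"{biometrics_with_fallback(0.001, 0.01):.5f}")
```

Swapping the constructed probabilities for any others in (0, 1) does not change the ordering: the in-series pair is always the strongest, and the in-parallel pair, including biometrics plus a fallback password, is always weaker than its weakest member alone.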
And here is our proposition on the practicable defence of our digital identity - “For Speedier Reinforcement in Cyber Defence against Tyrants” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6911797383739711488-BSFj
‘NO’ to Attacks on Democracy from within
What We CAN DO and What We MUST NOT DO against Credential Thieves
Driven by this report – “Google: Russian credential thieves target NATO, Eastern European military” www.theregister.com/2022/04/01/russian_credential_phishing
People whose accounts are especially important might hopefully be interested in our proposition of repelling phishers with the power of their episodic image memory - “How to Cope with Wily Phishers” https://www.dhirubhai.net/posts/hitoshikokumai_this-browser-in-the-browser-attack-is-perfect-activity-6912265141011038208-Ua6P
It would be very nice if you could share this information with your connections in defence and other critical sectors who must make every effort to protect their credentials.
By the way, conventional passwords are indeed frighteningly vulnerable to theft. It would be no big surprise, therefore, to see some people tempted to remove the password altogether, since what does not exist obviously can never be stolen.
You MUST NOT consider removing the password from identity assurance platforms, however.
It would only destroy identity security, for a very simple and plain reason which seems to have fallen into a blind spot of those people: it is impossible to remove an attack surface of a password without removing the defence surface of the password, which provides a positive security effect.
An attack surface exists inside a defence surface, not vice versa, as visually examined in this comment - “Attack Surface and Defence Surface Visually Explained” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6906433198109155328-hXJO
and “Remove the army and we will have a stronger national defense” https://www.dhirubhai.net/posts/hitoshikokumai_going-passwordless-what-are-the-benefits-activity-6815852512889978880-R3RR
Password is So Easy-to-Steal. Therefore ...
Driven by this post – “Android password-stealing malware infects 100,000 Google Play users” https://www.dhirubhai.net/posts/alexandre-blanc-cyber-security-88569022_android-password-stealing-malware-infects-activity-6911776983458713600-JqF8
Starting from the observation that the password is so easy to steal, some people jump to the idea that what does not exist cannot be stolen.
Removal of the password does remove an attack surface of the password. Alas, however, it is impossible to remove the attack surface without removing the defence surface of the password that contains the attack surface within it. (*1)
We think otherwise. We look to making use of NON-TEXT secret credentials. (*2)
< Reference >
*1 “Clever Solutions to Silly Passwords? - Do What You CAN NOT Do or What You MUST NOT Do” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6910783916157136896-YJ8x
*2 “Solution Resides in Citizen’s Brain Unnoticed” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6908966261007503360-_Cd_
Login by Password/Pincode Removed from Their Smartphones?
Driven by this report – “FIDO Alliance says it has finally killed the password. Conceptually. It's OEMs who'll do the work, and you'll just have to trust them” https://www.theregister.com/2022/03/21/fido_password_killer/
I am wondering whether they have completely removed the password/pincode from the smartphones deployed in their scheme.
(1) In case of NO, that is, if their scheme is still dependent on the password/pincode for protection of the smartphones, it would be simply wrong to claim that they have killed or are killing the password.
(2) In case of YES, that is, if the scheme is indeed ‘passwordless’ or ‘zero-password’, then this comic published 17 years ago would be found relevant - “Entangled thinking makes everything more Entangled” https://www.mnemonicidentitysolutions.com/Comics/Comic2.2.html
With the password, that is, their secret credential, removed from their identity assurance altogether, they believe they would enjoy safer identity assurance because their identity can be authenticated while they are asleep or otherwise unconscious. Shall we offer them congratulations on their sophisticated cyber safety?
Tyrants would be able to get them authenticated when they are not agreeable to it. Shall we offer them congratulations on their sophisticatedly defended civil rights?
Ref: “Clever Solutions to Silly Passwords? - Do What You CAN NOT Do or What You MUST NOT Do” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6910783916157136896-YJ8x
Incidentally, there could possibly be a third scenario.
(3) Login by a pincode can stay while the password login has to be removed, because the pincode, which is a weak form of numbers-only password by our criteria, is not a password for them. A paper knife should not be viewed as belonging to the knife family by their criteria, presumably because it is too powerless to be called a knife. Should that be the case by any chance, it would be a really pleasurable conception indeed!
‘NO’ to Attacks on Democracy from within!
Parody Cartoon (published in 2005)
The zero-password future MUST NOT come
Driven by this report – “The zero-password future can't come soon enough” https://www.theregister.com/2022/03/02/passwords-weak-security-link/
The ‘zero-password future’, which weakens the defence against criminals and tyrants while eroding the value of democracy, must not come. We should prevent it.
The concept of a ‘zero-password future’ has presumably come from mixing up ‘insufficient’ with ‘harmful’, and also from looking only at ‘an attack surface’ of the password while looking away from ‘a defence surface’ that the password provides.
Ref: “Attack Surface and Defence Surface Visually Explained” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6906433198109155328-hXJO
“Online Vote Precluding Citizens’ Volition and Memory” https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6903550440357675008-WT8U
and "Make Safer Use of Conventional Password Systems with Citizens’ Episodic Memory" https://www.dhirubhai.net/posts/hitoshikokumai_mnemonic-gateways-90s-video-activity-6905704640881545216-7z0s
‘NO’ to Attacks on Democracy from within and without
Striking Case of Misperception about Secret Credential
Driven by this publication – “The end of passwords: Companies are finally shifting away from notoriously insecure alphanumerics to other methods of authentication” https://www.technologyreview.com/2022/02/23/1044953/password-login-cybersecurity/
A LinkedIn friend suggested to me that I could say something about this piece from MIT Technology Review; I would say that being very reputed might not necessarily mean being very intelligent.
Apparently behind this incorrect observation lies a tragically misguided perception that removal of the password would take away ONLY its ‘attack surface’; how come those clever people can turn a blind eye to the presence of the ‘DEFENCE SURFACE’ of the password? How is it possible to be so indifferent to ‘insufficient’ being different from ‘harmful’?
Removal of the password with its ‘defence surface’ would destroy the overall identity security by removing the security that the password has so far provided.
It would also fatally erode the value of democracy; what would you think about a democracy where it is viewed as relevant and legal for your identity to be authenticated while you are unconscious, that is, without your volition and memory being confirmed?
*Related Posts*
Trapped in Muddle Downstream or Finding Solution Upstream https://www.dhirubhai.net/posts/hitoshikokumai_7-benefits-of-passwordless-authentication-activity-6889816152340623360-68iS
"Online Vote Precluding Citizens’ Volition and Memory" https://www.dhirubhai.net/posts/hitoshikokumai_democracy-privacy-ethics-activity-6903550440357675008-WT8U
‘In Series vs In Parallel’ and ‘in 2-Layer vs in 2-Entrance’ https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6873410279053651968-TnUo
It would certainly be nice to hear something back from MIT people.
Online Vote Precluding Citizens’ Volition and Memory
What if online voting came with a ‘passwordless’ authentication scheme which removes a precious defence surface of the password along with the unavoidable presence of its attack surface?
Look at the picture below and imagine a voting machine or your communications device for voting instead of an ATM, and a vote certificate card instead of a cash card.
It would be very attractive for those agents who want to interfere with elections in democratic nations, wouldn’t it?
Should you be interested in this topic, you might like to visit our recently updated website - https://www.mnemonicidentitysolutions.com/
‘NO’ to War on Democracy from within and without!
Don’t Let Them Destroy Defence from Within against Dictators’ Attacks
Driven by this report – “NJ Gov. Murphy warns 'we're all vulnerable' as Russian invasion raises cyber attack concerns” https://www.audacy.com/wcbs880/news/local/murphy-on-russia-cyber-threats-were-all-vulnerable
What if you witnessed the front gate of defence being made weaker from within?
It is actually what we are witnessing. It is what promoters of ‘passwordless’ authentication schemes are attempting, perhaps unknowingly, out of their indifference and ignorance.
“The password has an attack surface, so removing the password brings the removal of its attack surface,” they allege. There is a fatal misperception in there. They apparently fail to look at the other face of the fact, that is, the password has a defence surface, so the removal of the password brings the removal of its defence surface.
We could easily realise how ludicrous such logic is if we imagined what would happen if their logic were applied to critical non-cybersecurity aspects such as conventional national defence.
Ref: “Remove the army and we will have a stronger national defense” https://www.dhirubhai.net/posts/hitoshikokumai_going-passwordless-what-are-the-benefits-activity-6815852512889978880-R3RR
and “False Sense of Security that is Worse than Lack of Security” https://www.dhirubhai.net/posts/hitoshikokumai_biometric-identity-fraud-on-the-rise-activity-6900649696822476800-qQQh
We need to stop such a grave folly ASAP.
< Earlier References >
Remove the army and we will have a stronger national defense https://www.dhirubhai.net/posts/hitoshikokumai_going-passwordless-what-are-the-benefits-activity-6815852512889978880-R3RR
Disastrously Misguided and Misguiding Perception – ‘Removal of Authenticator’ taken as ‘Removal of Attack Surface’ https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6883640399542525952-uqN8
Beta-tester at Parrot Security, Polymath
2 years: Exactly, No Gain only loss ;-) TY Hitoshi Kokumai