Mnemonic Gateways as Leading Digital Identity App (updated 16/Nov/2023)
Hitoshi Kokumai
Advocate of Identity Assurance by Citizens' Volition and Memory. Founder and Chief Architect at Mnemonic Identity Solutions Limited
We aim to capture a quarter of the global demand for digital identity apps in 2027 with Mnemonic Gateways, our new-breed leak-proof password manager that has no password vault, the beta of which will be released shortly. This paper explains why we are confident and how we will achieve it.
Assuming that people in cyber security and digital identity are familiar with password managers, we concentrate on where and how Mnemonic Gateways differs from the rest.
Where it’s different
A. Having nothing like a password vault, it leaves no stored secret for a hacker to steal.
B. Being practicable, and storing no credentials or passwords in the program, it frees us from a single point of failure.
C. It offers a healthy second life to legacy password systems.
What’s in it?
At its core is the “Image-to-Code Converter” technology outlined in this 9-page slide deck - https://www.slideshare.net/HitoshiKokumai/imagetocode-converter-31july2023pptx
(added 16Nov2023)
How it’s different
A. Having nothing like a password vault, it leaves no stored secret for a hacker to steal.
It is ‘leak-proof’: the passwords are generated and re-generated on the fly by our image-to-code converter from the user's hard-to-forget episodic image memory, and they are deleted from the software, along with all intermediate data, when the software is shut down.
When you log in to the software by picking your registered images, a unique secret credential is generated (or re-generated) from the image data on the fly.
You then select the account that needs a password from the account list, and the software sends the user ID and the unique password derived from that secret credential to the login page of the target account.
* Significance of removing the password vault
Keeping a password vault, whether offline or online and whether encrypted or not, is a perilous act. Without a vault, a fatal weakness of the password manager is gone.
Mnemonic Gateways, our own password management solution, which we are going to put on the global market shortly, holds no password. We committed in 2002 to a software design that keeps no secret credential in the software itself.
Passwords, when required, are generated and regenerated from the user's unforgettable images, which are registered as their secret credential. Once used to log in to a target account, those passwords are eliminated from the software altogether.
Put differently, those passwords exist nowhere while the software is not running, yet they can be recovered from the registered images that only the legitimate user can correctly locate.
It would not be easy for even a skilled criminal to steal what does not exist and can only be regenerated from within the user's brain.
* Further Security Consideration
1. Image-based password systems let the user select several pictures embedded among dozens of decoys.
When it comes to defence against brute force attacks on passwords, we talk about 80 bits, 160 bits and so on, and it is obvious that ‘several out of dozens’ never reaches such figures. This observation leads some security professionals to conclude, wrongly, that solid identity security by image-based passwords is a delusion.
Here is what actually goes on in the real world.
What ‘several images among dozens’ has to cope with is not automated brute force attacks on the server but visual-manual attacks on the display. A million trials, say 20 bits, would be no more than a joke against an automated brute force attack, but it makes a pretty tall wall against visual-manual attacks.
It could theoretically face automated brute force attacks where the device from which we log in has already been compromised. Can it be an issue in this context? It can: an attacker who holds the grid and the salt only has to enumerate the possible selections, as discussed below.
By the way, combinations of several images let the converter work on inputs of millions of bits -
Take a combination of 5 images. A pixel of an electronic image usually takes 24 bits for full-colour rendering, so 50,000 pixels amount to 1.2 million bits. If a credential is made from a combination of 5 images, each image needs to be 10,000 pixels (100x100) to reach 1.2 million bits: 100x100x24x5 = 1,200,000.
Should we put a 1,000 x 1,000 image behind each 100 x 100 thumbnail, the 5-image combination would feed 120 million bits (1000x1000x24x5) into the converter. Moreover, we could put any larger unique random data (giga, tera and so on) behind the thumbnails that citizens need to identify. The burden on citizens remains that of locating 5 images.
A caveat that a security reviewer will raise: these figures are the size of the converter's input, not the guessing entropy of the credential. Against an attacker who does not have the images, the derived secret is unpredictable; against one who holds the grid (a compromised device or a copied image library), the search space collapses to the number of possible selections, so the large hidden data keeps the secret out of reach of remote guessing but adds no bits against a local enumeration.
Well, this feature is common to all grid-formed picture passwords, not unique to our proposition. What makes our solution unique is that we enable and encourage citizens to make use of their non-volatile episodic image memory, say, images linked to their emotion-coloured personal experiences, so that secret credentials can reliably be generated and regenerated on the fly. The burden on citizens will be that of locating 5 UNFORGETTABLE images embedded in decoy images.
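As an added example, which is not the author's code and not Mnemonic Gateways' implementation, the following Go program shows the image-to-code step as the page describes it (hash the selected images in the order picked, then stretch) and then runs the check a security reviewer would perform on the figures above: with the grid in hand, an attacker recovers the credential by enumerating the selections, however many bits of image data went into the hash. The grid, the salt and the iteration count are constructed for the demo, and PBKDF2-HMAC-SHA256 stands in for the Argon2id step mentioned in Remark 1 because Argon2id is not in Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// demoGrid is a constructed stand-in for the image matrix: image index -> pixel
// bytes (4 KiB of deterministic filler each). The size is irrelevant to the attack.
func demoGrid(n int) [][]byte {
	grid := make([][]byte, n)
	for i := range grid {
		seed := sha256.Sum256([]byte(fmt.Sprintf("constructed-image-%d", i)))
		grid[i] = bytes.Repeat(seed[:], 128)
	}
	return grid
}

// stretch is a minimal PBKDF2-HMAC-SHA256 (one 32-byte block). It stands in for
// the Argon2id step the page mentions, which is not in the standard library.
func stretch(input, salt []byte, iters int) [32]byte {
	mac := hmac.New(sha256.New, input)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index
	u := mac.Sum(nil)
	var out [32]byte
	copy(out[:], u)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// ImageSecret is the image-to-code step: hash the chosen images in the order
// picked (length-prefixed so image boundaries are unambiguous), then stretch.
// The result is recomputed at every login and never written to storage.
func ImageSecret(grid [][]byte, selection []int, salt []byte, iters int) [32]byte {
	h := sha256.New()
	var n [4]byte
	for _, idx := range selection {
		binary.BigEndian.PutUint32(n[:], uint32(len(grid[idx])))
		h.Write(n[:])
		h.Write(grid[idx])
	}
	return stretch(h.Sum(nil), salt, iters)
}

// SelectionBits is the guessing entropy faced by an attacker who already holds
// the grid: ordered picks of k out of n images, i.e. log2 of n*(n-1)*...*(n-k+1).
func SelectionBits(n, k int) float64 {
	b := 0.0
	for i := 0; i < k; i++ {
		b += math.Log2(float64(n - i))
	}
	return b
}

// RecoverByEnumeration is the attacker's side on a compromised device: with the
// grid and salt in hand, try every ordered k-selection until the derived secret
// matches. It returns the recovered selection and the number of trials spent.
func RecoverByEnumeration(grid [][]byte, k int, salt []byte, iters int, target [32]byte) ([]int, int) {
	trials := 0
	var found []int
	used := make([]bool, len(grid))
	sel := make([]int, 0, k)
	var walk func()
	walk = func() {
		if found != nil {
			return
		}
		if len(sel) == k {
			trials++
			if ImageSecret(grid, sel, salt, iters) == target {
				found = append([]int(nil), sel...)
			}
			return
		}
		for i := range grid {
			if !used[i] {
				used[i] = true
				sel = append(sel, i)
				walk()
				sel = sel[:len(sel)-1]
				used[i] = false
			}
		}
	}
	walk()
	return found, trials
}

func main() {
	grid := demoGrid(12)
	salt := []byte("constructed-per-user-salt")
	secret := ImageSecret(grid, []int{7, 2, 10}, salt, 1000)
	fmt.Printf("input hashed: %d bits; selection space: %.1f bits\n", 3*4096*8, SelectionBits(12, 3))
	sel, trials := RecoverByEnumeration(grid, 3, salt, 1000, secret)
	fmt.Printf("recovered selection %v after %d trials\n", sel, trials)
}
```

The run hashes 98,304 bits of image data into the secret, yet the enumeration finds the 3-of-12 selection in at most 1,320 trials (about 10.4 bits). The stretching only multiplies that small number by the cost of one derivation; for 5 of 36 the ordered space is about 25.4 bits, which is the figure an attacker with a copy of the grid actually faces.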
2. The user can optionally turn the generated password into a ‘target password’ that they feed manually (* a password they are told to use, or one required to contain certain numbers of upper/lower-case letters, numbers and symbols, etc.).
Security - Both the generated password and the ‘target password’ are eliminated from the software when it is shut down, and are re-generated when the user logs in to the software with the correct combination of images.
3. The same passwords are regenerated even if, while logged in, you change the images used for login; a relevant formula (one that maps the credential derived from the new images to the passwords) is incorporated in the software.
Security - Should the formula leak, it would not matter, since the formula cannot produce the correct passwords unless the correct combination of images is selected. For that to hold, the formula must not itself contain the old credential in recoverable form; its security rests entirely on the new image selection.
4. While we do not use a vault for storing passwords, we provide a vault for storing various user data.
Security - The user data is also leak-proof: the cryptographic key for the user data vault is not stored in the program but is generated and regenerated from (and only from) the correct combination of images the user registered as their secret credential. The key does not exist anywhere once the software is shut down, until the user logs in to the software next time.
By the way, on-the-fly regeneration of non-existent passwords or crypto keys from image data is not something we developed recently. We developed it in 2003 and implemented it commercially in 2004-05. It did not make a big impact in those days, presumably because it came two decades too early, and partly because it was an event within Japan.
Remark 1: In 2003 we used the combination of MD5 and SHA-1 for hashing and AES-128 for symmetric encryption. As of June 2023, we deploy the combination of SHA-256 and Argon2id for hashing and AES-256-GCM for symmetric encryption. (added 20June2023)
Remark 2: The first source of images is citizens' own photo albums/libraries. The second is copyright-free images available on the web.
Confidentiality-sensitive users are advised to retouch their images lest they be identified by bad actors armed with advanced image-search programs. We plan to provide a highly automated image editing program of our own. (added 22May2023)
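As an added example that is not Mnemonic Gateways' code, the following Go program takes the 32-byte secret that the image-to-code step yields (here a constructed stand-in; the image handling itself is shown in the earlier example) and derives from it, without storing anything, a policy-conforming ‘target password’ per account (items 2 and 3 above) and the AES-256-GCM key for the user-data vault (item 4 and Remark 1). The account labels, the domain-separation strings, the password policy and the 64-character alphabet are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// A 64-character alphabet: one byte & 63 selects a character without modulo bias.
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"

// hasAllClasses is a typical target-password policy: lower, upper, digit, symbol.
func hasAllClasses(pw []byte) bool {
	var lower, upper, digit, symbol bool
	for _, c := range pw {
		switch {
		case c >= 'a' && c <= 'z':
			lower = true
		case c >= 'A' && c <= 'Z':
			upper = true
		case c >= '0' && c <= '9':
			digit = true
		default:
			symbol = true
		}
	}
	return lower && upper && digit && symbol
}

// AccountPassword derives the per-account password from the image-derived secret.
// The account name is the domain separator; a counter is bumped until the policy
// passes, so the result is a pure function of (secret, account) and is never stored.
func AccountPassword(secret [32]byte, account string, length int) string {
	if length < 4 || length > 32 {
		panic("length must be 4..32 for this single-block example")
	}
	for ctr := uint32(0); ; ctr++ {
		mac := hmac.New(sha256.New, secret[:])
		mac.Write([]byte("account-password\x00" + account + "\x00"))
		binary.Write(mac, binary.BigEndian, ctr)
		stream := mac.Sum(nil)
		pw := make([]byte, length)
		for i := range pw {
			pw[i] = alphabet[stream[i]&63]
		}
		if hasAllClasses(pw) {
			return string(pw)
		}
	}
}

// VaultKey derives the AES-256 key for the user-data vault from the same secret,
// domain-separated from the password derivation. It exists only while logged in.
func VaultKey(secret [32]byte) []byte {
	mac := hmac.New(sha256.New, secret[:])
	mac.Write([]byte("vault-key"))
	return mac.Sum(nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault encrypts with a fresh random nonce, prepended to the ciphertext.
func SealVault(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenVault decrypts and authenticates; a wrong key or a tampered byte fails.
func OpenVault(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("vault blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	// Constructed stand-in for the converter output; the real value comes from the images.
	secret := sha256.Sum256([]byte("constructed image-derived secret"))
	fmt.Println("mail.example password:", AccountPassword(secret, "mail.example", 20))
	key := VaultKey(secret)
	blob, _ := SealVault(key, []byte("constructed card details"))
	plain, err := OpenVault(key, blob)
	fmt.Println("opened:", string(plain), err)
	for i := range key { // log-out: wipe the key; the blob stays sealed until the next login
		key[i] = 0
	}
	_, err = OpenVault(key, blob)
	fmt.Println("open after wipe:", err)
}
```

Only the sealed blob and the account list need to persist; the password, the vault key and the secret they come from are all recomputed from the image selection at the next login.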
B. Being practicable, it frees us from a single point of failure.
Mnemonic Gateways is an applied solution of the Expanded Password System, which has been in use by the Japanese Army since 2013 for the ‘hard-to-forget’, ‘hard-to-break’ and ‘panic-proof’ credentials it provides. We are told that the software will stay in use for at least 10 more years.
The merits of non-volatile episodic image memory let us easily handle multiple password-managing modules, each with its own unique set of images; this helps us avoid creating a single point of failure.
C. It offers a healthy second life to legacy password systems
Offering a healthy second life to the ubiquitous legacy text password systems is equivalent to enabling global citizens to make safer use of conventional text password systems.
Outstanding Features
1. user-friendly operation
2. 'hard-to-forget' and 'panic-proof' secret credential
3. high entropy of the re-generated passwords
4. single point of failure avoidable
5. easy export/import across multiple devices and OSs
6. no need for a vault to store passwords and personal data
7. lightweight program
8. distributed 2-factor options
9. data separation and integration options
Prospect
We expect revenue from sales of high-security versions to tens of millions of professional users, while offering a standard version to billions of global consumers at no cost.
More specifically, Mnemonic Gateways will come in three versions - (1) a usability-focused standard version offered to billions of consumers free of charge, (2) a security-focused business version for millions of business people, which will be charged for, and (3) an MFA version for the smaller number of professionals who require extra defence.
This report reads “The total number of apps will exceed 4.1 billion globally by 2027” - https://www.thinkdigitalpartners.com/news/2023/03/02/digital-identity-apps-to-surpass-4-1-billion-by-2027/
With these hitherto unknown unique features, coupled with a marketing scheme for the quickest global adoption, we believe it feasible to capture a quarter of the global demand for digital identity apps in 2027.
There is more to it: should the sandcastles of falsehood-based ‘passwordless’ and ‘biometrics’ authentication schemes collapse in an avalanche sooner than now anticipated, we would likely be far more dominant than the present forecast.
In order to accelerate the overall process, we are planning a crowdfunding campaign to secure the budget upon the beta release.
Reference
For our overall activity -
“Fend Off Cyberattack with Episodic Memory” (Slide - 24Feb2023)
For related topics -
Intermezzo
Some more information
Backdrop
Many people expected ‘password managers’ to help. However, their effectiveness is limited: while a conventional password manager relieves us of the burden of remembering a number of passwords, it does not relieve us of the burden of remembering the crucial master password, which has to withstand fierce attack. It is truly hard to remember a truly hard-to-remember password.
More importantly, users of conventional password managers cannot escape the concern that their precious passwords could leak. Should that happen, the single point of failure that often comes with a password manager could wreak havoc.
Incidentally, a password manager does not help with login to the user's devices, which becomes particularly evident when we look at the login to the very devices on which the password manager is installed. This issue is not solved by Mnemonic Gateways; wait for another applied solution of the Expanded Password System for login to devices.
Cost Benefit of Using Images for Login
When we first came up with the idea of using memorable images for identity authentication in 2000, the costs borne by users and service providers were much heavier than now in 2023.
CPUs were far slower, bandwidth much narrower and memory chips far more expensive. We nevertheless progressed the development in the belief that the situation would change in due course.
Now, our environment is very different. CPUs and communications are fast enough to handle dozens of large pictures in seconds, and memory chips are really affordable. What we now see in login by image selection is -
Cost users bear - picking several unforgettable images from among dozens of meaningless decoys at each login, besides a one-off, pleasant effort of handling pleasing images when preparing an image matrix.
Benefit users receive - secret credentials that are strongly defended against both visual-manual attacks on the display and automated brute force attacks on the server. Where citizens are encouraged to register images of pleasant episodic memories, the work of login, which used to be demanding and painful, becomes pleasant, joyful and relaxing.
Images of toys, dolls, dogs and cats, for example, that our children loved for years would jump out at us even under heavy pressure or in severe panic. Stressful and painful login is history. (added 30May2023)
Image-based Login Misunderstood by Developers Themselves
A number of people have looked to the potential of picture passwords, sadly with a big misunderstanding of their own, but we have a different view.
There have basically been two types of proposition.
A. Selecting several easy-to-remember points on a big image -
It is impossible for a human to remember the position of the correct point to the accuracy of a pixel, which a computer does trivially. The software therefore has to judge whether the pixel picked is close enough to, or too distant from, the registered pixel, and that judgement depends on a threshold the programmer adjusts. This makes the method ‘probabilistic’, which brings the same problem we see in biometrics, namely false acceptance and false rejection.
One vendor seems to have misled themselves into believing that this method would bring huge mathematical strength, ignoring its probabilistic nature. They killed their solution by a misunderstanding of their own.
B. Selection of the registered images embedded among decoys on a grid/matrix -
It looks impossible for ‘several images among dozens of decoys’ to achieve the mathematical strength required to withstand brute force attacks, which break 80 bits, 160 bits and so on. Most picture-password developers seem to have been trapped in this misunderstanding of their own.
We know that this is not the case: the threat of ‘visual-manual attacks on the display’ is very different from ‘automated brute force attacks’ on the data server. A figure of 20 bits, say a million attempts, would be a bad joke against automated attacks, whereas it makes a pretty tall wall against visual-manual attacks on the display.
Well, (A) was among the first round of our patent applications in 2000, but we soon decided to drop it for the reason explained above. We have since been persistently on the course of (B). (added 5June2023)
Roadmap
The image-to-password conversion module is already completed.
The beta version of Mnemonic Gateways is expected to be ready shortly.
Consumer, Business and Professional versions for English-speaking markets are expected to be ready 12 months after a successful fundraising.
A dozen or so translated versions are expected to be ready in 24 months.
* Features common to the Consumer, Business and Professional versions:
- Hard-to-forget and hard-to-break secret credential for authentication
- On-the-fly password generation/regeneration through conversion from the selected images to very high-entropy passwords
- Leak-proof, because the passwords are deleted at shutdown along with the temporary calculation data and re-generated on the fly next time. In other words, no need for the likes of a vault that could be broken into.
** Features for the Business and Professional versions:
- Management of personal data such as credit card details
- Software portable across multiple devices and OSs
- Extra security-enhancing features
*** Features for the Professional version:
- Data separation between the device and the network
- Upgrade option to a PKI-based 2-factor authentication scheme
After Mnemonic Gateways, the core elements of this password manager will be re-used to produce a sister solution for on-the-fly re-generation of decryption keys for cryptography-based solutions.
Pricing
We first offer the consumer version to global citizens free of charge. Our revenue is expected to come from the more versatile business version of Mnemonic Gateways, which will be announced upon the launch of distribution of the free consumer version.
Users of the consumer version can opt to upgrade to the business version, bringing all their registered data with them, for a one-off purchase price of around US$60 with no time limit. In view of the unprecedented features of ‘maximizing the entropy of the generated passwords while minimizing the users' burden’, which help to avoid creating a single point of failure, and which our software has and others do not, our price should be found competitive and attractive by serious business users.
Budget
We estimate that US$250k to $500k would enable us to complete the consumer and business/professional versions of the Mnemonic Gateways password manager for English-speaking markets.
An additional $250k would enable us to produce translated versions for several African and Asian languages in scarcity-ridden areas, with large and rich countries desirably left to regional partners.
With another $250k, we would make our solutions known to as many people as possible in every corner of the globe, in the belief that the more quickly our solutions are known, the more quickly global citizens will be freed from the persistent threats to their digital identity.
Besides being prepared to spend a substantial budget on making our solutions known to the global population as speedily as possible, we also set aside some budget to secure future colleagues and successors who are looking for a job of mission, profession, passion and vocation.
We will need more people to join our endeavour of ‘Identity Assurance by Our Own Volition and Memory’ for global citizens in one way or another, and to find out what the world needs, what they love and what they are good at, besides what they can be paid for.
After Mnemonic Gateways
From the third year on, our activity will incorporate more EPS-powered solutions, including cryptographic key generator software, add-on login tools for users' devices, web-deployed EPS solutions and custom-made solutions for critical sectors such as defence, government services, healthcare, finance, and social and industrial infrastructure.
Let us say a bit more about the first two projects -
(A) Cryptographic Key Generator - Private keys for PKI will be regenerated by the same process by which Mnemonic Gateways regenerates passwords. The software will be completed with a minor tweak to the core of Mnemonic Gateways.
Situation - While PKI is known to play a crucial role for safety in cyberspace, the cryptographic keys for PKI have been stored on hardware or disk, which means they are vulnerable to theft, whereas good identity assurance practice should never leave crypto keys unprotected, however long and strong they may be.
The Key Generator is a software solution for generating and regenerating an asymmetric cryptographic key of very high entropy on the fly from the large image data of citizens' episodic memory.
Security and Availability - The crypto keys, once used, are eliminated and exist nowhere, yet can be recovered from citizens' non-volatile episodic memory whenever needed, so there is no stored key for an attacker to take, whatever computing power, including AI or quantum computing, they bring to bear on storage. (The strength of the key against cryptanalysis still depends on the algorithm chosen and, as with the passwords, on the selection space an attacker who holds the grid faces.)
Ref: “Account Recovery with Expanded Password System”
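As an added example, not the Key Generator's own code, the following Go program shows the mechanism described under (A): a PKI key pair regenerated deterministically from the 32-byte secret the image-to-code step yields, used, wiped, and regenerated in a later session. The secret is a constructed stand-in here, Ed25519 is the algorithm chosen for the example, and the purpose label and domain-separation string are choices made for it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// KeyPairFromImageSecret regenerates a PKI key pair from the 32-byte secret the
// image-to-code step yields. The seed is domain-separated by purpose so one image
// selection can back a signing key, an encryption key and the password manager
// without any of them revealing the others.
func KeyPairFromImageSecret(secret [32]byte, purpose string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, secret[:])
	mac.Write([]byte("pki-seed\x00" + purpose))
	seed := mac.Sum(nil) // 32 bytes, which is ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	for i := range seed {
		seed[i] = 0
	}
	return priv.Public().(ed25519.PublicKey), priv
}

// Wipe zeroes the private key after use (best effort: Go may have copied it).
// The next login regenerates it from the same images.
func Wipe(priv ed25519.PrivateKey) {
	for i := range priv {
		priv[i] = 0
	}
}

func main() {
	// Constructed stand-in for the converter output; the real value comes from the images.
	secret := sha256.Sum256([]byte("constructed image-derived secret"))
	msg := []byte("constructed message")

	// Session 1: regenerate the key, sign, then discard the private key.
	pub, priv := KeyPairFromImageSecret(secret, "signing")
	sig := ed25519.Sign(priv, msg)
	Wipe(priv)

	// Session 2: the same selection yields the same key, so the earlier signature still verifies.
	pub2, _ := KeyPairFromImageSecret(secret, "signing")
	fmt.Println("same key:", pub.Equal(pub2), "signature valid:", ed25519.Verify(pub2, msg, sig))
}
```

Because the key is a pure function of the image-derived secret, the public key can be enrolled once and the private key never needs to be stored; conversely, anyone who can reproduce the secret (see the enumeration caveat above) can reproduce the key, so the selection space, not the image size, is the bound to reason about.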
(B) Add-on Login Software for Users' Devices - The software will be completed by slightly modifying the software that has been used by the Japanese Army for soldiers on communications vehicles since 2013 and is expected to stay in use for 10 more years.
Among the many different user devices, we could first look at mobile phones, which are now viewed as a lifeline by billions of citizens for business, social and personal life.
Situation - For most citizens, it is extremely demanding and cumbersome to type a safe, say long and complex, password on a mobile phone.
What we could think of are -
1. Login by PIN code or grid pattern? - Easy to practise, but we have to be uneasy when we store sensitive data in the phone.
2. Biometrics? - Very convenient, but we know that the overall security is lower than a PIN/pattern-only login, because the two factors are deployed in a two-entrance, in-parallel formation: either one alone unlocks the device.
3. No password, no PIN, no pattern, say absolutely no protection? - Skipping login altogether could be an answer where we are determined to store no valuable information in the phone.
With our device login software, we only need to locate and touch several pictures from among dozens of decoys on the display, while the entropy it provides is high enough to fend off persistent attackers.
Security and Availability - We offer the same features as the login software used by the Japanese Army. It is solidly secure and easily practicable even in extremely stressful environments.
Well, we reckon that these additional business segments that follow the password manager project will eventually outgrow it by tens of times over one or two decades. Being recognized as pioneer and thought leader in this domain, we assume that we will be able to secure and keep a sizeable share of the Total Accessible Market (TAM) of identity assurance and digital identity even amid competition from newcomers who follow us with look-alike products.
We firmly believe that the global population will continue to need the best form of identity assurance by our own volition and memory over many generations or centuries, until humans come up with something other than ‘digital identity’ for safe and orderly societal life. We, as a going concern, will continue to serve.