Removal of Passwords and Its Security Effect (updated on 13/May/2021)
Hitoshi Kokumai
Advocate of Identity Assurance by Citizens' Volition and Memory. Founder and Chief Architect at Mnemonic Identity Solutions Limited
Assume that the password has been removed from digital identity. Then digital identity platforms would have only two authenticators - physical tokens and biometrics.
Biometrics by its nature requires a fallback measure against false rejection, and only the physical token could be the fallback measure for biometrics in this situation. Here we have only two scenarios.
(1) authentication by a physical token, with an option of adding another token. Its security effect is plainly illustrated above and below.
(2) authentication by biometrics deployed in the ‘multi-entrance’ method with a physical token as the fallback measure, with an option of adding another token. Its security is even lower than (1), as quantitatively examined in "Quantitative Examination of Multiple Authenticator Deployment".
We reckon that quite a few professionals of cyber security and identity management are well aware of these facts but something seems to prevent them from speaking out. Possibly, once they had touted those powerless solutions and recommendations to millions of clients, it might be embarrassing to admit the facts.
But it’s never too late to return. They are expected to speak out.
PS Good Use of Biometrics
By its nature, biometrics, when used as an authenticator, brings down security in cyber space. However, this does not mean that biometrics is useless in cyber space. Biometrics, particularly the behavioral biometrics, could help for security if used, not as an authenticator, but as a part of the likes of an early warning system.
< Excerpt from Quantitative Examination .... >
Vulnerability (attack surface) of an authenticator is generally presented as a figure between 0 and 1. The larger the figure is, the larger the attack surface is, i.e., the more vulnerable. Assume, for instance, as just a thought experiment, that the vulnerability of the PKI-enabled token (x) be 1/10,000 and that of the password (y) be 10 times more vulnerable, say, 1/1,000. When the two are deployed in the ‘multi-layer’ method, the total vulnerability (attack surface) is the product of the two, i.e., (x) and (y) multiplied. The figure of 1/10,000,000 means it is 1,000 times more secure than (x) alone.
On the other hand, when the two are authenticators deployed in ‘multi-entrance’ method, the total vulnerability (attack surface) is obtained by (x) + (y) – (xy), approximately 0.0011. It is about 11 times less secure than (x) alone.
So long as the figures are below 1, whatever figures are given to (x) and (y), deployment of 2 authenticators in ‘multi-layer’ method brings higher security while ‘multi-entrance’ deployment brings lower security. As such ‘multi-layer’ and ‘multi-entrance’ must be distinctly separated when talking about security effects of multiple authenticators.
The same calculation applies to biometrics used in cyber space where it has to rely on a fallback password/PIN deployed in ‘multi-entrance’ method against false rejection. You might assume that biometrics deployed with a password/PIN in ‘multi-layer’ method should bring us a very high security. But, very sadly, this scenario never comes true. When rejected by biometrics, what can we do? We will only see that we are unable to login even if we can feed our password/PIN.
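The arithmetic of the excerpt above, written out as a small Python module. This is an added illustration, not the author's code or part of the original article. The figures are the excerpt's own thought-experiment values (token x = 1/10,000, password y = 1/1,000); the extension to more than two authenticators (product for ‘multi-layer’, 1 minus the product of (1 - v) for ‘multi-entrance’, which reduces to the excerpt's x + y - xy for two) assumes the authenticators fail independently, the same assumption the two-factor formulas make. The biometrics-plus-fallback values in the last function are constructed for illustration only.

```python
"""Combined attack surface of authenticators under 'multi-layer' (AND)
and 'multi-entrance' (OR) deployment.

Added illustration, not the article author's code. Fractions keep the
arithmetic exact so the figures can be read off directly.
"""
from fractions import Fraction
from functools import reduce
from operator import mul


def _check(vulns):
    # A vulnerability is a figure between 0 and 1, as the excerpt states.
    if not vulns:
        raise ValueError("need at least one authenticator")
    for v in vulns:
        if not 0 <= v <= 1:
            raise ValueError(f"vulnerability {v} is not between 0 and 1")


def multi_layer(*vulns):
    """'Multi-layer': the attacker must defeat EVERY authenticator.

    Total attack surface is the product x * y * ... (independent factors).
    """
    _check(vulns)
    return reduce(mul, vulns, Fraction(1))


def multi_entrance(*vulns):
    """'Multi-entrance': defeating ANY ONE authenticator is enough.

    Total attack surface is 1 - (1-x)(1-y)..., which for two
    authenticators expands to the excerpt's x + y - xy.
    """
    _check(vulns)
    survive_all = reduce(mul, (Fraction(1) - v for v in vulns), Fraction(1))
    return Fraction(1) - survive_all


def security_factor(baseline, combined):
    """baseline / combined: >1 means the combination is more secure than
    the baseline alone, <1 means it is less secure."""
    return Fraction(baseline) / Fraction(combined)


def ranking_holds(*vulns):
    """The excerpt's general claim: for figures below 1, multi-layer never
    exceeds the strongest single factor and multi-entrance never falls
    below the weakest one."""
    return multi_layer(*vulns) <= min(vulns) <= max(vulns) <= multi_entrance(*vulns)


def worked_example():
    """The excerpt's thought experiment as exact fractions."""
    x = Fraction(1, 10_000)  # PKI-enabled token
    y = Fraction(1, 1_000)   # password, 10 times more vulnerable
    layer = multi_layer(x, y)
    entrance = multi_entrance(x, y)
    return {
        "token_alone": x,
        "multi_layer": layer,                                   # 1/10,000,000
        "multi_layer_vs_token": security_factor(x, layer),      # 1000 (times more secure)
        "multi_entrance": entrance,                             # 10999/10,000,000, about 0.0011
        "multi_entrance_vs_token": security_factor(x, entrance),  # about 1/11 (11 times less secure)
    }


def biometrics_with_fallback(biometric_vuln, fallback_vuln):
    """Biometrics with a fallback password/PIN against false rejection is a
    multi-entrance deployment, so the result is never better than the
    weaker of the two. Values are whatever the caller constructs."""
    return multi_entrance(biometric_vuln, fallback_vuln)


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:>25}: {value} ({float(value):.7g})")
    # Constructed illustration values, not figures from the article.
    b, p = Fraction(1, 5_000), Fraction(1, 1_000)
    print("biometrics + fallback PIN:", biometrics_with_fallback(b, p), float(biometrics_with_fallback(b, p)))
```

Running the module prints the excerpt's figures: 1/10,000,000 for multi-layer (1,000 times more secure than the token alone) and 10999/10,000,000 for multi-entrance (about 0.0011, roughly 11 times less secure). `ranking_holds` can be called with any set of figures below 1 to check the excerpt's general statement numerically.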
< Update on 12/Feb/2020 >
What does not exist will never be stolen
Removing what can be stolen from the picture can indeed ensure that what can be stolen will never be stolen and abused.
Removing the password from digital identity can obviously ensure that the password will never be stolen and abused. Then, exactly by the same logic, removing the cryptographic-enabled physical token can also ensure that the cryptographic-enabled physical token will never be stolen and abused.
This cartoon produced 15 years ago will hopefully help to unravel this seemingly complicated but actually simple problem.
I am very curious to know what the promoters of 'token-based password-less authentication' have to say.
< Update on 19/Feb/2020 >
What you ignore does not exist
Inconvenient reality?
Ignore it and it does not exist.
Two factors used together in a security-lowering ‘multi-entrance’ deployment and the two factors used together in a security-enhancing ‘multi-layer’ deployment have exactly the opposite security effects?
Ignore it and it does not exist. You will have the security-enhancing biometrics used with a default/fallback password in a security-lowering ‘multi-entrance’ deployment.
Being insufficient is different to being harmful?
Ignore it and it does not exist. You will see a password-removed authentication that is more secure than a password authentication. By the same logic, you will also see a token-removed authentication that is more secure than a token-based authentication.
PIN is no more than a weak form of numbers-only password?
Ignore it and it does not exist. You will have a ‘PIN-based Password-less authentication’.
< Update on 20/Dec/2020 >
Bizarre Theory of Password-less Authentication
The theory is “A ground force can be easily defeated by air attack. Then, removing the ground force from our defense will make our defense securer”.
Replace ‘ground force’ with ‘password’, ‘air attack’ with ‘password theft’ and ‘defense’ with ‘cybersecurity’, and we realize that this is what happens when ‘insufficient’ is mixed up with ‘harmful’ in cyberspace.
Well, why are we so persistent in busting the falsehood of password-less authentication?
Because the widespread falsehood of password-less authentication is so persistent, as indicated in this report – “Is the future of cybersecurity passwordless?” https://www.openaccessgovernment.org/passwordless/97090/
< Update on 11/Mar/2021 >
What we need to do for NOT achieving Solid Digital Identity
Follow the arguments that promote ‘passwordless authentication’ or ‘password-dependent password-less authentication’ and we would be successful in not achieving solid digital identity.
Should ‘passwordless’ literally mean ‘removal of all the password family’, we would actually be watching a ‘passwordless authentication’ that is quite like an ATM that does not ask for your PIN in dispensing your money.
Should a PIN, that is a numbers-only weak password, be used in the passwordless authentication, we would be watching a delusive ‘password-dependent password-less authentication’.
Either of them would infallibly take us away from solid digital identity.
Ref: “What We Know for Certain about Authentication Factors” https://lnkd.in/gdUsfd9
Incidentally, biometrics, which requires a default/fallback password/PIN, is naturally unable to support the ‘passwordless’ authentication.
< Update on 28/Apr/2021 >
Get the password removed and we’ll see something very nice
It would be true if this remark were uttered by bad guys; the passwordless identity security is indeed very favourable to them, though not to good citizens.
Removal of the password benefits bad guys in two ways – The lowered security is directly beneficial to criminals. On top of that, especially where it is touted by known big businesses, it provides a further advantage to the criminals, who would be dealing with the less guarded citizens who are trapped in the false sense of security.
Key References
Negative Security Effect of Biometrics Deployed in Cyberspace
Slide: Biometrics in Cyber Space — “below-one” factor authentication
Additional References
For Achieving Solid Digital Identity on Information Security Buzz (Mar/2021)
“Impact of Episodic Memory on Digital Identity”
Digital Identity for Global Citizens
What We Know for Certain about Authentication Factors
Summary and Brief History — Expanded Password System
Proposition on How to Build Sustainable Digital Identity Platform
External Body Features Viewed as ‘What We Are’
History, Current Status and Future Scenarios of Expanded Password System
Update: Questions and Answers — Expanded Password System and Related Issues
< Videos on YouTube>
Slide: Outline of Expanded Password System (3 minutes 2 seconds)
Digital Identity for Global Citizens (10 minutes — narrated)
Demo: Simplified Operation on Smartphone for consumers (1m41s)
Demo: High-Security Operation on PC for managers (4m28s)
Demo: Simple capture and registration of pictures by users (1m26s)
< Media Articles Published in 2020 >
Digital Identity — Anything Used Correctly Is Useful https://www.valuewalk.com/2020/05/digital-identity-biometrics-use/
‘Easy-to-Remember’ is one thing ‘Hard-to-Forget’ is another https://www.paymentsjournal.com/easy-to-remember-is-one-thing-hard-to-forget-is-another/
Identity Assurance And Teleworking In Pandemic https://www.informationsecuritybuzz.com/articles/identity-assurance-and
Comment (4 years ago): Another consideration is that what some call a 'PIN' is not a pin but a password. A true PIN does not work the same as a password. A good writeup on this from my former employer, MSFT is: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password
Comment (4 years ago): The fallback measure for biometrics could be the helpdesk were it not for the high rate of error. Burning through people resources on the helpdesk side is not desirable because the manpower is better spent on proactive measures. Biometric is a factor I don't consider secure enough to be an effective independent factor. Cost may also make a quality biometric system not suitable even if one achieves reliability on par with hardware tokens. The best use of biometric seems to be to supplant the PIN in hardware tokens with the hope of further reducing helpdesk calls to reset forgotten PINs. I look forward to seeing more about Yubikey's 'BIO' version previously announced and hope for more data about its rate of false rejection. It may strike a good balance to reduce the potential for abuse of a lost/stolen key before it is deactivated. The question is: will it do that and still have the very low rate of helpdesk impact I've seen in shops that use Yubikey over rotating PIN devices, etc., which I see as not nearly as user friendly? https://www.yubico.com/blog/yubico-reveals-first-biometric-yubikey-at-microsoft-ignite/