Safest authentication factor for your digital identity
Debesh Choudhury, PhD
Information Security Researcher, Academician, Entrepreneur | Password & Cybersecurity, Data Privacy, Blockchains, Digital Identity, Biometrics Limit | 3D Education | Writer | Linux Trainer | Podcast Host
What is the safest authentication factor for your digital identity? This is the most relevant question in an Internet-driven, networked world, because we need to safeguard our digital selves from fraudsters, hackers and all other types of cyber criminals, including the top-tier data-harvesting companies. Everybody knows the answer, yet a large number of digital citizens are drawn to the latest hype.
This question popped up while I was reading a shared document on digital identity
We can't live in this Internet-driven world without engaging ourselves digitally. We log in to our computers. We log in to our mail accounts. We log in to our social media pages. We log in to our banks to make digital financial transactions. We log in to several websites to get various services. We still access almost all of these logins with text credentials, i.e., user names and text passwords. Only recently have some digital services started to offer trial access using cards, devices and our physical selves, i.e., biometrics, but always with a text password/PIN as the fallback.
Passwords are "Something a person KNOWS"
Passwords are something we hold in our memory. Short passwords are easy to remember but are not strong. To make them stronger, passwords have to be longer and more complex. Then our memory can't cope, and we end up writing them down somewhere, where they become vulnerable to theft. If we could somehow memorise long and complex passwords, there would be nothing better than passwords.
Cards, devices are "Something a person HAS"
The security community has started testing cards and devices as authentication factors. Using a card or a device to access digital accounts is convenient: there is no password to remember, because the credential is stored in the card or the device. But then, cards and devices can be physically stolen or lost, and with shared-secret tokens a copy of the stored seed is as good as the device itself. This is a real problem. A well-designed token only releases its credential after a local PIN or biometric check, so a thief needs that secret too, but a lost device still has to be revoked at every service it was registered with.
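As an added example (not code from this article or from any product it mentions), here is how a possession factor of the one-time-code kind works, using only the Python standard library: the device holds a secret seed and derives a short code from it and the clock (RFC 4226 HOTP and RFC 6238 TOTP); the server, which holds the same seed, recomputes the code and compares. The seed below is the RFCs' published test-vector secret, chosen so the outputs can be checked against the RFCs; a real enrolment generates it from the OS random source as `enrol_new_seed()` does. The class and function names, the one-step drift window and the replay guard are this example's own choices.

```python
import hashlib
import hmac
import secrets
import struct
import time

# The seed provisioned into the device at enrolment. The seed IS the
# credential: any holder of a copy can produce valid codes. This is the
# RFC 4226 / RFC 6238 test-vector secret, used so outputs can be checked
# against the RFCs; real enrolment uses enrol_new_seed() below.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10**digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(seed, unix_time // step, digits)


def enrol_new_seed() -> bytes:
    """What a real enrolment does: 160 bits from the OS CSPRNG."""
    return secrets.token_bytes(20)


class TotpVerifier:
    """Minimal server-side state for one enrolled device: the shared seed
    plus the last counter accepted, so a captured code cannot be replayed
    inside its validity window."""

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.seed, self.step, self.digits, self.window = seed, step, digits, window
        self.last_counter = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        # Reject malformed input before any crypto: an empty or short string
        # must never be compared against a truncated code.
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = unix_time // self.step
        # Accept +/- window steps for clock drift, but never a counter at or
        # below the last one accepted (replay guard).
        lo = max(current - self.window, self.last_counter + 1, 0)
        for counter in range(lo, current + self.window + 1):
            # Constant-time compare: timing must not reveal matched digits.
            if hmac.compare_digest(hotp(self.seed, counter, self.digits), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    server = TotpVerifier(DEMO_SEED)
    device_code = totp(DEMO_SEED, now)            # computed on the token
    print("device shows     :", device_code)
    print("server accepts   :", server.verify(device_code, now))
    print("replayed code    :", server.verify(device_code, now))
    # A copied seed is indistinguishable from the real device.
    cloned_code = totp(DEMO_SEED, now + 30)
    print("cloned seed code :", server.verify(cloned_code, now + 30))
```

The last lines show the point of the paragraph: the server cannot tell a copied seed from the original device, so whoever obtains the seed (from a phone backup, a QR code screenshot, or the server's own database) owns the factor. Tokens built on asymmetric keys that never leave the hardware (smart cards, FIDO2 keys) avoid that copying problem, which is why they are usually combined with a local PIN.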
Biometrics are "Something a person IS"
Humans can be authenticated using their physiological and biological characteristics, such as fingerprints, face, iris etc., which are known as biometrics. This is appealing because humans then are their own physical credentials. But there is a problem. A biometric match is probabilistic: the matcher compares a fresh sample with a stored template and accepts it above a similarity threshold, so there is always a non-zero rate of false accepts and false rejects, whereas a text password/PIN is an exact match. That is why a text password/PIN is always kept as a fallback in case the biometric fails. Moreover, biometrics can be spoofed, and this vulnerability is growing: biometrics come under more threat every day as spoofing technology progresses at an alarming rate.
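To make the probabilistic point concrete, here is a small Python illustration added for this article (not code from any biometric product): a matcher yields a similarity score, the system accepts above a threshold, and moving the threshold only trades false accepts for false rejects. The score lists are constructed for the example and stand for no real matcher; the password check beside them is exact by construction, with the salt value also constructed.

```python
import hashlib
import hmac

# Constructed similarity scores (0 = no match, 1 = identical) of the kind a
# face or fingerprint matcher outputs. Illustrative values only: genuine users
# presenting their own trait, and impostors presenting someone else's.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.77, 0.74, 0.70, 0.66, 0.58]
IMPOSTOR_SCORES = [0.12, 0.20, 0.27, 0.33, 0.41, 0.48, 0.55, 0.61, 0.69, 0.76]


def biometric_accept(score: float, threshold: float) -> bool:
    """The biometric decision: accept when the fresh sample is 'similar
    enough' to the stored template. Wherever the threshold sits, it is a
    judgement call, not an exact match."""
    return score >= threshold


def far_frr(genuine, impostor, threshold):
    """False Accept Rate (impostors let in) and False Reject Rate (genuine
    users turned away) at one threshold."""
    far = sum(biometric_accept(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not biometric_accept(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, thresholds):
    """FAR/FRR at each threshold: raising it lowers FAR and raises FRR."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def enrol_password(password: str, salt: bytes) -> bytes:
    """Store a slow, salted hash of the password, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def password_accept(submitted: str, salt: bytes, stored: bytes) -> bool:
    """Exact comparison: the right password is accepted every time and a
    wrong one never is. There is no threshold to tune. Constant-time compare
    so timing does not leak how much of the hash matched."""
    return hmac.compare_digest(enrol_password(submitted, salt), stored)


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.6, 0.7, 0.8]):
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    salt = b"constructed-salt-for-demo"          # real systems: os.urandom(16)
    stored = enrol_password("correct horse battery", salt)
    print("right password accepted:", password_accept("correct horse battery", salt, stored))
    print("wrong password accepted:", password_accept("correct horse batter", salt, stored))
```

Because the genuine and impostor score ranges overlap, no threshold in the sweep reaches FAR and FRR of zero at the same time; the operator picks the trade-off, and the fallback PIN is what catches the genuine users the threshold rejects.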
So which authentication factor is the safest?
I have come to the conclusion that "Something a person KNOWS", i.e., passwords etc., is the safest authentication factor we humans own, because criminals can't see inside our memories. They can still steal passwords in transit, by phishing, from a breached password database or by other indirect methods, but the secret itself stays with its owner. On the other hand, what a human HAS (cards etc.) can be physically stolen, and what a human IS (biometrics) can be spoofed.
The challenge is to have a digital identity platform that helps us remember a complex and long password
We need a passcode that is equivalent to a very complex and long text password, and which is easy to remember, or rather hard to forget. This sounds like a theoretical puzzle, but it is a real requirement. I wonder whether episodic-memory-based graphical password systems can serve this purpose and let us easily remember complex and long passwords.
Have you come across any safe authentication factor to safeguard your digital identity?
Recently, I have tested a demo version of an episodic-memory-based graphical password system called "Extended Password System" (EPS). There I can select images as a passcode that I can remember easily. The graphical passcode is equivalent to a very complex and long text password, which is hard to crack: as long as the pool of images is large and the sequence long enough, image passcodes are impractical to break by programmatic guessing. Moreover, EPS is designed for panicky situations, such as the COVID-19 pandemic.
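The phrase "equivalent to a very complex and long text password" can be made exact: two passcodes are equally hard to guess when their search spaces have the same number of bits, whatever the symbols are. The following Python, added as an example for this article and not part of EPS or any other product, computes that for text alphabets and for image sequences drawn from a pool, and estimates how long an offline attacker would need at an assumed guess rate. The pool sizes, pick counts and guess rate are illustrative assumptions, and how images combine (ordered, repeats allowed) is scheme-specific and treated as an assumption in the code.

```python
import math

# Guess rate assumed for an offline attack on a fast, unsalted hash. This is
# an assumption for illustration, not a figure from the article; a slow,
# salted password hash or online rate limiting cuts it by many orders of
# magnitude.
ASSUMED_GUESSES_PER_SECOND = 1e10

TEXT_ALPHABETS = {
    "digits (PIN)": 10,
    "lowercase letters": 26,
    "letters and digits": 62,
    "printable ASCII": 95,
}


def search_space_bits(symbols: int, length: int) -> float:
    """Bits of search space for a uniformly random sequence of `length`
    symbols chosen with repetition from `symbols` possibilities: length*log2(N).
    This is the strength of a *random* passcode; a human-chosen one is weaker."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least two symbols and a positive length")
    return length * math.log2(symbols)


def image_passcode_bits(pool: int, picks: int, ordered: bool = True) -> float:
    """Search space of a graphical passcode of `picks` images from a pool of
    `pool`. Whether order matters and repeats are allowed is scheme-specific
    (assumed here): ordered with repeats gives pool**picks; an unordered set
    without repeats gives C(pool, picks), the smaller of the two."""
    if ordered:
        return search_space_bits(pool, picks)
    if picks > pool:
        raise ValueError("cannot pick more distinct images than the pool holds")
    return math.log2(math.comb(pool, picks))


def equivalent_text_length(bits: float, symbols: int) -> int:
    """Shortest random text password over `symbols` whose search space is at
    least `bits` bits: the 'equivalent text password' the article refers to."""
    return math.ceil(bits / math.log2(symbols))


def years_to_exhaust(bits: float,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: time to try every candidate (expected time
    to hit the right one is half of this)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def report(pool: int, picks: int) -> dict:
    """Compare an ordered image passcode with the text passwords it equals."""
    bits = image_passcode_bits(pool, picks)
    return {
        "bits": bits,
        "years_offline": years_to_exhaust(bits),
        "equivalent_length": {name: equivalent_text_length(bits, n)
                              for name, n in TEXT_ALPHABETS.items()},
    }


if __name__ == "__main__":
    for pool, picks in [(20, 4), (200, 6), (1000, 8)]:   # assumed scheme sizes
        r = report(pool, picks)
        print(f"{picks} ordered images from a pool of {pool}: {r['bits']:.1f} bits, "
              f"{r['years_offline']:.2g} years to exhaust offline")
        for name, length in r["equivalent_length"].items():
            print(f"   ~ {length} random {name}")
```

The numbers make the caveat concrete: four images from a pool of twenty are about 17 bits, weaker than a six-digit PIN, while six ordered images from a pool of two hundred roughly match a seven-character random printable-ASCII password. Guessing is therefore bounded by pool size and sequence length rather than impossible, so the server must still rate-limit online attempts and store only a slow, salted hash of the passcode, exactly as for text passwords.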
Do you care about the authentication factors for your digital identity?
I would love to hear your views and suggestions. If you like this article, please click a generous "Like" or any other LinkedIn reaction, and "Share" it with your acquaintances and network.
Join the LinkedIn Group “Identity Crisis: The Future of Password Security” to get updates about the future of password security, authentication technology, episodic memory based password systems and beyond.
Acknowledgement: The idea for this article was conceived while reading a shared document on digital identity by LinkedIn friend David Spinks in his LinkedIn group "Global Digital Identity (GDI)".
----------------------------------------
Join me on Twitter, Medium, Facebook, beBee, Steemit and LinkedIn
More of my articles on Digital Identity, Cybersecurity and allied topics:
- Is your chat end-to-end encrypted?
- Are Security and Privacy Intertwined?
- Privacy-Centric Authentication
- Digital Identity in Panicky Situation?
- Biometrics authentication is not reliable because it is probabilistic
- Passwordless is Like Living with the Lockers Always Open?
- Identity Crisis: The Future of Password Security
- The Biometrics Rush
- Can Cybersecurity and Quantum Computing be Friends?
- Does Cybersecurity have any Space for Digital Convenience?
- Security Ability and Convenience Bear an Uncertainty Relationship
- Convenience is the Weakest Link in Security
- Biometrics Liveness Detection May Help Criminals
- Can Liveness Detection Defeat Biometrics Spoofing Attacks?
- Biometric Data Breach Conundrum
- Is Biometrics More Secure than Text Passwords?
- Self-Sovereign Identity Depends on National Policies
- The Password Hole in the Cyber Bag
- Identity Dilemmas: Biometrics, Texts or Something Else
- Brand Identity, Digital Identity and Crypto Aspirations
- Digital Identity, Assets and Governance
- Decentralized Digital Identity: Which Distributed Ledger is Most Viable?
- Decentralized Biometrics: Is It the Ultimate Solution?
- Biometric Data Protection is a Big Challenge
- Reset Biometric Traits?
- Spoofing Biometrics isn't Impossible
- Privacy protection could have saved Aadhaar data breach
- Data Protection is a Big Challenge
For more articles, stories, and insights follow #DebeshChoudhury
* * * * * * * * * * * * * * * * * * * * * *
I am a researcher and academician in electronics and applied photonics. My current research focuses on Privacy Protected Digital Identity. My friend Jose Munoz Mata and I are researching distributed ledger technology for decentralized digital identity and other real-world applications.
In June 2015, Dr. Jeffrey Strickland and I founded a new LinkedIn group called "The Unfluencers". To learn about the history of "The Unfluencers", please read the seminal LinkedIn article by Dr. Jeffrey Strickland entitled "Who are the Unfluencers". This is an open group; you are welcome to join it and engage in the discussions. The Unfluencer® logo is a registered trademark of Dr. Jeffrey Strickland.
Text Copyright © 2020 Debesh Choudhury. All Rights Reserved
#identity #authentication #password #datasecurity #dataprivacy #democracy #emergency #disaster #panic #government #pandemic #cybersecurity #infosensys #dazlabsasia #learningtimes #debeshchoudhury #josemunozmata
Interested in contracting in cybersec, IT infrastructure, anti-spam | Growing a spam intel startup | FinEID 136964277 | EstEID 37308170088
4 years ago: The personal ID smartcards issued by some governments (Estonia being the notable example) can indeed be stolen, but if you don't know the PIN codes the cards are as good as garbage. I invite you to study the Estonian electronic ID infrastructure.
Carefully standardized Reference Geek at ANS Group Plc; JOAT and penguin farmer
4 years ago: I am playing with FIDO2 ATM, but have hit the obvious problem there - MS Windows suddenly stopped recognising USB for no obvious reason, making the USB token unusable on that device. Which is a shame, as most MFA solutions really, really don't scale.
X-Ray(Metaphor) | Music Composition | Design & Build Software , Electronic Devices & Mobile Apps by combining & riveting together multidisciplinary technologies and multitude of ideas | Psychology | Philosophy
4 years ago: The Expanded Password System using episodic memory is no doubt good for personal accounts, but for non-personal and business accounts, a hardware key along with a password is safe. Most business owners want their employees not to access the system after office hours or outside working hours. To protect their sensitive information, they want full control over access to the system. This is where hardware key + password solves their problem: as the hardware key remains in the office, the employees will not be able to access the system after office hours or on holidays.