Update - History, Current Status and Future Scenarios of Expanded Password System
Hitoshi Kokumai
Advocate of Identity Assurance by Citizens' Volition and Memory. Founder and Chief Architect at Mnemonic Identity Solutions Limited
Further updated on 17/Mar/2020. (Here is the original of 30/May/2019.)
On 7/Jan/2020 we incorporated the references to the publication of our article by Taylor & Francis and the selection of our proposition as a finalist for “FDATA Global Open Finance Summit & Awards 2019” quoted in the chapter of ‘History of Expanded Password System’.
On 5/Mar we added the references to the trouble-free military use of Expanded Password System for the most demanding application in the most demanding environment, with the users having increased 10-fold over the 7-year period from 2013 to 2020 and set to increase further, as well as the video interview titled ‘Expanded Password System’ by US-based Risk Group LLC, at the end of the text. Also added is the latest summary of our digital identity enterprise.
We have today referred to the adoption by AFCEA for ‘2020 Solution Review Problem Sets’.
Predicament of Digital Identity
Passwords are so hard to manage that some people are urging the removal of passwords from digital identity altogether. What would happen, then, if the password is removed from our identity assurance?
Were the password kicked out, security providers would be left with only the physical token and biometrics as authentication factors, whereas biometrics requires a fallback measure against false rejection. With the password removed, nothing but the token could serve as the fallback measure for the biometrics. The system designer would then have only the two choices that follow.
(1) authentication by the token alone, with an option of adding another token. Its security effect is highlighted in this cartoon we published 14 years ago.
(2) authentication by biometrics deployed in the ‘multi-entrance’ method with the token as a fallback measure, whatever name it may be given, the security of which is lower than that of (1), with an option of adding another token, as quantitatively explained here.
What a barren desert it would be!
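To make the comparison between (1) and (2) concrete, here is an added Python illustration that is not part of the original article or of any Mnemonic Identity Solutions product; the per-factor error rates in it are constructed placeholders, not measurements.

```python
# Added illustration, not code from the original article. It models the two
# ways the text says a biometric and a token can be combined:
# 'multi-entrance' (either factor admits the user, the token serving as the
# fallback) and 'multi-layer' (every factor must pass). All rates used below
# are constructed placeholder values.

def any_factor_passes(rates):
    """Probability that at least one of several independent events occurs
    (OR combination): 1 - product(1 - p_i)."""
    miss_all = 1.0
    for p in rates:
        miss_all *= 1.0 - p
    return 1.0 - miss_all

def all_factors_pass(rates):
    """Probability that all of several independent events occur
    (AND combination): product(p_i)."""
    prod = 1.0
    for p in rates:
        prod *= p
    return prod

def evaluate(token_far, token_frr, bio_far, bio_frr):
    """Impostor-acceptance and legitimate-user-rejection probabilities for
    the designs discussed in the text: token alone, multi-entrance,
    multi-layer. far = false-acceptance rate, frr = false-rejection rate."""
    return {
        # (1) token alone
        "token_alone": (token_far, token_frr),
        # (2) multi-entrance: an impostor needs only ONE factor to accept
        #     him; a legitimate user is locked out only if BOTH reject him.
        "multi_entrance": (any_factor_passes([token_far, bio_far]),
                           all_factors_pass([token_frr, bio_frr])),
        # multi-layer: an impostor must defeat BOTH factors; a legitimate
        # user is locked out if EITHER rejects him, which is the
        # false-rejection problem that makes a fallback necessary at all.
        "multi_layer": (all_factors_pass([token_far, bio_far]),
                        any_factor_passes([token_frr, bio_frr])),
    }

if __name__ == "__main__":
    # Constructed sample rates (assumptions for illustration only).
    results = evaluate(token_far=1e-4, token_frr=1e-3,
                       bio_far=1e-3, bio_frr=2e-2)
    for design, (far, frr) in results.items():
        print(f"{design:15s} impostor accepted: {far:.2e}"
              f"  user rejected: {frr:.2e}")
```

The multi-entrance row shows why the text ranks (2) below (1): with an OR combination the impostor-acceptance probability can never be lower than that of the token on its own.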
More significantly, password-less authentication (that is, will/volition-less authentication) is not consistent with the value of democracy. It would be a 1984-like dystopia if our identity were authenticated without our knowledge or against our will.
Then What Else?
‘Achieving higher security by removing the password’ and ‘Killing the password with biometrics’ are both no more than hyped myths. Then what else can we look to as a valid solution to the predicament of digital identity?
The answer is expanding the password system to accept credentials based on our non-text memories as well as our text memories. We call this proposition ‘Expanded Password System’.
By accepting non-text memories, especially images associated with autobiographic/episodic memories, the Expanded Password System is able to offer a number of excellent features as follows.
- It is not only stress-free for users but fun to use.
- It turns a low-entropy password into high-entropy authentication data.
- It eases the burden of managing the relationship between accounts and passwords.
- It deters phishing attacks with this unique feature.
- It can be deployed under any type of circumstance, including combat and other panicky situations.
- It supports existing schemes, such as:
  - biometrics, which require passwords as a fallback means;
  - two/multi-factor authentication, which requires passwords as one of the factors;
  - ID federations such as password managers and single-sign-on services, which require passwords as the master password.
- Simple pictorial/emoji passwords and patterns-on-grid can be deployed on this platform.
- It is relevant wherever text passwords and PIN numbers are in use.
- And nothing would be lost for people who want to keep using text passwords.
- Last but not least, it continues to rely on free will.
History of Expanded Password System
The concept of this Expanded Password System first came up in 2000. It was followed by prototyping in 2001 and commercial implementations from 2003. The history is outlined in this article: ‘How Expanded Password System got this way’.
Over the period from 2003 to 2008, the business was actually successful. We saw several commercial adoptions amounting to more than US$1 million, even though handling images was a much heavier task in those days, when CPUs were slow, bandwidth narrow and storage expensive.
It then ceased to grow as people were more and more carried away by the myths of biometrics and password-less authentication, which their advocates alleged would kill passwords altogether, our proposition included, although we knew that biometrics have to depend on the password as a fallback measure and that password-less authentication, if literally implemented, would only bring a tragically insecure cyberspace.
After struggling in vain to fight back for several years, we chose to get out of Japan where biometrics vendors were far more dominant than anywhere else, and started to look for bigger chances worldwide. Now, we have some good friends and supporters globally. The writer was invited to speak at KuppingerCole's Consumer Identity World 2018 in Seattle and Amsterdam.
In 2019 these developments were followed by two outstandingly positive events.
In September Taylor & Francis published our “Digital Identity and Our Remembrance” on its EDPACS (EDP Audit, Control and Security Newsletter) page. Below is the core logic of our discussions.
Assumption: The gains of the cyber age would turn against us if connected computers were placed under bad guys’ control. Reliable digital identity is the key to keeping bad guys off.
1. Secret credentials are absolutely necessary for digital identity in democratic societies.
2. The text password, which is one kind of secret credential, is known to be too hard to manage.
3. We could look for something other than the text password as a valid secret credential.
What can be simpler and plainer than this transparent logic? Perhaps nothing, except when one is distracted and blinded by vested interests and sunk costs.
Two months thereafter, we were suddenly contacted by the Financial Data and Technology Association (FDATA) and invited to present our proposition for “FDATA Global Open Finance Summit & Awards 2019”.
We submitted the proposition on 24/Oct and the writer was at the Edinburgh summit to receive the honor of being selected as one of the three finalists, even though we are neither an FDATA member nor related to the organization in any way. It was a dazzlingly rapid development.
Fintech people talk about Open Finance as an enabler of many good things. They talk about Digital Identity as an enabler of Open Finance and many other good things. They will be talking more about what can really be an enabler of Digital Identity, and we will be making a significant contribution to it with our knowledge and expertise as expressed in our ‘Proposition on How to Build a Sustainable Digital Identity Platform’, shortlisted for the Summit and Awards 2019.
Expanded Password System is acknowledged as a ‘Draft Proposal’ for OASIS Open Projects.
Current Status of Business Development
As indicated above, we had come up with not just prototypes but also several commercial products developed for Japanese clients, as follows (c.i. = commercial implementation, p = prototype):
Client Software for
- Device Login (c.i.)
- Applications Login (p)
- Image-to-Code Conversion (p)
Server Software for
- Online Access (c.i.)
- 2-Factor Scheme (c.i.)
- OpenID Compatible (p)
Applied Products: Data Encryption with on-the-fly key generation
- Single & Distributed Authority (c.i.)
None of them, however, is well suited for services and sales on the global markets, since the programs were all written by Japanese engineers for Japanese clients with no consideration of operation, support and maintenance outside Japan.
This also means, however, that we will be able to come up with products for the global market easily and quickly with a relatively small budget, because the algorithms are already here and all that we need to do is re-write the software in English with updated cryptography.
For a brief glimpse of what Expanded Password System can offer, watch these brief videos.
Basic Operation - on Smartphone (1m41s)
High-Security Operation - local on PC (4m28s)
Capture and registration of pictures - mapping to long PIN Codes (1m26s)
Readers might also be interested in this comprehensive FAQ.
Future Scenarios
In view of the global nature of our enterprise, we are planning to set up the headquarters in an English-speaking country where we have easy access to sufficient business and technological resources.
Identity/security-related businesses interested in sharing the benefits of Expanded Password System could choose one or more of the scenarios quoted below.
1. Become one of the co-founders of a new business entity that we are going to set up as the global headquarters.
2. Secure a highly privileged status by joining our team at OASIS Open Projects as a voting sponsorship member.
3. Secure some advantageous position by taking part in the active discussions at the OASIS Projects as a non-voting member.
4. Consider other scenarios depending on their aspiration and budget.
* All would depend on their judgement of
- how large or small the enterprise of the now-unknown Expanded Password System could grow and how long or short it could survive and sustain itself,
- as compared with the now-popular propositions such as ‘password-less authentication’, ‘biometrics as a password-killer’ and ‘physical tokens as a password-killer’,
- as a legitimate successor to traditional seals, autographs and text passwords, bearing in mind that this digital identity enterprise, serving the whole global population, could keep its value for social good until humans abandon digital identity altogether.
< Update on 5/Feb/2020 >
Towards the end of January, I was invited by US-based Risk Group LLC for a video interview on the subject of identity assurance. By the interview titled ‘Expanded Password System’ I was able to convey the huge merits of making use of our episodic image memory for digital identity to quite a few security professionals.
Separately, we are now able to confirm a successful 7-year military use of Expanded Password System for the most demanding application in the most demanding environment.
We had a contract in 2013 to supply Mnemonic Guard (the brand name in Japan for Expanded Password System) to Japan's Ground Self-Defense Force (i.e. the Army) amid the strong headwind of biometrics.
The Mnemonic Guard software was loaded on a hardened Windows machine mounted on communications-hub vehicles deployed in the field for encrypted information exchange. We have now been told that the soldiers wish to keep using Mnemonic Guard, with an upgrade to Windows 10, after 7 years of use to their satisfaction. The number of users has increased 10-fold over the period from 2013 to 2020 and is set to increase further.
The 7-year use substantiates our belief that Expanded Password System enables the soldiers to make use of their unforgettable image memories, making the login very pressure-proof; photos of toys, dolls, dogs and cats, for example, that our children loved for years would jump into our eye even when we are placed under heavy pressure and caught in severe panic.
This development is encouraging us to bring forward the plan of setting up the global headquarters. Below is the latest summary of our digital identity enterprise.
We are the first company to provide software products for Expanded Password System (EPS), which accepts images as well as text and is intended to be a legitimate successor to the time-honored seals, autographs and text-only password systems.
Our EPS software and applied solutions offer ‘Hard-to-Forget’, ‘Hard-to-Break’, ‘Panic-Proof’ digital identity authentication. The software can be used stand-alone, as the master password of password managers and single-sign-on services, as a factor in multi-factor authentication schemes and as a fallback measure for biometrics.
The versatile practicability of the EPS software is demonstrated by the 7-year use by army soldiers in the field as well as the 5-year online use by up to 140,000 digital shoppers. What is practicable in the most demanding environment for the most demanding application can easily be practiced in everyday environments for everyday applications; the reverse is not true, though.
The solid theory of our EPS proposition is endorsed by publishing by Taylor & Francis and selection as a finalist by Financial Data and Technology Association for ‘Summit and Awards 2019’. We are quickly getting recognized as Pioneer and Thought Leader in this domain.
We are on the global identity verification market, which a research company projects to reach US$12.8 billion in 2024 with a CAGR of 16%. https://www.marketsandmarkets.com/Market-Reports/identity-verification-market-178660742.html
As an advocate of low-friction and panic-proof identity authentication, we intend to provide the sort of customer support that the elderly, the electronically illiterate and those under heavy pressure, ill in bed or caught in panic can access easily and without friction, recruiting human responders even though this goes against the current trend of saving costs by recruiting robots. It will offer job opportunities to the e-literate retired elderly who are able to work part-time from home, globally, on the web.
< Update on 16/Mar/2020 >
AFCEA called for propositions for ‘2020 Solution Review Problem Sets’, which was intended to answer the U.S. Army Chief Information Officer, who is seeking solutions to emerging or existing challenges.
We submitted an abstract of our proposition for Item #3 and were notified that our abstract is kept on file as a backup and will be included in the compendium of abstracts that is made available to CIO/G6 leadership. We are very pleased to see this positive development.
< Video Interview by Risk Group LLC >
Risk Roundup | Episode #222 | Expanded Password System
< Related Articles >
For Achieving Solid Digital Identity on Information Security Buzz (Mar/2021)
What We Know for Certain about Authentication Factors
Update: Questions and Answers - Expanded Password System and Related Issues
Text Password System to Stay As-Is with Expanded Password System
Advanced Persistent Threats in Digital Identity
Technology Obsession and Liberal Arts
Negative Security Effect of Biometrics Deployed in Cyberspace
Removal of Passwords and Its Security Effect
#identity #authentication #password #security #fintech #finance #banking #biometrics #ethic #privacy #democracy
P.R. Polymath* Public Relations Parrotsec
4 years: "It would be a 1984-like Dystopia if our identity is authenticated without our knowledge or against our will" @Hitoshi Kokumai TY
Information Security Researcher, Academician, Entrepreneur | Password & Cybersecurity, Digital Identity, Biometrics Limit, 3D Education | Linux Trainer | Writer | Podcast Host
5 years: Hitoshi Kokumai, the defence organisation has been using your episodic-memory-based Extended Password System for 7 plus years. This shows the stability and security robustness of the image-based password system.
Entrepreneur | LinkedInLocal | AIESEC | Personal Development | HR | Accounting | Project | Administrator | Coordinator | Polyglot | ESG UQAM | Bujinkan (武神館忍術) | Author | Import-Export
5 years: Thanks for sharing, Hitoshi Kokumai-san. A diversified methodology of password making would most probably make it more secure as it becomes more complex. Thank you!