Update: Questions and Answers - Expanded Password System and Related Issues

Updated from the earlier version of 30/Sep/2018 

The following questions are answered in this update.

- What shall we do with the legacy text-only password systems?

- Who adopted Expanded Password System for what?

- What do we think makes ‘what we are’?

- Does it make sense to compare different authenticators?

- Are you sure that the password is easy to crack?

- How different is ‘hard-to-forget’ from ‘easy-to-remember’?

- What impact does computing power have on the processing of secret credentials?

- What are ‘necessary’ and ‘sufficient’ conditions for reliable identity assurance?

- Does a solid theory warrant a solid implementation?

- What role does cryptography play for Expanded Password System?

- What is ‘on-the-fly’ key regeneration?

- Is Expanded Password System complementary to FIDO2?

- What can ‘probabilistic authenticators’ achieve in cyberspace?

- How different is ‘Another Layer’ from ‘Another Entrance’?

- Is a default password different from a fallback password?

- Why do so many people not hesitate to sacrifice privacy for decreased security?

- What are correct use cases of biometrics?

- Why was the UK adopted as the venue for the global headquarters?

Questions and Answers

Password and Expanded Password System

New Q: What shall we do with the legacy text-only password systems?

New Q: Who adopted Expanded Password System for what?

New Q: What do we think makes ‘what we are’?

New Q: Does it make sense to compare different authenticators?

New Q: Are you sure that the password is easy to crack?

New Q: How different is ‘hard-to-forget’ from ‘easy-to-remember’?

New Q: What impact does computing power have on the processing of secret credentials?

New Q: What are ‘necessary’ and ‘sufficient’ conditions for reliable identity assurance?

New Q: Does a solid theory warrant a solid implementation?

New Q: What role does cryptography play for Expanded Password System?

New Q: What is ‘on-the-fly’ key regeneration?

New Q: Is Expanded Password System complementary to FIDO2?

Q: How would you like to define ‘Password’?

Q: What do you think about password-less authentications?

Q: What merits and demerits do you see in ID federations?

Q: What do you think about two/multi-factor authentications?

Q: Why did you think of making use of episodic memory?

Q: What do you rely on for your understanding of episodic memory?

Q: Why do you think people have been sticking to characters for passwords?

Q: How can it cope with hacking of the image identifier data?

Q: What if users register the images that are easy for attackers to guess?

Q: How do you handle ‘combination’ and ‘permutation’ for image registration?

Q: What do you think about shoulder surfing?

Biometrics

New Q: What can ‘probabilistic authenticators’ achieve in cyberspace?

New Q: How different is ‘Another Layer’ from ‘Another Entrance’?

New Q: Is a default password different from a fallback password?

New Q: Why do so many people not hesitate to sacrifice privacy for decreased security?

New Q: What are correct use cases of biometrics?

Q: Can you tell us some more about false rejection as against false acceptance?

Q: Do you allege that biometrics is useless for security?

Q: Do you know something about what is happening with biometrics in India?

Overall

New Q: Why was the UK adopted as the venue for the global headquarters?

Q: Why did you take up George Orwell’s 1984 and Delacroix’s Goddess of Liberty?

Q: Why have you been so unknown for as long as 17 years?

Q: Why do you think so many security professionals tried not to listen to you?

Password and Expanded Password System

New Q: What shall we do with the legacy text-only password systems?

 A: https://www.dhirubhai.net/pulse/text-password-system-stay-as-is-expanded-hitoshi-kokumai

 New Q: Who adopted Expanded Password System for what?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6677761669030125569-eDhW

 New Q: What do we think makes ‘what we are’?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6665079970219593728-E24O

 New Q: Does it make sense to compare different authenticators?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6656782645411831808-MjMi

 New Q: Are you sure that the password is easy to crack?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_easy-to-remember-is-one-thing-hard-to-forget-activity-6661037522530906112-kI_y

 New Q: How different is ‘hard-to-forget’ from ‘easy-to-remember’?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6656395682787753984-Ts1B

New Q: What impact does computing power have on the processing of secret credentials?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_removal-of-passwords-and-its-security-effect-activity-6651313582883606528-VCVs

 New Q: What are ‘necessary’ and ‘sufficient’ conditions for reliable identity assurance?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6661789631241035776-x93m

 New Q: Does a solid theory warrant a solid implementation?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6677466209044328448-Z61C

New Q: What role does cryptography play for Expanded Password System?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6678120452411531264-tfCF

 New Q: What is ‘on-the-fly’ key regeneration?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6682826362807566336-2UfD

 New Q: Is Expanded Password System complementary to FIDO2?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_removal-of-passwords-and-its-security-effect-activity-6671937157302669312-MJWH


 Q: How would you like to define ‘Password’?

A: We are of the view that it would be most desirable to define ‘Password’ most broadly. As a denotational definition, it could be ‘Whatever we remember and recall volitionally for identity authentication’.

As a connotation, it could be “A shared secret known only by two consenting parties. The secret will be submitted by one party to the other on request. It is used to verify legitimate access to an asset of shared interest.” (This was suggested by a British friend of mine.)

Incidentally, password-like texts written on a memo or stored in a physical device should be given a name other than ‘Password’. For now I would like to call them ‘physically possessed passwords’, as against ‘passwords’ or ‘remembered passwords’.

Physically possessed high-entropy passwords have the potential merit of being strong against brute-force attacks, but they are as vulnerable to physical theft as other physically possessed objects such as cards and tokens.

Against wiretapping we see no difference between remembered and physically possessed passwords.

 Q: What do you think about password-less authentications?

A: I understand password-less authentication to be volition-less authentication. We are of the belief that identity authentication with no confirmation of our volition is not compatible with the values of democratic societies. What I see in a password-less world is a 1984-like authoritarian society where Big Brother dominates.

 Q: What merits and demerits do you see in ID federations?

 A: ID federations such as single-sign-on services and password managers indeed help us mitigate the burden of managing so many passwords.

On the other hand, ID federations create a single point of failure, like putting all the eggs in one basket: the federation manages all my passwords while it remains uncompromised and loses all of them to criminals once it is hacked.

 ID federations should be operated in a decentralized formation or should be considered mainly for relatively lower-security accounts, not for the highest-security business accounts which should desirably be protected by all different strong passwords unique to each account. Needless to say, the strength of the master-password is crucially important in any case.

 Q: What do you think about two/multi-factor authentications?

 A: It certainly could have a big merit for better security. It should, however, be operated with caveats.

 Firstly, ‘2’ and ‘3’ are indeed larger than ‘1’ on paper, but we should not forget that two or three weak children may well be much weaker than a single toughened guy.

Secondly, physical tokens, cards, phones and memos are easily left behind, lost, stolen and abused. Then the remembered password is the last resort. Two/multi-factor authentication can be reliable only when it comes with a reliable password; a truly reliable two/multi-factor solution for the most important accounts requires the most reliable password.

Incidentally, all the factors of two/multi-factor authentication must be deployed ‘in series’ (every factor must be passed), not ‘in parallel’ (passing any one factor suffices). Biometrics deployed ‘in parallel’ instead of ‘in series’ must not be counted as a factor of two/multi-factor authentication. We need to harbor serious doubt when we hear of a two/multi-factor authentication that is claimed to have biometrics as one of its factors.

 Q: Why did you think of making use of episodic memory?

 A: It is known that the episodic memory is the cognitive core of our continuous identity. It ensures the continuity of our perception of our self. 

 It is obvious that our bone, flesh, fat or skin does not make our identity as a citizen living in societies. We could be more rational in defining our identity as a social being...

 Q: What do you rely on for your understanding of episodic memory?

A: An example is the book “The Seven Sins of Memory – How the Mind Forgets and Remembers” (2001) by Daniel Schacter.

 Q: Why do you think people have been sticking to characters for passwords?

 A: Frankly, I have no answer.

It is now broadly known that human beings are far better at remembering and recalling visual memories than text memories. We have hundreds of millions of years of history for visual memory, whereas the history of our text memories is no more than hundreds of years for most of us. It is also known that CPUs are now fast enough, network bandwidth broad enough, data storage cheap enough and digital cameras affordable enough.

As such there is no reason to hesitate to use images for identity authentication. And yet, people apparently think only about text when they talk about passwords. I can only think of ‘momentum’, ‘sheer force of habit’ or cognitive biases such as ‘normalcy bias’. I would wish to ask for the help of researchers in cognitive science and behavioral economics.

 Q: How can it cope with hacking of the image identifier data?

A: We could opt to store a part of the authentication data, including the image identifier data, on the user’s device while the rest of the authentication data is stored elsewhere, say, on a server on the network. An attacker would then have to compromise both the device and the server, which makes hacking next to impossible.
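As an added illustration of the split described in this answer (this is example code, not the Expanded Password System's own implementation, whose internals the page does not describe), the credential key is regenerated at each login from the remembered, ordered image selection plus a random salt that never leaves the device, while the server keeps only a verifier keyed with its own salt. The image identifier strings, the salt lengths, the PBKDF2 work factor and the record layouts are all assumptions made for the example:

```python
import hashlib
import hmac
import secrets

# Constructed sample: the user's secret is an ordered selection of image
# identifiers. The identifier format is an assumption (opaque strings here).
SAMPLE_SELECTION = ["img:beach-2012", "img:dog-rex", "img:grandma-kitchen", "img:bike-red"]

ITERATIONS = 100_000  # PBKDF2 work factor; assumed, tune for the slowest target device


def derive_key(selection, device_salt, iterations=ITERATIONS):
    """Regenerate the credential key from the remembered selection and the
    device-held salt. Order is preserved, so this is 'permutation' mode:
    the same images in a different order give a different key."""
    material = "\x1f".join(selection).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, device_salt, iterations, dklen=32)


def enroll(selection):
    """Split the authentication data: the device keeps its salt, the server
    keeps a verifier keyed with its own salt. Neither half reproduces the
    key on its own, and the key itself is stored nowhere."""
    device_record = {"device_salt": secrets.token_bytes(16)}
    server_salt = secrets.token_bytes(16)
    key = derive_key(selection, device_record["device_salt"])
    verifier = hmac.new(server_salt, key, "sha256").digest()
    server_record = {"server_salt": server_salt, "verifier": verifier}
    return device_record, server_record


def authenticate(selection, device_record, server_record):
    """Recompute the key from what the user remembers and what the device
    holds, then compare against the server's verifier in constant time."""
    key = derive_key(selection, device_record["device_salt"])
    candidate = hmac.new(server_record["server_salt"], key, "sha256").digest()
    return hmac.compare_digest(candidate, server_record["verifier"])


def server_only_guess_succeeds(selection_guess, server_record):
    """Attacker model: the server database leaked but the device did not.
    Even a correct guess of the selection cannot be confirmed, because the
    128-bit device salt is unknown; a random stand-in is used here."""
    unknown_salt = secrets.token_bytes(16)
    key = derive_key(selection_guess, unknown_salt)
    candidate = hmac.new(server_record["server_salt"], key, "sha256").digest()
    return hmac.compare_digest(candidate, server_record["verifier"])


if __name__ == "__main__":
    device, server = enroll(SAMPLE_SELECTION)
    print("correct selection:", authenticate(SAMPLE_SELECTION, device, server))
    print("same images, wrong order:", authenticate(SAMPLE_SELECTION[::-1], device, server))
    print("server DB alone, right guess:", server_only_guess_succeeds(SAMPLE_SELECTION, server))
```

Whoever steals the server table cannot even confirm a correct guess of the images without the device salt, and whoever steals the device holds only a salt with nothing to check a guess against; the memorized selection itself is written nowhere. Losing the device still means re-enrolment, which is the usual cost of keeping part of the secret on a possessed object.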

 Q: What if users register the images that are easy for attackers to guess?

A: The specification of Expanded Password System requires user guidance that spells out what to do and what not to do with the images to be registered.

Specifically, pictures uploaded to social media should never be registered as part of the password. It could, however, be a good idea to use them as decoys to confuse attackers and make them waste their time in vain.

 Q: How do you handle ‘combination’ and ‘permutation’ for registration and recognition of images?

A: The specification of Expanded Password System requires a guideline in which the gains and losses of ‘combination’ and ‘permutation’ are plainly explained. Combination (only which images are chosen matters) demands less effort from users, whereas permutation (the order of the chosen images matters too) gives a far larger search space and therefore higher mathematical strength against manual attacks on the screen.
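To put numbers on the gains and losses, here is an added worked example (not from the original page) that computes the search space, the entropy in bits and the length of an equivalent text password for both modes on the same grid. The grid sizes and the assumed hand-guessing rate of one attempt every three seconds with no lockout are constructed for illustration:

```python
from math import comb, log2, perm


def search_space(n_images, k_selected, ordered):
    """Number of distinct secrets when k images are picked from n on screen.
    ordered=False is 'combination': only which images are picked matters.
    ordered=True is 'permutation': the order of the picks matters as well."""
    if not 0 < k_selected <= n_images:
        raise ValueError("need 0 < k_selected <= n_images")
    return perm(n_images, k_selected) if ordered else comb(n_images, k_selected)


def entropy_bits(n_images, k_selected, ordered):
    """Entropy in bits, assuming the user picks uniformly at random."""
    return log2(search_space(n_images, k_selected, ordered))


def equivalent_text_length(bits, alphabet_size=95):
    """Length of a uniformly random text password over the given alphabet
    (95 = printable ASCII) carrying the same entropy."""
    return bits / log2(alphabet_size)


def hours_to_exhaust(space, attempts_per_second):
    """Hours to try every secret at a fixed rate; the expected time to hit
    the right one is half of this."""
    return space / attempts_per_second / 3600


def compare_modes(n_images, k_selected, attempts_per_second=1 / 3):
    """Side-by-side figures for both modes on one grid. The default rate,
    one manual attempt every three seconds, is an assumed figure for an
    attacker guessing by hand on the screen with no lockout."""
    rows = {}
    for name, ordered in (("combination", False), ("permutation", True)):
        space = search_space(n_images, k_selected, ordered)
        bits = log2(space)
        rows[name] = {
            "space": space,
            "bits": round(bits, 1),
            "ascii95_chars": round(equivalent_text_length(bits), 2),
            "hours_by_hand": round(hours_to_exhaust(space, attempts_per_second), 1),
        }
    return rows


if __name__ == "__main__":
    for n, k in ((16, 4), (25, 5), (36, 6)):
        print(f"{k} of {n} images")
        for mode, row in compare_modes(n, k).items():
            print(f"  {mode:12s} {row}")
```

For 5 of 25 images the ordered mode multiplies the search space by 5! = 120, from 53,130 to 6,375,600 secrets (about 15.7 versus 22.6 bits), which is still only the strength of a three-to-four-character random ASCII password; the figures show why the guideline has to weigh user effort against a lockout or rate limit on manual attempts rather than rely on the grid alone.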

 Q: What do you think about shoulder surfing?

 A: We could mitigate the threat by randomly changing the positions of images at each access, possibly combined with reducing the image sizes. 

Images remembered afresh are hard to locate, but well-known images are far easier to locate. It is as if these memorable, unforgettable, known images jump out at us even when they are greatly shrunk in size.
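The mitigation above, as an added simulation that is not part of the original page: a shoulder surfer records where the user taps in one session and replays those positions in the next, and because the layout is reshuffled with a CSPRNG each time, the replay picks different images. The 4x4 grid and the user's selection are constructed sample data:

```python
import secrets

# Constructed sample: a 4x4 grid of image identifiers and the user's
# registered choice of 4 of them. Identifier strings are assumed opaque.
GRID_IMAGES = [f"img{i:02d}" for i in range(16)]
USER_SELECTION = ["img03", "img07", "img12", "img14"]

_rng = secrets.SystemRandom()  # CSPRNG: the next layout must not be predictable


def new_layout(images):
    """Shuffle grid positions afresh for every login attempt."""
    layout = list(images)
    _rng.shuffle(layout)
    return layout


def taps_for(selection, layout):
    """Grid positions the user taps for their images in this layout; this is
    all a shoulder surfer recording the screen or the smudges captures."""
    return [layout.index(img) for img in selection]


def images_at(taps, layout):
    """What replaying recorded tap positions actually selects in a layout."""
    return [layout[pos] for pos in taps]


def replay_attack_succeeds(selection, images):
    """Observer records tap positions in one session and replays them in the next."""
    observed_layout = new_layout(images)
    recorded_taps = taps_for(selection, observed_layout)
    next_layout = new_layout(images)
    return images_at(recorded_taps, next_layout) == selection


def replay_success_rate(selection, images, trials=200):
    """Fraction of sessions in which a position replay happens to work."""
    hits = sum(replay_attack_succeeds(selection, images) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    layout = new_layout(GRID_IMAGES)
    print("legitimate taps this session:", taps_for(USER_SELECTION, layout))
    print("position replay success rate:", replay_success_rate(USER_SELECTION, GRID_IMAGES))
```

Note what the shuffle does and does not buy: it defeats an observer who captured tap positions or a smudge pattern, but not one who could identify the pictures themselves, which is why the answer pairs it with shrinking the images.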


 Biometrics

 New Q: What can ‘probabilistic authenticators’ achieve in cyberspace?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6657111780965355520-pi2n

 New Q: How different is ‘Another Layer’ from ‘Another Entrance’?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6661129659054460928-lO7V

 New Q: Is a default password different from a fallback password?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_early-models-of-smartphones-were-safer-than-activity-6682495426207326208-dWwl

New Q: Why do so many people not hesitate to sacrifice privacy for decreased security?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_puzzling-perception-sacrificing-privacy-activity-6667688557014077441-t-e6

 New Q: What are correct use cases of biometrics?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_air-force-and-disa-working-to-secure-off-the-shelf-activity-6671253950278316032-RvXO

 Q: Can you tell us some more about false rejection rates (FRR) as against false acceptance rates (FAR)?

A: FAR and FRR are not independent variables; they depend on each other. Furthermore, they are not just mutually dependent but in a trade-off relation, because both are set by the same decision threshold of the matcher. When the FAR is close to 0 (zero), the corresponding FRR is close to 1 (one). When the FRR is close to 0 (zero), the corresponding FAR is close to 1 (one).
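An added worked example (not from the original page) for this answer and for the earlier point about factors deployed ‘in series’ versus ‘in parallel’: the matcher scores are constructed from two overlapping distributions with a fixed seed, and sweeping the threshold shows FAR and FRR moving in opposite directions. The composition formulas assume the two factors fail independently, which is an assumption of the example:

```python
import random

# Constructed sample: matcher scores in [0, 1] for 2000 genuine users and
# 2000 impostors, drawn from two overlapping Gaussians with a fixed seed.
# Real matchers differ, but any overlap between the two populations yields
# the same kind of trade-off.
_rng = random.Random(2018)


def _clip(x):
    return min(1.0, max(0.0, x))


GENUINE_SCORES = [_clip(_rng.gauss(0.70, 0.10)) for _ in range(2000)]
IMPOSTOR_SCORES = [_clip(_rng.gauss(0.40, 0.12)) for _ in range(2000)]


def far(threshold, impostor_scores=IMPOSTOR_SCORES):
    """False acceptance rate: share of impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(threshold, genuine_scores=GENUINE_SCORES):
    """False rejection rate: share of genuine users whose score falls short of it."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(steps=20):
    """(threshold, FAR, FRR) at evenly spaced thresholds. The threshold is the
    only knob, so any setting that lowers one rate raises the other."""
    return [(t / steps, far(t / steps), frr(t / steps)) for t in range(steps + 1)]


def equal_error_rate(steps=200):
    """Threshold where FAR and FRR cross, the usual one-number summary."""
    return min(sweep(steps), key=lambda row: abs(row[1] - row[2]))


# Combining two factors, assuming they fail independently (an assumption;
# correlated failures only make the parallel case worse).
def impostor_accept_series(far_a, far_b):
    """'In series': both factors must pass, so an impostor must beat both."""
    return far_a * far_b


def impostor_accept_parallel(far_a, far_b):
    """'In parallel': either factor suffices (biometrics with a password
    fallback), so an impostor needs to beat only the weaker one."""
    return 1 - (1 - far_a) * (1 - far_b)


def genuine_reject_series(frr_a, frr_b):
    """'In series' also rejects a genuine user if either factor rejects."""
    return 1 - (1 - frr_a) * (1 - frr_b)


def genuine_reject_parallel(frr_a, frr_b):
    """'In parallel' rejects a genuine user only if both factors do."""
    return frr_a * frr_b


if __name__ == "__main__":
    for t, a, r in sweep(10):
        print(f"threshold {t:.1f}: FAR {a:.3f}  FRR {r:.3f}")
    t, a, r = equal_error_rate()
    print(f"EER near threshold {t:.3f}: FAR {a:.3f} FRR {r:.3f}")
    print("assumed FAR: password 1e-6, biometric 1e-3")
    print("  in series:  ", impostor_accept_series(1e-6, 1e-3))
    print("  in parallel:", impostor_accept_parallel(1e-6, 1e-3))
```

The sweep is the practical check to ask a vendor for: a quoted FAR means nothing without the FRR measured at the same threshold. The last two lines show the ‘in parallel’ point numerically: a biometric that can be bypassed by a fallback password admits an impostor whenever either one is beaten, so the combined acceptance rate can only be higher than the password’s alone.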

 Q: Do you allege that biometrics is useless for security?

 A: No. I agree that it is very useful for forensic and other purposes of individual’s identification.

As for identity authentication, it brings not just better convenience but also some protection, which is better than nothing although lower than password-only protection.

In any case, biometrics could be recommended where convenience matters, but must not be recommended where security matters.

 Q: Do you know something about what is happening with biometrics in India?

A: I know that several deaths were reported as a result of officials’ inappropriate reaction to false rejections by biometrics.

And the actual, measured false rejection rates turned out to be 6% for fingerprints and 8.5% for iris scans, although the corresponding false acceptance rates are not known. I am also aware of the report that up to 19 million biometric records had been mixed up. This kind of mishap can happen to any one of us, anywhere and at any time.


 Overall

New Q: Why was the UK adopted as the venue for the global headquarters?

 A: https://www.dhirubhai.net/posts/hitoshikokumai_identity-authentication-password-activity-6674918786648428544-TLF-

Q: Why did you take up George Orwell’s 1984 and Delacroix’s Goddess of Liberty in the slide?

A: If forced to choose between security for Big Brother and security for citizens, I would choose security for the citizens. The picture of the Goddess of Liberty treading on Big Brother could be symbolic of that.

 Q: Why have you been so unknown for as long as 17 years?

 A: People who were carried away by the hyped attractiveness of biometrics and the inflated hi-tech image of password-less solutions would not listen to us.

Actually, over the period 2003 to 2008 we were successful in Japan. We saw several commercial adoptions amounting to some US$1 million, even though CPUs were so slow, bandwidth so narrow and storage so expensive in those days.

It then ceased to grow as people were more and more carried away by the biometrics and password-less solutions which their advocates alleged would kill the likes of passwords altogether. We know, however, that biometrics have to depend on the password as a fallback measure against false rejection, and that a password-less society would only lead us to dystopia.

After struggling in vain to fight back for several years, we chose to get out of Japan, where biometrics promoters were exceptionally dominant, and started to look for bigger chances worldwide. We now have a lot of friends and supporters globally. Expanded Password System is now acknowledged as a ‘Draft Proposal’ for OASIS Open Projects. And I was given the chance to speak in front of the audience of Consumer Identity World 2018.

 Q: Why do you think so many security professionals tried not to listen to you for so long?

 A: Our view is that those professionals, who had loudly advocated, promoted and endorsed biometrics and password-less authentications, might well suspect that listening to us could throw them into an awkward psychological situation that is extremely inconvenient or embarrassing to them. 

 We could think of ‘cognitive dissonance’ coupled with such cognitive biases as ‘sunk-cost bias’, ‘confirmation bias’ and ‘normalcy bias’. It could well provide a very good research theme for sociology, psychology, cognitive science and behavioral economics.



< References >

For Achieving Solid Digital Identity on Information Security Buzz (Mar/2021)

Summary and Brief History - Expanded Password System

 Proposition on How to Build Sustainable Digital Identity Platform

External Body Features Viewed as ‘What We Are’

 History, Current Status and Future Scenarios of Expanded Password System

Negative Security Effect of Biometrics Deployed in Cyberspace

Removal of Passwords and Its Security Effect

Availability-First Approach


< Videos on YouTube>

Slide: Outline of Expanded Password System (3minutes 2seconds)

Demo: Simplified Operation on Smartphone for consumers (1m41s)

Demo: High-Security Operation on PC for managers (4m28s)

Demo: Simple capture and registration of pictures by users (1m26s)

Slide: Biometrics in Cyber Space - "below-one" factor authentication


< Latest Media Articles Published in 2020 Spring>

Digital Identity – Anything Used Correctly Is Useful https://www.valuewalk.com/2020/05/digital-identity-biometrics-use/

‘Easy-to-Remember’ is one thing ‘Hard-to-Forget’ is another https://www.paymentsjournal.com/easy-to-remember-is-one-thing-hard-to-forget-is-another/

Identity Assurance And Teleworking In Pandemic https://www.informationsecuritybuzz.com/articles/identity-assurance-and


#identity #authentication #password #security #biometrics #ethic #privacy #democracy #emergency #disaster #panic #defense #government #pandemic #teleworking
