Follow logic and we will find a simple fact: what was presented by a number of big names as an extremely complicated problem is actually not complicated at all. It is just simple and plain as unraveled below.
Proposition 1: Secret credentials are absolutely necessary for digital identity platforms.
Proposition 2: The text password, which is a section of the secret credentials, is hard to manage, often loathed as a cause of pains and miseries.
Conclusion: Assuming that both Proposition 1 and 2 are valid, logic leads us to conclude that we could and should look for ‘something other than the text password’ in the domain of ‘Secret Credentials’. This is the only logical conclusion. There cannot be anything else.
Well, we obviously need to examine whether Proposition 1 and 2 are both valid or not.
- Proposition 1: Secret credentials are absolutely necessary for digital identity platforms.
- From technical point of view, we would have only ‘biometrics’ and ‘physical tokens’ as authenticators where the ‘secret credential’ has been removed from digital identity altogether.
The biggest headache of the digital identity is ‘Password’, more accurately, ‘Text Password’, which is so hard to manage that some people are urging the removal of the ‘Password’ from digital identity altogether.
It is too narrow-sighted, however. We should consider what would actually happen if the password is removed from the digital identity altogether. Where the password is removed, designers of the digital identity platform would be given only a physical token and a biometric sensing as authenticators.
Biometrics requires a fallback measure against false rejection. Then, with the password removed, nothing but the token could be the fallback measure for the biometrics. System designer could have only the following two choices.
- authentication by a physical token alone, with an option of adding another token, security effect of which is highlighted in this cartoon we published 14 years ago.
(2) authentication by a biometric sensing deployed in ‘multi-entrance’ method with a physical token as a fallback measure, security of which is lower than (1) , with an option of adding another token.
Two Houses with One Entrance and Two Entrances. Which is easier to sneak into?
The token and the password/PIN can be deployed on its own and also with other valid authenticators in the security-enhancing ‘multi-layer’ methods, whereas the biometrics generally cannot be deployed on its own. It can be deployed only in the security-lowering ‘multi-entrance’ methods along with a fallback measure, as quantitatively explained in ‘Quantitative Examination of Multiple Authenticator Deployment’.
We would have to live in a miserably insecure environment.
- From non-technical point of view, the password-less (will/volition-less) authentication is not compatible with the value of democracy.
It would be a 1984-like Dystopia if our identity is authenticated without our knowledge or against our will/volition.
- Proposition 2: The text password, which is a section of the secret credentials, is hard to manage, often loathed as a cause of pains and miseries.
Human beings are so diversified that there may be some people who love the text password, finding no problem in memorizing and recalling a limitless number of unique hard-to-break passwords together with the relations to all different corresponding accounts.
We will come back to those people later. For now, we assume that nobody doubt the validity of this proposition.
Given that these two propositions are valid, our conclusion is valid unless we are unfaithful to logic.
‘Secret Credentials’ are made of ‘Text Password’ and ‘Non-Text Password’. Now that we know that ‘Text Password’ is not sufficient, we could and should supplement and enhance the text password by bringing in ‘Non-Text Password’. There cannot be any other logical conclusion.
Furthermore, the secret credentials made of text passwords and non-text passwords could satisfy the need of the people who love the text password as well as the people who hate the text password.
As such, the real question is simply how to provide both ‘text passwords’ and ‘non-text passwords’ on a platform.
What will be a Successor to Seals, Autographs and Text Passwords?
‘Achieving higher-security by removing the password’ and ‘Killing the password by biometrics and physical tokens’ are both no more than the hyped myths. ‘Text passwords’ are not loved but ‘the password’ is absolutely necessary. Then, what else can we look to as a valid solution to the predicament of digital identity?
Our answer is expanding the password system to accept credentials made from our non-text memories as well as the text memories. Humans have a huge memory capacity for non-text memories – visual, audio, tactile, gustatory, olfactory, which have supported our history over hundreds of millions of years – besides the text memory our human ancestors acquired only hundreds of years ago among the large parts of the population.
We could consider making use of these deep-inscribed memory capacities, particular the visual memories. And, we know that the latest computers and phones are so good at handling visual images.
When expanding the password, we could consider making use of our autobiographic memories, episodic memory in particular.
Well, we could take one basic requirement into account – Democratic societies must provide citizens with the identity authentication measures that are practicable in disaster recovery and other emergencies.
When injured and panicked with empty hands in emergencies, how can we get authenticated securely and reliably?
Authenticating empty-handed and injured people cannot be done without involving ‘secret credentials made from our memory’. Physical tokens and biometrics do not help.
Getting empty-handed, injured and panicked people authenticated cannot be achieved without involving ‘Panic-proof secret credentials’. Images of episodic memories are panic-proof.
And it should be emphasized that what is practicable in panicky situations is easily practicable in everyday life – the reverse is not true.
We call this proposition ‘Expanded Password System’
Expanded Password System that drastically alleviates the password fatigue is supportive of
– Biometrics that require passwords as a fallback means against false rejection
– Two/multi-factor authentications that require passwords as one of the factors
– ID federations such as password managers and single-sign-on services that require passwords as the master-password
– Simple pictorial/emoji-passwords and patterns-on-grid that can all be deployed on the common platform
* All with the effects that handling memorable images makes us feel pleasant and relaxed
– Nothing would be lost for the people who want to keep using textual passwords
– It enables us to turn a low-entropy password into a high-entropy authentication data
– It is easy to manage the relation between accounts and the corresponding passwords
– It helps deter sophisicated phishing attacks
– It helps to build practicable Brain-Machine/Computer-Interface
– It helps with Self-Sovereign Identity and Bring Your Own Identity
Lastly but not the least, it is democracy-compatible by way of providing the chances and means to get our own volition confirmed in our identity assurance.
Expanded Password System is now at the stage of Draft Proposal’ for OASIS Open Projects.
Fight against the threats to our descendants
We are facing several grave threats, some real and imminent, some theoretical or imaginary. At the top of the imminent threats list is probably the climate change, which is also viewed as an existential risk.
We could be somewhat hopeful on this threat; thousands of professionals and politicians debating how to avert the catastrophe, millions of volunteers endeavoring to awaken the population about its gravity and billions of people already aware of this problem to some extent, say, things moving apparently in the correct direction if not as fast as it should, despite a pocket of infamously noisy opponents and sceptics
If not an existential threat like the global warming, the subject of this article, the absence of a valid digital identity platform, could be one of the most grave threats, since it could force our descendants to experience erosions of democracy and chaotic social life, if left unsolved,
A valid digital identity platform is indispensable for sustaining democratic societies and human rights in the cyber era, perhaps until our descendants get to live a safe and democratic life without depending on anything like digital identity. Its absence will certainly have a huge destructive impact,
Our observation can be summarized as follows.
- Our descendants would be deprived of the necessary level of security where the digital identity platform were built without the secret credentials made from our memory, say, what we remember as the likes of passwords.
- Our descendants would experience erosions of the democracy our ancestors have won through heavy sacrifices where the secret credentials, for which our will/volition is indispensable, are removed from the digital identity platform.
On this front we are less optimistic; too few people are taking the correct course towards the correct objectives. Too many people, with professionals, researchers, politicians and journalists included, are badly distracted and straying off the course.
We are certain that quite a few professionals of security and identity management are well aware of these facts but something prevents them from speaking out, perhaps in view of the huge weights of the vested interests. Once they had sold those powerless solutions and recommendations to millions of clients, it might well be just embarrassing to talk the opposite.
We are being driven by the acute notion that we might well be one of the very few who are willing to freely discuss the digital identity issue with respect to democracy, i.e., the role that the valid digital identity will play for sustaining security and democracy in the cyber age.
We would appreciate your participation and support.
President, Mnemonic Security, Inc.
Profile: Advocate of ‘Identity Assurance by Our Own Volition and Memory’, Hitoshi Kokumai is the inventor of Expanded Password System that enables people to make use of episodic image memories for intuitive and secure identity authentication. He has kept raising the issue of wrong usage of biometrics and the false sense of security it brings for 17 years. Mnemonic Security Inc. was founded in 2001 by Hitoshi Kokumai for promoting Expanded Password System. Following the pilotscale operations in Japan, it is seeking to set up the global headquarters.
Appendix – Excerpt from ‘Quantitative Examination of Multiple Authenticator Deployment’
Vulnerability (attack surface) of an authenticator is generally presented as a figure between 0 and 1. The larger the figure is, the larger the attack surface is, i.e., the more vulnerable. Assume, for instance, as just a thought experiment, that the vulnerability of the PKI-enabled token (x) be 1/10,000 and that of the password (y) be 10 times more vulnerable, say. 1/1,000. When the two are deployed in ‘multi-layer’ method, the total vulnerability (attack surface) is the product of the two, say, (x) and (y) multiplied. The figure of 1/10,000,000 means it is 1,000 times more secure than (x) alone.
On the other hand, when the two authenticators are deployed in ‘multi-entrance’ method, the total vulnerability (attack surface) is obtained by (x) + (y) – (xy), approximately 0.0011. It is about 11 times less secure than (x) alone.
So long as the figures are below 1, whatever figures are given to (x) and (y), deployment of 2 authenticators in ‘multi-layer’ method brings higher security while ‘multi-entrance’ deployment brings lower security. As such ‘multi-layer’ and ‘multi-entrance’ must be distinctly separated when talking about security effects of multiple authenticators.
The same calculation applies to biometrics used in cyber space where it has to rely on a fallback password/PIN deployed in ‘multi-entrance’ method against false rejection. You might assume that biometrics deployed with a password/PIN in ‘multi-layer’ method should bring us a very high security. But, very sadly, this scenario never comes true. When rejected by biometrics, what can we do? We will only see that we are unable to login even if we can feed our password/PIN.