This is a slide with script presented at Conference On Cyber Security In Financial Institutions by Banking Association of Central and East Europe on 24th February 2023 - https://baceeconference.com/cyber-security-conference/
The issues mentioned on P19 are discussed here - "More Issues on Digital Identity"
https://www.slideshare.net/HitoshiKokumai/more-issues-on-digital-identity-24feb2023
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Fend Off Cyberattacks with Citizens’ Non-Volatile Episodic Memory
1. Fend Off Cyberattacks with Citizens’
Non-Volatile Episodic Memory
with the values of democracy
24th February, 2023
Hitoshi Kokumai, Chief Architect
Mnemonic Identity Solutions Limited
90-second introductory video
I’m Hitoshi Kokumai, Founder and Chief Architect at Mnemonic Identity Solutions
Limited (MIS), set up in August 2020 in the United Kingdom. I have been advocating the
principle of ‘Identity Assurance by Citizens’ Own Volition and Memory’ since 2001.
We have a 20-year-long pre-history of technology development, product making and
commercial implementations with some 1 million dollars in sales. Our champion use case
is the Japanese Army, which has deployed our solution on field vehicles since 2013. They
will continue to use it for at least 10 more years.
At MIS we are going to help global citizens fend off cybercrime by their non-volatile
long-term memory, with the values of democracy.
Let me present a 90-second introductory video on our solution that we call Expanded
Password System - https://youtu.be/T1nrAlmytWE
2. From ‘Password Fatigue’
to ‘Fatigue-free Password’
Passwords are hard to manage and yet absolutely necessary
Identity theft and security breaches are proliferating
Critical problem requiring valid and practical solutions
There could be two approaches to cope with the problem of Password Fatigue.
One is to throw away the password altogether, and give up the valuable security
somehow provided by the password. This is what ‘passwordless’ and ‘biometrics’
authentication schemes are supposed to be achieving, well, to the delight of criminals.
Moreover, democracy would be lost where the password that we feed volitionally was
lost. When authentication happens without our knowledge or against our will, it’s a
1984-like Dystopia.
Another is to promote ‘Fatigue-free’ Password System. This is what we are achieving
with Expanded Password System powered by citizens’ non-volatile episodic memory.
Say, from 'Password Fatigue' to 'Fatigue-free Password'
3. Basics of Authentication Factors
Let us first go through the basics of authentication factors.
‘Yes or No’ on feeding correct passwords and ‘Yes or No’ on presenting correct tokens
are deterministic, whereas biometrics which measures unpredictably variable body
features of living animals in ever changing environments is probabilistic.
It’s practically impossible to compare the security of a strong or very weak password
with that of a poorly or very wisely deployed physical token even though both
passwords and tokens are deterministic.
Deterministic authenticators can be used on their own, whereas a probabilistic
authenticator would lose its availability when used on its own. Direct comparison of
something deterministic and something probabilistic would absolutely bring us
nowhere.
Deterministic authenticators can be used together in a security-enhancing ‘multi-layer’
deployment, whereas probabilistic authenticators can be used with another
authenticator only in a security-lowering ‘multi-entrance’ deployment unless we can
forget the availability as illustrated here.
Password, token and biometrics are ‘authenticators’, while multi-factor schemes,
distributed digital identity, single-sign-on schemes and password management tools
are all ‘deployment of authenticators’; we would obtain nothing by comparing the
former with the latter.
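The ‘multi-layer’ versus ‘multi-entrance’ distinction above can be worked through numerically. The following is an added example, not part of the original slides; the error rates are constructed for illustration and failures of the two authenticators are assumed to be independent.

```python
from dataclasses import dataclass
from math import prod
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Authenticator:
    name: str
    false_accept: float  # chance an impostor gets through this authenticator
    false_reject: float  # chance the legitimate user is turned away


def multi_layer(auths: Sequence[Authenticator]) -> Tuple[float, float]:
    """AND deployment: every authenticator must say yes."""
    far = prod(a.false_accept for a in auths)
    frr = 1 - prod(1 - a.false_reject for a in auths)
    return far, frr


def multi_entrance(auths: Sequence[Authenticator]) -> Tuple[float, float]:
    """OR deployment: any one authenticator saying yes is enough."""
    far = 1 - prod(1 - a.false_accept for a in auths)
    frr = prod(a.false_reject for a in auths)
    return far, frr


def compare(password: Authenticator, biometric: Authenticator) -> Dict[str, Tuple[float, float]]:
    """(impostor acceptance, user lockout) for the three deployments."""
    return {
        "password alone": (password.false_accept, password.false_reject),
        "multi-layer (password AND biometric)": multi_layer([password, biometric]),
        "multi-entrance (biometric OR fallback password)": multi_entrance([password, biometric]),
    }


# Constructed rates for illustration only; independence of failures is assumed.
PASSWORD = Authenticator("password", false_accept=1e-6, false_reject=0.01)
BIOMETRIC = Authenticator("biometric", false_accept=1e-4, false_reject=0.03)

if __name__ == "__main__":
    for deployment, (far, frr) in compare(PASSWORD, BIOMETRIC).items():
        print(f"{deployment:48s} impostor={far:.3e} lockout={frr:.3e}")
```

With these figures the multi-entrance deployment accepts impostors more often than the password alone, while the multi-layer deployment locks the legitimate user out more often than either authenticator alone, which is the availability cost the slide refers to.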
4. What’s New?
The idea of using pictures has been around for two
decades.
New is encouraging people to make use of citizens’
non-volatile episodic image memories.
The idea of using pictures for authentication is not new. It’s been around for well
more than two decades, but the simple forms of picture passwords were not as useful
as had been expected. UNKNOWN pictures we manage to remember afresh are still
easy to forget and confuse.
Expanded Password System is new in that it offers a choice to make use of KNOWN
images that are associated with our personal experiences, as you saw earlier in the
introductory video.
5. Since the images of episodic memory are not only Non-Volatile but also are the least
subject to INTERFERENCE of MEMORY,
6. it enables us to manage dozens of unique strong passwords without reusing the same
password across many accounts or carrying around a memo or storage with passwords
on it.
The key logic is, simply, “There are several known images in the grid. I can easily find all
of them right away. Only I can select all of them correctly.”
Furthermore, watching memorable images makes us feel pleasant, relaxed and even
healed. What about seeing the pictures of comfortable places where you had nice
experiences with your family at each login?
7. "Memory of past episodes provides a sense
of personal identity - the sense that I am the
same person as someone in the past"
Source: Memory and the Sense of Personal Identity. Mind, 121(483), 677-702.
http://www.jstor.org/stable/23321780
Episodic Memory and Personal Identity
The role that our episodic memory plays for our sense of personal identity is now
broadly known, for instance,
"Memory of past episodes provides a sense of personal identity - the sense that I am
the same person as someone in the past"
Episodic memories of citizens are now collectively playing a critical role in building a
solid and sustainable identity assurance platform.
8. Broader Choice
If only text and # are OK, it’s a steep climb …
Think of all those ladders you have to climb in Donkey Kong ;-)
【Text Mode】 to memorize text/number passwords (3UVB9KUW): recall the remembered password. Low memory ceiling.
+ 【Graphics Mode】 to lighten the load of text passwords: recognize the pictures remembered in stories. High memory ceiling.
+ 【Original Picture Mode】 to make use of memorized images: recognize the unforgettable pictures of episodic memories. Very high memory ceiling.
Shall we have a bit closer look at what it offers?
With Expanded Password System, we could imagine a situation that escalators and
elevators are provided along with the staircase.
We could opt to continue to recall the remembered text passwords, although the
memory ceiling is very low.
We could opt to recognize the pictures remembered in stories. We would be able to
manage more and more of them.
Where we choose to make use of episodic image memory, we would be able to
manage as many passwords as we like without any extra efforts.
9. Relation of Accounts & Passwords
Account A, Account B, Account C, Account D, Account E, F, G, H, I, J, K, L ...
Unique matrices of images allocated to different accounts.
At a glance you will immediately realize what images you
should pick up as your passwords for this or that account.
Being able to recall strong passwords is one thing. Being able to recall the relation
between accounts and the corresponding passwords is another.
When unique matrices of images are allocated to different accounts, those unique
image matrices will be telling you what images you should pick up as your password
for this or that account.
Expanded Password System will thus free us from the burden of managing the relation
between accounts and the corresponding passwords.
10. Isn’t Episodic Memory Malleable?
We know that episodic memories can change easily.
… But that doesn’t matter for authentication. It could even help.
It’s known that episodic memories are easily changeable.
From confidentiality’s point of view, it could be even better than objectively factual
memories since no clues are given to attackers.
11. What about Entropy
‘CBA123’ IS ABSURDLY WEAK.
WHAT IF ‘C’ AS AN IMAGE GETS PRESENTED BY SOMETHING LIKE ‘X4S&EI0W’?
WHAT IF ‘X4S&EIWDOEX7RVB%9UB3MJVKEIXE94AN2KDGHQDPGPE#IDGHEI’ INSTEAD OF ‘CBA123’ GETS HASHED?
Generally speaking, hard-to-break passwords are hard-to-remember. But it’s not the
fate of what we remember.
It would be easily possible to safely manage many high-entropy passwords with
Expanded Password System, which handles characters as images as you see here.
If started from the whole image data, the overall entropy could easily exceed millions
of bits.
By the way, threats of ‘visual-manual attacks on display’ are very different to
‘automated brute force attacks’ on the data server.
A figure of ‘20 bits’ (say, a million attempts), for instance, would be just a bad joke
against automated attacks, whereas it would make a pretty tall wall against
visual-manual attacks on display.
12. Huge Improvement
• Password fatigue alleviated for all
• Better security for password-managers and SSO services
• Even better security for multi-factor authentications
• Less vulnerable security for biometric products
Backward-Compatible
• Nothing lost for users who wish to keep using text passwords
Enjoyable Login
• Get the images in your matrix registered. It’s easy and joyful.
What to Gain
People who enjoy handling images will gain both better security and better
convenience. The only extra effort required is to get the images registered; people
already do that across social media platforms and apparently love it.
Then, huge improvement as shown here.
13. Typical Use Case
Japan’s Army adopted our product for accepting ‘Panic-Proof’ and yet ‘Hard-to-Break’ credentials.
Japan Ground Self-Defense Force, aka, Army is using Expanded Password System for
authentication of the personnel who handle the encrypted data exchange between
commanders and field communications vehicles since 2013.
Some 460 licenses were offered to field communications vehicles. With each vehicle
shared by multiple soldiers, the number of people who use our solution is now
supposed to be in the many thousands.
The number of licenses increased more than 10-fold over the 10-year period of use
from 2013. And, the client tells us that it will stay in use for at least 10 more years. We
humbly assume that they are well satisfied with our solution.
14. Client Software for Device Login, Applications Login, Image-to-Code Conversion
Server Software for Online-Access, 2-Factor Scheme, Open ID Compatible
Data Encryption Software with on-the-fly key generation
Single & Distributed Authority
Unlimited Use Cases
Applications of Expanded Password System will be found wherever people have been
dependent on text passwords and numerical PINs,
and wherever people need some means of identity authentication, even if we still do
not know what it will be.
15. Launching Global Operation
Following experimental successes in Japan, we set up our global
headquarters as Mnemonic Identity Solutions Limited (MIS)
in United Kingdom in August 2020 -
https://www.mnemonicidentitysolutions.com/
With the sales of some 1 million dollars and a successful adoption by Japan’s military in
2013 at a preceding Japanese entity named Mnemonic Security, Inc., we came to
realise that it will not be in Japan but the global market that decides the future of our
endeavour.
We set up Mnemonic Identity Solutions Limited with British colleagues in UK in 2020
for launching the global operations.
16. First Global Project
“Mnemonic Gateways”
Leak-proof Password Manager with No Password Vault
powered by citizens’
non-volatile episodic
image memory
90-second demonstration video
What if we come up with a password manager powered by citizens’ non-volatile
episodic memory?
It’s ‘leak-proof’; the passwords, which are generated and re-generated on-the-fly by
our image-to-code converter from users' hard-to-forget episodic image memory, will be
deleted from the software when it’s shut down.
The merits of episodic image memory make it possible to do without the likes of a
password vault. It also enables citizens to handle multiple password managing modules
with multiple unique sets of images; it helps us avoid creating a single point of failure.
Please watch a 90-second demonstration video - https://youtu.be/0nNIU4uYl94
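The two ideas above, a small on-display selection space (the ‘20 bits’ of slide 11) feeding a long code that is regenerated on the fly instead of being kept in a vault, can be sketched as follows. This is an added example, not the Mnemonic Gateways implementation: the SHA-256 image-to-code step, the PBKDF2 parameters, the salt format and the 6x6 matrix of image bytes are all assumptions constructed for illustration.

```python
import base64
import hashlib
import math
from typing import Sequence

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def selection_bits(grid_size: int, picks: int, ordered: bool = True) -> float:
    """Bits of entropy in choosing `picks` distinct images from a grid."""
    count = math.perm(grid_size, picks) if ordered else math.comb(grid_size, picks)
    return math.log2(count)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every selection at a given guess rate."""
    return 2 ** bits / guesses_per_second


def image_code(image: bytes) -> bytes:
    """Assumed image-to-code step: a 256-bit code derived from the image data."""
    return hashlib.sha256(image).digest()


def derive_password(selected: Sequence[bytes], account: str, length: int = 32) -> str:
    """Regenerate an account password from the ordered image selection.

    Nothing is stored: the same images in the same order give the same
    password, so it can be discarded when the program exits.
    """
    material = b"".join(image_code(img) for img in selected)
    salt = b"example-salt:" + account.encode("utf-8")  # hypothetical per-account salt
    raw = hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS, dklen=length)
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


# Constructed stand-ins for a 6x6 matrix of registered images.
GRID = [f"constructed-image-{i:02d}".encode() * 64 for i in range(36)]
SECRET_PICKS = [GRID[5], GRID[17], GRID[2], GRID[30]]

if __name__ == "__main__":
    bits = selection_bits(len(GRID), len(SECRET_PICKS))
    print(f"on-display selection space: {bits:.2f} bits")
    print(f"manual, 1 guess / 5 s : {seconds_to_exhaust(bits, 0.2) / 86400:.0f} days")
    print(f"automated, 1e9 guesses/s: {seconds_to_exhaust(bits, 1e9) * 1000:.2f} ms")
    print("password for Account A:", derive_password(SECRET_PICKS, "Account A"))
```

The derived password is only as hard to guess as the image matrix is private: anyone holding the matrix faces the roughly 20-bit selection space, so attempt limiting on the device still matters.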
17. Mnemonic Gateways makes the first product for our global operations. We will expect
the revenue from the sales of high-security versions for tens of millions of professional
users, while offering a standard version to billions of global consumers at no cost.
It’s now on the way towards Beta release. We expect to make the formal
announcement in the very near future.
18. Goal
Make Expanded Password System solutions readily available
to all the global citizens –
rich and poor, young and old, healthy and disabled, literate and illiterate,
in peace and in disaster –
over many generations until humans discover something other than
'digital identity' for safe and orderly societal life.
Our mission is
to make Expanded Password System solutions readily available to all the global citizens
–
rich and poor, young and old, healthy and disabled, literate and illiterate, in peace and
in disaster –
over many generations until humans come up with something other than 'digital
identity' for safe and orderly societal life.
19. More Issues on Digital Identity
I would have taken up these issues as well if I had another 20 minutes -
- Phishing Deterrence
- Cryptography and Digital Identity
- AI and Quantum-Computing
- Login under Duress
- 2-Channel Expanded Password System
- Secure Brain-Machine-Interface
- Security-Destructive Passwordless schemes
- Misused Biometrics
- Stopgap Hybrid Text Password
- Dementia and Identity
20. There exists a secure and yet stress-free means of
democracy-compatible identity authentication.
That is Expanded Password System
Thank You for Your Time
Hitoshi Kokumai
Founder & Chief Architect
Mnemonic Identity Solutions Limited
Profile https://www.linkedin.com/in/hitoshikokumai/
hitoshi.kokumai@mnemonicidentitysolutions.com
kokumai@mneme.co.jp
24th February 2022
Mnemonic Identity Solutions Limited
As such, there exists a secure and yet stress-free means of democracy-compatible
identity authentication. That is Expanded Password System.
Thank you very much for your time.