Passwords are said to be too vulnerable to theft and too hard to manage. Many people sound as if the password were an enemy of people. Some people even allege that removal of the password would improve the security of digital identity. Let us examine how valid such views are.
More information at https://www.mnemonicidentitysolutions.com/
Bring healthy second life to legacy password system
1. Slide 1
Bring Healthy Second Life to
Legacy Password System
Identity Assurance by Our Own Volition and Memory
Mnemonic Identity Solutions Limited
United Kingdom/Japan
15 August, 2021
2. Slide 2
Problem - Password Predicament
Secret credentials are indispensable for identity assurance,
whereas passwords are hard to manage.
By the way, the word ‘Password’ is interpreted in two ways in different contexts.
In some cases, it narrowly means the conventional ‘text password’.
In other cases, it broadly means the whole family of ‘secret credentials’.
I use the latter interpretation here, that is, the whole family of secret credentials.
3. Slide 3
What if Password is Removed?
Our Answer –
Password-less Security is to Cyber Security what Army-less
Defence is to National Defence
Or such a PIN-less ATM as
“The army is so vulnerable to air attack. What is vulnerable to attack is detrimental to
our defence. Therefore, we must remove the army so that we will have a stronger
national defence.”
Hearing me say the above, you might well think I am making a bad joke, since this
proposition sounds too insane. I am, however, dead serious.
The army-less defence should be viewed as just as valid as the case made by people who believe in the merit of
‘password-less authentication’, alleging: “The password is so vulnerable to theft. What
is vulnerable is detrimental. Therefore, we need to remove the password so that we will have stronger identity
security.”
Well, in many of the password-removed authentication schemes, biometrics is
supposed to play a big role.
Let us examine next whether and how it can displace the password.
4. Slide 4
What if Password is Displaced by Biometrics?
Our Answer–
Biometrics is to Password what Back Door is to Front Door
Most, if not all, user devices come with a password or PIN code authentication as the default login
function. Most, if not all, user devices that come with a biometric login accept the login by
biometrics as well as the login by the default password. Let me try to make the relation between
biometrics and the ‘default password’ clearer with the picture of a house with a front door of
deterministic password login, to which a back door of probabilistic biometric login has been added as
another entrance.
Residents are required to use the seemingly convenient back door as the first choice for entry, until
they get falsely rejected there by the probabilistic biometrics. The residents rejected at the back door
are then required to try the front door of deterministic password login. Legitimate residents with
the correct memory are expected to be accepted deterministically.
If the one-door house was not secure enough in the first place, the two-door house is made even
less secure. Bad guys, who are now given the chance to break the back door as well as the front door,
enjoy an increased attack surface, i.e., a lowered defence. We have thus confirmed that the
view that biometrics contributes to identity security is a falsity.
Incidentally, what ‘being probabilistic’ means is that it cannot escape the trade-off between False
Acceptance (false positive/false match) and False Rejection (false negative/false non-match) and
therefore it cannot be used on its own without sacrificing the availability, whereas ‘being
deterministic’ means that it can be used on its own.
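The two-door argument can be written down as a small probability model. The Python below is an added example, not part of the presentation: it treats the biometric back door and the password front door as two independent acceptance paths, where a rejection at the first lets the person try the second, and compares impostor acceptance and legitimate-user acceptance with and without the back door. The false acceptance rate, false rejection rate, per-attempt password guess rate and recall rate used at the bottom are constructed illustrative inputs.

```python
# Added example, not from the presentation: a small probability model of the
# front-door / back-door argument. A login accepts the person if the first door
# accepts them, or, after a rejection there, the second door accepts them.
# All rates below are constructed illustrative inputs, and the two doors are
# assumed independent.


def or_combined(p_first: float, p_second: float) -> float:
    """Acceptance probability when rejection at the first door allows a try
    at the second door: P(first) + P(not first) * P(second)."""
    return p_first + (1.0 - p_first) * p_second


def impostor_acceptance(far: float, p_guess: float) -> float:
    """Impostor gets in if the biometric falsely matches (FAR), or, after a
    non-match, the fallback password guess succeeds (p_guess per attempt)."""
    return or_combined(far, p_guess)


def legitimate_acceptance(frr: float, p_recall: float) -> float:
    """Legitimate user gets in if the biometric matches (1 - FRR), or, after a
    false rejection, recalls the password (p_recall)."""
    return or_combined(1.0 - frr, p_recall)


def backdoor_surface_increase(far: float, p_guess: float) -> float:
    """Ratio of impostor acceptance with the back door to the front door alone.
    Always >= 1: adding an accepting path can only widen the attack surface."""
    return impostor_acceptance(far, p_guess) / p_guess


def biometric_only_availability(frr: float) -> float:
    """Why a probabilistic check cannot stand alone: without a fallback, every
    false rejection locks out a legitimate user."""
    return 1.0 - frr


if __name__ == "__main__":
    far, frr = 0.001, 0.05          # constructed biometric error rates
    p_guess, p_recall = 1e-6, 0.99  # constructed password guess / recall rates
    print(f"front door only : impostor {p_guess:.2e}, user {p_recall:.3f}")
    print(f"with back door  : impostor {impostor_acceptance(far, p_guess):.2e}, "
          f"user {legitimate_acceptance(frr, p_recall):.4f}")
    print(f"attack surface x{backdoor_surface_increase(far, p_guess):.0f}")
    print(f"biometric alone : user {biometric_only_availability(frr):.3f}")
```

The model makes the slide's two claims explicit: impostor acceptance with the back door is never lower than with the front door alone, and the biometric-only case loses availability equal to its false rejection rate, which is exactly the gap the password fallback has to fill.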
5. Slide 5
’Non-Text’ Secret Credential
Now we have come to confirm that removing the password would only make the matter
worse. Can we only despair?
The secret credential (A) is made of the text credential (B) and the non-text credential
(Non-B). The relations among the 3 elements are illustrated here.
It is really a no-brainer question, unless we are so reckless as to assume that a safe and
orderly societal life can exist without the solid identity assurance made possible by a
solid secret credential.
6. Slide 6
Solution
Well, we propose that we can make use of our autobiographic memory, especially
episodic memory that is coloured in joyful, healing and heartening emotion from our
pleasant experience.
The identity authentication by pleasant episodic image memory also enables us to
(1) recognise dozens of different secret credentials effortlessly
(2) manage the correspondence between the accounts and the passwords
(3) re-generate cryptographic keys on-the-fly
(4) provide a solid defence against advanced persistent threats
7. Slide 7
Theory - Science of Human Memory
With emotion-colored episodic image memory,
‘Hard-to-forget’ secret credentials are easily achievable
‘Easy-to-Remember’ is one thing. ‘Hard-to-Forget’ is another. The observation that
images are easy to remember has been known for many decades; it is not what we
wish to talk about.
What we discuss is that ‘images of our emotion-coloured episodic memory’ are ‘Hard to
Forget’ to the extent that they are ‘Panic-Proof’.
Images of toys, dolls, dogs and cats, for example, that our children used to love for
years would jump into our eye even when we are placed under heavy pressure and caught
in severe panic. They never fail to bring us joy and comfort.
The login can now be joyful, healing and heartening with Expanded Password System
(EPS) that enables us to use our pleasant episodic image memory that had been
acquired decades ago and solidly inscribed deep in our brain.
8. Slide 8
Wide choice of secret credentials
We are free to continue to use the remembered passwords as before, although the
memory ceiling is very low.
Most of us can manage only up to several of them.
We could opt to recognize pictures remembered in stories where we want to reduce
the burden of textual passwords.
The memory ceiling is high, that is, we would be able to manage more and more of
them.
Where we opt to make use of episodic image memory, we would only need to recognize
the known and hard-to-forget images.
There is virtually no memory ceiling, that is, we would be able to manage as many
passwords as we like, without any extra efforts.
9. Slide 9
Being able to recall strong passwords is one thing. Being able to recall the
correspondence between accounts and passwords is another.
When different sets of images are allocated to different accounts, those unique image
matrices will tell you which images you should pick as your credential for this
or that account.
When using hard-to-forget images of our episodic memories, EPS will free us from the
burden of managing the relation between accounts and the corresponding passwords.
10. Slide 10
Bring a healthy second life to
legacy password systems
We do not have to replace or rebuild the existing text password systems for making use
of episodic memory; images of our episodic memory can be turned into a high-entropy
code with a simple tweak.
All that we need to do is ensure that our legacy password system accepts very long
passwords, desirably hundreds of characters, for obtaining very high-entropy hashed
values that can stand fierce brute force attacks.
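Slides 9 and 10 together describe an account-specific image matrix whose recognised images are turned into a long string for an unchanged legacy password hash. The Python below is an added example, not the Expanded Password System's own code, showing one possible construction: a per-account arrangement of a constructed image pool, expansion of the ordered selection into a string of several hundred characters, the combinatorial entropy that the selection actually carries, and a PBKDF2 stand-in for the legacy hash. The image names, the 5x5 layout, the server-side seed, the salt and the iteration count are all assumptions.

```python
import hashlib
import hmac
import math
import random

# Added example, not the Expanded Password System's own code. It shows one way (an
# assumption) that an ordered selection of images from an account-specific image
# matrix can be expanded into a long string for an unchanged legacy password hash,
# and how much entropy the selection itself carries. Image names, matrix layout,
# the salt and the KDF parameters are all constructed for illustration.

# Constructed image pool: 25 identifiers for a 5x5 matrix.
IMAGE_POOL = [f"img{n:02d}" for n in range(25)]
PICKS = 6                     # images the user recognises, in order
PBKDF2_ITERATIONS = 100_000   # assumption; use your deployment's own setting


def per_account_matrix(account_id: str, server_seed: bytes) -> list[str]:
    """Arrange the image pool differently for each account, so the matrix itself
    tells the user which images belong to which account. The arrangement is
    derived from a server-side seed (assumption) so it is stable per account."""
    key = hmac.new(server_seed, account_id.encode(), "sha256").digest()
    rng = random.Random(int.from_bytes(key, "big"))
    matrix = list(IMAGE_POOL)
    rng.shuffle(matrix)
    return matrix


def selection_to_secret(account_id: str, chosen: list[str]) -> str:
    """Expand the ordered selection into a string hundreds of characters long,
    which a legacy system that accepts long passwords can hash as-is.
    The expansion suits the legacy interface; it adds no entropy of its own."""
    parts = [
        hashlib.sha256(f"{account_id}:{position}:{image}".encode()).hexdigest()
        for position, image in enumerate(chosen)
    ]
    return "|".join(parts)      # 6 * 64 hex chars + 5 separators = 389 characters


def selection_entropy_bits(pool_size: int, picks: int, ordered: bool = True) -> float:
    """Brute-force bound on the selection: log2 of the number of possible choices.
    This, not the length of the expanded string, is what an attacker who knows
    the scheme has to search."""
    choices = math.perm(pool_size, picks) if ordered else math.comb(pool_size, picks)
    return math.log2(choices)


def legacy_hash(secret: str, salt: bytes) -> bytes:
    """Stand-in for the unchanged legacy password hash (assumed PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def verify(stored: bytes, salt: bytes, account_id: str, chosen: list[str]) -> bool:
    """Constant-time comparison of a fresh attempt against the stored hash."""
    attempt = legacy_hash(selection_to_secret(account_id, chosen), salt)
    return hmac.compare_digest(stored, attempt)


if __name__ == "__main__":
    seed = b"constructed-server-seed"
    account = "alice@example.com"            # constructed account identifier
    matrix = per_account_matrix(account, seed)
    chosen = matrix[:PICKS]                  # stand-in for the user's recognised images
    secret = selection_to_secret(account, chosen)
    salt = b"constructed-salt"
    stored = legacy_hash(secret, salt)
    print(len(secret), "characters sent to the legacy hash")
    print(f"{selection_entropy_bits(len(IMAGE_POOL), PICKS):.1f} bits of actual selection entropy")
    print("verified:", verify(stored, salt, account, chosen))
```

Two checks before relying on this against a real legacy system. First, confirm the input limit of the hash actually in use: bcrypt, for instance, only uses the first 72 bytes of the password, so a 389-character string would be silently truncated and, in this construction, only the first image would still count. Second, size the matrix and the number of picks so that `selection_entropy_bits` meets the brute-force target; with 6 ordered picks from 25 images it is about 27 bits, and the long expanded string only stops an attacker who does not know the image scheme.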
11. Slide 11
Use Cases
Consumers – 140,000 online shoppers enjoyed frictionless login from 2004 to 2008
Corporations – 1,200 people enjoying secure login by 2-channel authentication since 2014
Military – ‘Panic-proof’ field use at Japan’s Ground Self-Defense Force (Army)
Now I would like to talk about who adopted EPS, and for what.
A telecom company that built a payment system designed for a million online shoppers
adopted EPS for accepting ‘Hard-to-Forget’ and yet ‘Hard-to-Break’ credentials and
for reducing the helpdesk cost drastically. Actually, 140,000 online shoppers enjoyed the
frictionless login for 5 years.
An IT corporation that built a security-conscious corporate network adopted EPS
deployed in a 2-channel/2-factor scheme for accepting ‘Very Hard-to-Break’ and yet
‘Hard-to-Forget’ credentials. 1,200 employees have long enjoyed the good balance of
security and usability.
Japan’s Ground Self-Defense Force, i.e., its army, adopted our solution for accepting
‘Panic-Proof’ and yet ‘Hard-to-Break’ credentials. The number of licenses has
increased more than 10-fold over the 8-year period from 2013 and is set to increase
further.
12. Slide 12
Mission
Make Expanded Password System solutions readily available to
all the global citizens –
rich and poor, young and old, healthy and disabled, literate and
illiterate, in peace and in disaster –
over many generations until humans discover something other
than 'digital identity' for our safe and orderly societal life.
Our mission is to make -----
13. Slide 13
Another Mission
For global citizens to enjoy a safer identity assurance,
we need to debunk wide-spread misperceptions such as
“indispensable passwords be removed altogether”
and
“passwords be displaced by password-dependent biometrics”
We have another big mission ---
14. Slide 14
Who We Are
Mnemonic Identity Solutions Limited was
founded in the UK in August 2020 by Hitoshi
Kokumai (left), who invented Expanded
Password System in 2000 in Japan.
Now launching the global operations from UK.
With the core concept invented in early 2000, we launched the business operation in
late 2001 under the name of Mnemonic Security, Inc., which was the world’s first
company to provide software products that offer ‘Hard-to-Forget’, ‘Hard-to-Break’
and ‘Panic-Proof’ digital identity authentication.
We registered Mnemonic Identity Solutions Limited in the UK in August 2020 as the global
headquarters, with the mission of globally promoting ‘identity assurance by our own
volition and memory’ for ‘secure digital identity in post-pandemic cyberspace’.
Once the Covid pandemic subsides in UK and Japan, we will resume the active pursuit
of the global objective.
Thank you for your time.