Identity Assurance by Our Own Volition and Memory
The safety of our cyber life depends on identity assurance, which in turn relies on remembered passwords.
Hitoshi Kokumai
President, Mnemonic Security, Inc.
kokumai@mneme.co.jp
Enabling Self-Sovereign Identity
13/Nov/2018
Our identity as a human being is made of our autobiographic memory.
The problem: passwords could work – but they need help
Passwords are hard to manage, and yet absolutely necessary.
Identity theft and security breaches are proliferating: a critical problem requiring urgent practical solutions.
Expanded Password System
There are several known pictures in the matrix. I can easily find all of them right away. Only I can select all of them correctly.
Broader choices: images AND characters.
Torturous login is history. Login is now comfortable, relaxing and healing, and even fun.
Easy to manage relations between accounts and corresponding passwords.
A Fun Way to Enhance Your Passwords
A fun first step
• Get the images in your password matrix registered. It’s easy.
Huge Improvement
• Password fatigue alleviated for all
• Better security for password-managers and SSO services
• Even better security for two/multi-factor authentications
• Less vulnerable security for biometric products
Backward-Compatible
• Nothing lost for users who wish to keep using text passwords.
We Need a Broader Choice
If only text and # are OK, it’s a steep climb … Think of all those ladders you have to climb in Donkey Kong ;-)
【Text Mode】 Recall the remembered password (e.g. 3UVB9KUW): to memorize text/number passwords. Low memory ceiling.
+ 【Graphics Mode】 Recognize the pictures remembered in stories: to lighten the load of text passwords. High memory ceiling.
+ 【Original Picture Mode】 Recognize the unforgettable pictures of episodic memories: to make use of memorized images. Very high memory ceiling.
Volition and Memory
(1) Volition of the User – with Self-Determination
(2) Practicability of the Means – for Use by Homo sapiens
(3) Confidentiality of the Credentials – by ‘Secret’ as against ‘Unique’
What’s New?
The idea of using pictures has been around for two decades. What is new is encouraging people to make use of episodic image memories.
80-second video (YouTube)
Keyword – Smallest Interference of Memory
Isn’t Episodic Memory Changeable?
We know that episodic memories can change easily. … But that doesn’t matter for authentication. It could even help.
What about Entropy?
A password like ‘CBA123’ is absurdly weak. What if ‘C’ as an image gets presented by something like ‘X4S&EI0W’? What if ‘X4S&EIWDOEX7RVB%9UB3MJVK’ instead of ‘CBA123’ gets hashed?
Relation of Accounts & Passwords
Account A, Account B, Account C, Account D, Account E, F, G, H, I, J, K, L -----------
• Unique matrices of images allocated to different accounts.
• At a glance you will immediately realize what images you should pick up as your passwords for this or that account.
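Worked example, added here and not part of the deck or of Mnemonic Security’s own software: the image-to-code conversion behind the entropy argument of the previous slide, applied to one constructed per-account matrix (‘Account A’) as on this slide. The function names, the 8-character code per image, the 5x5 matrix, the ordered selection of three images and the use of PBKDF2 are all assumptions; the effective-entropy check is the caveat a practitioner would want, since an attacker who has obtained the code table is bounded by the number of image selections, not by the length of the hashed string.

```python
"""Added example (not the deck's own code): image-to-code conversion and entropy.

Assumed design: each image in an account's matrix gets a random 8-character
code at registration; the user's ordered selection of images is converted to
the concatenation of those codes, and only that long string is hashed. The
nominal entropy of the hashed string is compared with the effective entropy of
the image selection, which bounds an attacker who holds the code table.
"""
import hashlib
import hmac
import math
import random
import secrets
import string

CODE_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
CODE_LENGTH = 8            # like the deck's 'X4S&EI0W'
PBKDF2_ROUNDS = 50_000     # kept low so the demo runs quickly; raise in production


def build_matrix(image_ids, seed=None):
    """Assign every image of one account's matrix a fresh random code.

    A seed is only for reproducible demos; real registration uses `secrets`.
    """
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    return {img: "".join(rng.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            for img in image_ids}


def images_to_code(matrix, selected_images):
    """Convert an ordered image selection into the string that actually gets hashed."""
    return "".join(matrix[img] for img in selected_images)


def register(matrix, selected_images):
    """Store only a salted, stretched hash of the converted code, never the images."""
    salt = secrets.token_bytes(16)
    code = images_to_code(matrix, selected_images).encode()
    digest = hashlib.pbkdf2_hmac("sha256", code, salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify(matrix, record, selected_images):
    """True only for the same images in the same order; unknown images never match."""
    if any(img not in matrix for img in selected_images):
        return False
    code = images_to_code(matrix, selected_images).encode()
    digest = hashlib.pbkdf2_hmac("sha256", code, record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def entropy_bits(length, alphabet_size):
    """Entropy faced by an attacker guessing a string character by character."""
    return length * math.log2(alphabet_size)


def nominal_entropy_bits(code):
    """Entropy of the converted code string drawn from CODE_ALPHABET."""
    return entropy_bits(len(code), len(CODE_ALPHABET))


def selection_entropy_bits(matrix_size, picks, ordered=True):
    """Entropy faced by an attacker who holds the code table and guesses selections."""
    space = math.perm(matrix_size, picks) if ordered else math.comb(matrix_size, picks)
    return math.log2(space)


def demo():
    """Constructed sample: a 5x5 matrix for 'Account A', three images as the password."""
    account_a = build_matrix([f"img{i:02d}" for i in range(25)], seed=2018)
    chosen = ["img07", "img19", "img02"]
    record = register(account_a, chosen)
    return {
        "accepted": verify(account_a, record, chosen),
        "wrong_order": verify(account_a, record, ["img19", "img07", "img02"]),
        "unknown_image": verify(account_a, record, ["img07", "img19", "img99"]),
        "legacy_bits": round(entropy_bits(6, 36)),          # 'CBA123' over [A-Z0-9]
        "nominal_bits": round(nominal_entropy_bits(images_to_code(account_a, chosen))),
        "selection_bits": round(selection_entropy_bits(25, 3)),
    }


if __name__ == "__main__":
    print(demo())
```

The 24-character code hashes at about 157 bits, against about 31 bits for ‘CBA123’, but three ordered picks from 25 images give only about 14 bits once the code table is known, so the table must be protected as carefully as the stored hash.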
In the Field: Identity Assurance in Emergencies
Practicable with both hands busy? In panic? With injuries? With protection gear on?
Seizure of memos, devices, tokens. Seizure of body features.
Disaster recovery: cards and tokens possessed? Biometrics practicable?
Even in severe panic, we can quickly recognize unforgettable images of episodic memories.
Competition or Opportunity
Biometrics? Passwords required as a backup means: Opportunity.
Password-managers, single-sign-on service? Passwords required as the master-password: Opportunity.
Two/multi-factor authentication? Passwords required as one of the factors: Opportunity.
Pattern-on-grid, emoji, conventional picture passwords? Deployable on our platform: Opportunity.
Client Software for Device Login, Applications Login, Image-to-Code Conversion
Server Software for Online-Access, 2-Factor Scheme, Open ID Compatible
Data Encryption Software with on-the-fly key generation
Single & Distributed Authority
Unlimited Use Cases
OASIS Open Projects
• Proposition of Expanded Password System at ‘Draft Proposal’ stage
• With 56 individual participants
• Going to secure some more participants
• Corporate members in particular
How We Position Our Proposition
We make identity authentication schemes better by leveraging the time-honored tradition of seals and autographs.
The underpinning principle of Expanded Password System will not go away so long as people want our own volition and memory to remain involved in identity authentication.
Some More Topics about Identity
• Isn’t Biometrics killing Passwords?
• Brain-Machine-Interface
• 2-Channel Expanded Password System
• Deterrence to Targeted Phishing
• No-Cost 2-Factor Authentication
Isn’t Biometrics killing Passwords?
Fact 1: Biometrics used with a fallback password brings down the security that the password has provided.
30-second video (YouTube)
Specifically, old iPhones with PINCODE only were safer than newer iPhones featuring TouchID and FaceID. What has improved is convenience, not security.
Fact 2: Biometrics dependent on a password as a fallback means cannot kill the password dead.
Fact 3: A false acceptance rate does not make sense unless it comes with the corresponding false rejection rate.
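Worked equation for Fact 1, added here and not part of the deck: let $\mathrm{FAR}$ be the biometric’s false-acceptance rate and $p$ the probability that an attacker’s attempt at the fallback password is accepted. Because the account opens if either path succeeds, the impostor-acceptance probability of the combined scheme is

$$P_{\text{combined}} = 1 - (1 - \mathrm{FAR})(1 - p) = \mathrm{FAR} + p - \mathrm{FAR}\,p \;\ge\; p,$$

so the pair is never harder to defeat than the password alone, which is what Fact 1 states. And since tuning a biometric for a lower $\mathrm{FAR}$ raises its false-rejection rate, every false rejection routes the legitimate user to that same fallback, which is why Fact 3 insists on quoting the two rates together.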
Brain-Machine-Interface
Random numbers or characters are allocated to the images. Ask the users to focus their attention on the numbers or characters given to the registered images. The monitoring system will then collect the brain-generated one-time signal corresponding to these numbers or characters.
A simple brain-monitoring is vulnerable to wiretapping.
2-Channel Expanded Password System
Conventional 2-factor authentication systems are effective only against abuse of the device/phone.
2-factor Expanded Password System enables the user to produce one-time identity authentication data, i.e., a real one-time password.
Deterrence to Targeted Phishing
Genuine or Fake? Fake or Genuine?
Though not designed against phishing attacks, wise deployment of Expanded Password System helps us deter not only indiscriminate mass phishing but also targeted phishing attacks as one of its secondary effects.
Against Mass Phishing: Where users are encouraged to create their own unique image matrices with Expanded Password System, criminals would feel discouraged because of the heavy costs of capturing and activating thousands, millions or billions of image matrices, all unique to different UserIDs.
Against Targeted/Spear Phishing: ‘2-Channel Expanded Password System’, presented on the previous page, could discourage targeted phishing because the criminals would have to place both of the two channels under their control simultaneously before starting the phishing trials. Alternatively, we can add a second step of Expanded Password System, making it ‘Selective 2-step Authentication’ for the users who opt for it, which makes criminals’ jobs extremely heavy and complicated.
Against Persistent Targeted/Spear Phishing: Criminals who persistently chase really valuable information assets could be discouraged if we deploy the 2-step EPS coupled with the 2-Channel method.
No-Cost 2-Factor Authentication
Factor 1 – Password Remembered (what we know/remember)
Factor 2 – Password Written Down or Physically Stored (what we have/possess)
Effect – A ‘boring legacy password system’ turning into a no-cost light-duty two-factor authentication system made of ‘what we know’ and ‘what we have’.
Wrap-Up
Expanded Password System, which drastically alleviates password fatigue, is supportive of
- Biometrics that require passwords as a fallback means against false rejection
- Two/multi-factor authentications that require passwords as one of the factors
- ID federations such as password managers and single-sign-on services that require passwords as the master-password
- Simple pictorial/emoji-passwords and patterns-on-grid that can all be deployed on our platform
* All with the effect that handling memorable images makes us feel pleasant and relaxed
Furthermore,
- Nothing would be lost for the people who want to keep using textual passwords
- It enables us to turn a low-entropy password into high-entropy authentication data
- It is easy to manage the relation between accounts and the corresponding passwords
- It helps deter various phishing attacks
- Last but not least, it is democracy-compatible by way of providing the chances and means to get our own volition confirmed in our identity assurance.
* It is the obligation of democratic societies to provide citizens with the choice to adopt a secure and yet stress-free identity authentication means that is practicable in any circumstances, panicky situations in emergencies in particular.
As such, there exists a secure and yet stress-free means of democracy-compatible identity authentication. That is Expanded Password System.
Thank You
Hitoshi Kokumai
President, Mnemonic Security, Inc.
kokumai@mneme.co.jp

Further Update: Identity Assurance by Our Own Volition and Memory

  • 1. Identity Assurance by Our Own Volition and Memory The safety of our cyber life depends on identity assurance which in turn relies on remembered passwords Hitoshi Kokumai President, Mnemonic Security, Inc. kokumai@mneme.co.jp Enabling Self-Sovereign Identity 13/Nov/2018 Our identity as human being is made of our autobiographic memory
  • 2. The problem: passwords could work – but they need help Passwords are Hard to manage And yet, absolutely necessary Identity theft and security breaches are proliferating A critical problem requiring urgent practical solutions 13/Nov/2018
  • 3. There are several known pictures in the matrix I can easily find all of them right away Only I can select all of them correctly Expanded Password System Broader choices: images AND characters Torturous login is history. Login is now comfortable, relaxing and healing. Easy to manage relations between accounts and corresponding passwords. There are several known pictures in the matrix I can easily find all of them right away Only I can select all of them correctly Expanded Password System Broader choices: images AND characters Torturous login is history. Login is now comfortable and even fun. Easy to manage relations between accounts and corresponding passwords. 13/Nov/2018
  • 4. A Fun Way to Enhance Your Passwords A fun first step • Get the images in your password matrix registered. It’s easy. Huge Improvement • Password fatigue alleviated for all • Better security for password-managers and SSO services • Even better security for two/multi-factor authentications • Less vulnerable security for biometric products Backward-Compatible • Nothing lost for users who wish to keep using text passwords. 13/Nov/2018
  • 5. We Need a Broader Choice If only text and # are OK It’s a steep climb … to memorize text/number passwords to lighten the load of text passwords to make use of memorized images 3UVB9KUW 【Text Mode】 【Graphics Mode】 【Original Picture Mode】 Recall the remembered password Recognize the pictures remembered in stories Recognize the unforgettable pictures of episodic memories Think of all those ladders you have to climb in Donkey Kong ;-) Low memory ceiling Very high memory ceilingHigh memory ceiling + + 13/Nov/2018
  • 6. Volition and Memory (1) Volition of the User – with Self-Determination (2) Practicability of the Means – for Use by Homo sapiens (3) Confidentiality of the Credentials – by ‘Secret’ as against ‘Unique’ 13/Nov/2018
  • 7. What’s New? The idea of using pictures has been around for two decades. New is encouraging people to make use of episodic image memories. 80-second video YouTube Keyword – Smallest Interference of Memory 13/Nov/2018
  • 8. Isn’t Episodic Memory Changeable? We know that episodic memories can change easily. … But that doesn’t matter for authentication. It could even help. 13/Nov/2018
  • 9. What about Entropy? A PASSWORD LIKE ‘CBA123’ IS ABSURDLY WEAK. WHAT IF ‘C’ AS AN IMAGE GETS PRESENTED BY SOMETHING LIKE ‘X4S&EI0W’ ? WHAT IF ‘X4S&EIWDOEX7RVB%9UB3MJVK’ INSTEAD OF ‘CBA123’ GETS HASHED? 13/Nov/2018
  • 10. Relation of Accounts & Passwords Account A Account B Account C Account D Account E, F, G, H, I, J, K, L----------- • Unique matrices of images allocated to different accounts. • At a glance you will immediately realize what images you should pick up as your passwords for this or that account. 13/Nov/2018
  • 11. In the Field Practicable with both hands busy ? In panic? With injuries? Seizure of memos, devices, tokens Seizure of body features With protection gear on? Disaster Recovery Cards and tokens possessed? Biometrics practicable? Even in severe panic, we can quickly recognize unforgettable images of episodic memories. Identity Assurance in Emergencies 13/Nov/2018
  • 12. Competition or Opportunity Biometrics? Passwords required as a backup means: Opportunity. Password-managers, single-sign-on service? Two/multi-factor authentication? Passwords required as one of the factors: Opportunity. Pattern-on-grid, emoji, conventional picture passwords? Deployable on our platform: Opportunity. Passwords required as the master-password: Opportunity. 13/Nov/2018
  • 13. Client Software for Device Login Applications Login Image-to-Code Conversion Server Software for Online-Access 2-Factor Scheme Open ID Compatible Data Encryption Software with on-the-fly key generation Single & Distributed Authority Unlimited Use Cases 13/Nov/2018
  • 14. OASIS Open Projects • Proposition of Expanded Password System at ‘Draft Proposal’ stage • With 56 individual participants • Going to secure some more participants • Corporate members in particular 13/Nov/2018
  • 15. How We Position Our Proposition We make identity authentication schemes better by leveraging the time-honored tradition of seals and autographs The underpinning principle of Expanded Password System will not go away so long as people want our own volition and memory to remain involved in identity authentication. 13/Nov/2018
  • 16. Some More Topics about Identity • Isn’t Biometrics killing Passwords? • Brain-Machine-Interface • 2-Channel Expanded Password System • Deterrence to Targeted Phishing • No-Cost 2-Factor Authentication 13/Nov/2018
  • 17. Isn’t Biometrics killing Passwords? Fact 1: Biometrics used with a fallback password brings down the security that the password has provided. 30-second Video YouTube Specifically, old iPhones with PINCODE only were safer than newer iPhones featuring TouchID and FaceID. What has improved is convenience, not security. Fact 2: Biometrics dependent on a password as a fallback means cannot kill the password dead. Fact 3: A false acceptance rate does not make sense unless it comes with the corresponding false rejection rate. 13/Nov/2018
  • 18. Brain-Machine-Interface Random numbers or characters allocated to the images. Ask the users to focus their attention on the numbers or characters given to the registered images. A simple brain-monitoring is vulnerable to wiretapping. The monitoring system will then collect the brain-generated onetime signal corresponding to these numbers or characters. 13/Nov/2018
  • 19. 13/Nov/2018 2-Channel Expanded Password System Conventional 2-factor authentication systems are effective only against abuse of the device/phone. 2-factor Expanded Password System enables the user to produce a onetime identity authentication data, i.e., a real onetime password.
  • 20. 13/Nov/2018 Deterrence to Targeted Phishing Genuine or Fake? Fake or Genuine? Though not designed against phishing attacks, wise deployment of Expanded Password System helps us deter not only indiscriminate mass phishing but also targeted phishing attacks as one of its secondary effects. Against Mass Phishing: Where users are encouraged to create their own unique image matrices with Expanded Password System, criminals would feel discouraged because of its heavy costs of capturing and activating thousands, millions or billions of image matrices all unique to different UserIDs. Against Targeted/Spear Phishing : ‘2-Channel Expanded Password System’ presented in the previous page could discourage targeted phishing because the criminals would have to place both of the two channels under their control simultaneously before starting the phishing trials. Alternatively, we can add a second step of Expanded Password System, making it 'Selective 2-step Authentication' for the users who opt for it, which makes criminals’ jobs extremely heavy and complicated. Against Persistent Targeted/Spear Phishing: Criminals who persistently chase really valuable information assets could be discouraged if we deploy the 2-step EPS coupled with the 2-Channel method.
  • 21. No-Cost 2-Factor Authentication Factor 1 – Password Remembered (what we know/remember) Factor 2 – Password Written Down or Physically Stored (what we have/possess) Effect - A ‘boring legacy password system’ turning into a no-cost light-duty two-factor authentication system made of ‘what we know’ and ‘what we have’. 13/Nov/2018
  • 22. Wrap-Up Expanded Password System that drastically alleviates the password fatigue is supportive of - Biometrics that require passwords as a fallback means against false rejection - Two/multi-factor authentications that require passwords as one of the factors - ID federations such as password managers and single-sign-on services that require passwords as the master-password -Simple pictorial/emoji-passwords and patterns-on- grid that can all be deployed on our platform * All with the effects that handling memorable images makes us feel pleasant and relaxed 13/Nov/2018 Furthermore, - Nothing would be lost for the people who want to keep using textual passwords - It enables us to turn a low-entropy password into a high-entropy authentication data - It is easy to manage the relation between accounts and the corresponding passwords - It helps deter various phishing attacks - Lastly but not the least, it is democracy-compatible by way of providing the chances and means to get our own volition confirmed in our identity assurance. * It is the obligation of democratic societies to provide citizens with the choice to adopt a secure and yet stress-free identity authentication means that is practicable in any circumstances, panicky situations in emergencies in particular .
  • 23. As such, there exists a secure and yet stress-free means of democracy-compatible identity authentication. That is Expanded Password System. Thank You Hitoshi Kokumai President, Mnemonic Security, Inc. kokumai@mneme.co.jp 13/Nov/2018

Editor's notes

  1. Hello, I am Hitoshi Kokumai, advocate of ‘Identity Assurance by Our Own Volition and Memory’. I’ve been promoting this principle for 17 years now. And this principle now forms the foundation for the emerging concept of Self-Sovereign Identity. However, this principle would be a pipe dream if it were not supported by a practicable means of identity authentication that is secure and yet stress-free, desirably giving us joy and fun.
  2. We have a big headache. Passwords are hard to manage, and yet passwords are absolutely necessary. Why? That’s because democracy would be lost where the password was lost and we were deprived of the chances and means of getting our own volition confirmed in having our identity authenticated. When authentication happens without our knowledge or against our will, it is a 1984-like dystopia. It seems that the word ‘password’ is polysemous and context-dependent. Sometimes it’s narrowly interpreted as ‘remembered text password’ and sometimes it’s taken broadly as ‘whatever we remember for authentication’. Please interpret the word ‘password’ from its context in my presentation as well. Identity theft and security breaches are proliferating. This critical problem requires urgent practical solutions.
  3. Our proposition is Expanded Password System. In the matrix, there are several KNOWN images. I can easily find all of them right away. Or, rather, the KNOWN images jump into my eye. And, only I can select all of them correctly. We can use both images and characters. It’s easy to manage the relation between accounts and the corresponding passwords. Torturous login is history. It’s now comfortable and even fun. I’ll talk more about these points later.
  4. Indispensable though unloved. Passwords could be both secure and stress-free. It’s a fun way to enhance your passwords. Get the images in your matrix registered. It’s easy. People who enjoy handling images will gain both better security and better convenience. The only extra effort required is to get these images registered; but people already do that across social media platforms and seem to love it. Then comes a huge improvement. Password fatigue would be alleviated for all. Better security for password managers and single-sign-on services. Even better security for multi-factor authentications. Less vulnerable security for biometrics. And it’s backward-compatible. Nothing would be lost for the people who wish to keep using text passwords.
  5. Shall we have a bit closer look at what it offers? So far, only text has been accepted. It was as if we had no choice but to walk up a long, steep staircase. With Expanded Password System, we could imagine a situation in which escalators and elevators are provided along with the staircase. Or, some of us could think of all those ladders we have for climbing in Donkey Kong. Where we want to continue to use textual passwords, we could opt to recall the remembered passwords, although the memory ceiling is very low. Most of us can manage only up to several of them. Where we want to reduce the burden of textual passwords, we could opt to recognize the pictures remembered in stories. The memory ceiling is higher, that is, we would be able to manage more of them. Where we choose to make use of episodic image memory, we would only need to recognize the unforgettable images, that is, KNOWN images. There is virtually no memory ceiling, that is, we would be able to manage as many passwords as we like, without any extra effort.
  6. We are of the belief that there must be three prerequisites for identity assurance. First of all, identity assurance with NO confirmation of the user’s volition would lead to a world where criminals and tyrants dominate citizens. Democracy would be dead where our volition was not involved in our identity assurance. We must be against any attempts to do without what we remember, recall, recognize and feed to login volitionally. Secondly, the mathematical strength of a security means makes sense so long as the means is practicable for us Homo sapiens. A big cake could be appreciated only if it’s edible. Thirdly, being ‘unique’ is different from being ‘secret’. ‘Passwords’ must not be displaced by the likes of ‘User ID’. I mean, we should be very careful when using biometrics for the purpose of identity authentication, although we don’t see so big a problem when using biometrics for the purpose of personal identification. Identification is to give an answer to the question “Who are they?”, whereas authentication is to give the answer to the question “Are they the persons they claim to be?” Authentication and identification belong to totally different domains.
  7. The idea of using pictures for passwords is not new. It’s been around for more than two decades, but the simple forms of pictorial passwords were not as useful as had been expected. UNKNOWN pictures we manage to remember afresh are still easy to forget or get confused, if not as badly as random alphanumeric characters. Expanded Password System is new in that it offers a choice to make use of KNOWN images that are associated with our autobiographic/episodic memories. Please have a look at this 80-second video. Since these images are the least subject to the INTERFERENCE of MEMORY, it enables us to manage dozens of unique strong passwords without reusing the same password across many accounts or carrying around a memo with passwords on it. And, handling memorable images makes us feel comfortable, relaxed and even healed.
  8. It’s known that episodic memories are easily changeable. What we remember as our experience may have been transformed and not be objectively factual. But it would not matter for Expanded Password System. What we subjectively remember as our episodic memory could suffice. From confidentiality’s point of view, it could be even better than objectively factual memories since no clues are given to attackers.
  9. Generally speaking, hard-to-break passwords are hard to remember. But that is not the fate of what we remember. It would be easily possible to safely manage many high-entropy passwords with Expanded Password System, which handles characters as images. Each image or character is represented by image identifier data, which can be of any length. Assume that your password is “CBA123” and that the image ‘C’ is identified as X4s&eI0w, and so on. When you input CBA123, the authentication data that the server receives is not the easy-to-break “CBA123”, but something like “X4s&eI0wdoex7RVb%9Ub3mJvk”, which could be automatically altered periodically or at each access where desired.
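The identifier substitution described in note 9, as an added example that is not code from the presentation or from Mnemonic Security: each image's identifier is derived with an HMAC from a server key and a rotation epoch, so the user's picks stay the same while the data on the wire changes every period. The server key, image names, rotation interval and identifier length are all assumptions.

```python
import hashlib
import hmac
import time

# Constructed data: a server-side key and the user's registered image sequence
# (the images picked in the matrix, in order). Image names are placeholders.
SERVER_KEY = b"constructed-server-secret-key"
REGISTERED_IMAGES = ["img_C", "img_B", "img_A", "img_1", "img_2", "img_3"]
ROTATION_SECONDS = 3600          # identifiers are re-derived every hour (assumption)
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!&%$#@")   # printable output resembling the slide's sample


def current_epoch(now=None):
    """Rotation period number; client and server derive identifiers from it."""
    now = time.time() if now is None else now
    return int(now // ROTATION_SECONDS)


def image_identifier(image_id, epoch, length=8):
    """Identifier data standing in for one image during one epoch.
    It can be any length; 8 characters are used here for readability."""
    msg = f"{image_id}|{epoch}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def identifier_table(matrix_images, epoch):
    """Sent to the client with the matrix: image -> identifier for this epoch."""
    return {img: image_identifier(img, epoch) for img in matrix_images}


def client_auth_data(selected_images, table):
    """The client never sends image names: it concatenates the identifiers
    of the images the user picked, giving opaque high-entropy data."""
    return "".join(table[img] for img in selected_images)


def server_verify(auth_data, epoch):
    """Recompute the expected concatenation for this epoch and compare in
    constant time. Data captured in one epoch does not verify in the next.
    Caveat: the server must keep REGISTERED_IMAGES in recoverable form to
    re-derive identifiers, so it needs the protection of any server secret."""
    expected = "".join(image_identifier(img, epoch) for img in REGISTERED_IMAGES)
    return hmac.compare_digest(auth_data.encode(), expected.encode())


if __name__ == "__main__":
    ep = current_epoch()
    table = identifier_table(REGISTERED_IMAGES + ["img_X", "img_Y"], ep)
    data = client_auth_data(REGISTERED_IMAGES, table)
    print(data, server_verify(data, ep), server_verify(data, ep + 1))
```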
  10. Being able to recall strong passwords is one thing. Being able to recall the relation between accounts and the corresponding passwords is another. When unique matrices of images are allocated to different accounts, those unique image matrices will be telling you what images you should pick as your password for this or that account. When using images of our episodic memories, Expanded Password System will thus free us from the burden of managing the relation between accounts and the corresponding passwords.
  11. How can we login reliably in a panicky situation? Do we assume that people never forget to possess cards and tokens? Do we assume that biometrics is practicable for injured or panicked people? Do we assume that panicked people can recall strong text passwords right away? It’s the obligation of the democratic societies to provide the citizens with identity authentication measures that are practicable in these emergencies. Using unforgettable images WILL help.
  12. What can be thought of as competition to Expanded Password System? Biometrics requires passwords as a fallback means. Password managers and single-sign-on services require passwords as the master password. Multi-factor authentications require passwords as one of the factors. Pattern-on-grid, conventional picture passwords and emoji passwords can all be deployed on our platform. So, competition is thinkable only among the different products of Expanded Password System. By the way, some people claim that a PIN can eliminate passwords, but logic dictates that it can never happen since a PIN is no more than the weakest form of numbers-only password. Neither can a passphrase, which is no more than a long password. There are also some people who talk about the likes of PKI and onetime passwords as an alternative to passwords. But it is like talking about a weak door and proposing to enhance the door panel as an alternative to enhancing the lock and key.
  13. Applications of Expanded Password System will be found wherever people have been using text passwords and numerical PINs, and wherever people need a means of identity authentication, even if we still do not know what it will be.
  14. The proposition of Expanded Password System that drastically alleviates the password fatigue is now acknowledged as a ‘Draft Proposal’ for OASIS Open Projects that OASIS has recently launched as a new standardization program. We have publicized a draft specification of Expanded Password System there. We are going to secure some more participants, corporate members in particular, who are looking for blue-ocean business opportunities in the expanding domain of identity assurance in cyberspace.
  15. Starting with the perception that our continuous identity as human beings is made of our autobiographic memory, we are making identity authentication schemes better by leveraging the time-honored tradition of seals and autographs. The underpinning principle of Expanded Password System shall not go away so long as people want our own volition and memory to remain involved in identity assurance.
  16. Well, let me talk about some more topics related to digital identity. They are: biometrics supposed to kill passwords; the concept of Expanded Password System applied to BMI; Expanded Password System deployed on 2 channels; deterrence effects against targeted/spear phishing; and two-factor authentication built on 2 kinds of passwords.
  17. Every time I speak about Expanded Password System, I am flooded with this question. My answer is: biometrics used with a fallback password brings down the security that the password has so far provided, as outlined in this 30-second video. Specifically, old iPhones with a PIN code only were safer than newer iPhones featuring TouchID and FaceID. What has improved is convenience, obtained at the sacrifice of security. In any case, biometrics that is dependent on a password as a fallback measure can by NO means kill the password. It’s logically obvious. By the way, a false acceptance rate makes sense only when it comes with the corresponding false rejection rate. I don’t understand why biometrics vendors don’t publicize both of the two simultaneously.
  18. Simple brain monitoring has a problem in terms of security. The data, if wiretapped by criminals, can be replayed for impersonation straight away. Therefore the data should be randomized into onetime, disposable data. One idea is that the authentication system allocates random numbers or characters to the images shown to the users. The users focus their attention on the numbers or characters given to the images they had registered. The monitoring system will collect the brain-generated onetime signals corresponding to the registered images. Incidentally, the channel for showing the pictures is supposed to be separate from the channel for brain monitoring. Even if they intercept the data successfully, criminals would be unable to impersonate the users because the intercepted data are onetime and disposable.
  19. Some people say that using physical tokens is more secure than using phones for receiving a onetime code by SMS. If that is the case, the use of physical tokens brings its own headache. What shall we do if we have dozens of accounts that require protection by two/multi-factor schemes? Carry around a bunch of dozens of physical tokens? Or re-use the same tokens across dozens of accounts? The former would be too cumbersome and would too easily attract the attention of bad guys, while the latter would be very convenient but brings the likes of a single point of failure. We have a third proposition. A matrix of images, to which random onetime numbers or characters are allocated, is shown to the users through a mobile device, as in the use case of BMI mentioned a minute ago. Users who recognize the registered images will feed the numbers or characters given to those images on a main device. From those onetime data, the authentication server can tell which images the user had registered. What is needed at the users’ end is only browser software. Then, we do not depend on the vulnerable onetime code sent through SMS, and a single phone can readily cope with dozens of accounts.
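The two-channel exchange of notes 18 and 19 (matrix with onetime labels on one channel, labels typed on the other), as an added example that is not the presentation's or Mnemonic Security's code. The registered and decoy image names, the 4x4 matrix size and the two-digit labels are assumptions; the server side consumes each session on first use so a captured answer cannot be replayed.

```python
import hmac
import secrets

# Constructed data: the user's registered images (in order) and decoy images
# that fill a 4x4 matrix. Names are placeholders.
REGISTERED = ["img_C", "img_B", "img_A"]
DECOYS = [f"decoy_{i:02d}" for i in range(13)]
_rng = secrets.SystemRandom()


class AuthServer:
    """Holds the onetime label assignment of each open login session."""

    def __init__(self, registered):
        self._registered = list(registered)
        self._sessions = {}          # session_id -> {label: image}

    def start_session(self):
        """Channel 1 (mobile device): build the matrix, giving every image a
        fresh random two-digit label that is valid for this session only."""
        images = self._registered + DECOYS
        _rng.shuffle(images)
        labels = _rng.sample(range(10, 100), len(images))   # all distinct
        mapping = {str(lbl): img for lbl, img in zip(labels, images)}
        sid = secrets.token_hex(8)
        self._sessions[sid] = mapping
        return sid, [(lbl, img) for lbl, img in mapping.items()]

    def verify(self, sid, typed_labels):
        """Channel 2 (main device): the labels the user typed. The session is
        consumed whether or not the check passes, so an intercepted answer
        cannot be replayed; a new session carries new labels."""
        mapping = self._sessions.pop(sid, None)
        if mapping is None or len(typed_labels) != len(self._registered):
            return False
        images = [mapping.get(lbl, "") for lbl in typed_labels]
        return hmac.compare_digest("|".join(images).encode(),
                                   "|".join(self._registered).encode())


def user_answers(display, registered):
    """What a user who recognizes their images would type: the label shown
    next to each registered image, in registration order."""
    label_of = {img: lbl for lbl, img in display}
    return [label_of[img] for img in registered]


if __name__ == "__main__":
    server = AuthServer(REGISTERED)
    sid, display = server.start_session()
    answer = user_answers(display, REGISTERED)
    print(answer, server.verify(sid, answer), server.verify(sid, answer))
```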
  20. Expanded Password System was not designed against phishing attacks, but deploying it wisely would help us deter not only indiscriminate mass phishing but also targeted/spear phishing attacks as one of its secondary effects. Where users are encouraged to create their own unique image matrices with Expanded Password System, we could assume that criminals feel discouraged about the indiscriminate mass phishing because of its heavy costs of capturing and activating thousands, millions or billions of image matrices all unique to different UserIDs. 2-Channel Expanded Password System presented in the previous page could discourage targeted phishing because the criminals would have to place both of the two channels under their control simultaneously before starting the phishing trial. Alternatively, we could think of adding a second step of Expanded Password System, making it 'Selective 2-step EPS' for the users who opt for it, which makes criminals’ jobs extremely heavy and complicated. Criminals who persistently chase really valuable information assets could be discouraged if we deploy the 2-step EPS coupled with the 2-Channel method.
  21. A very strong password that is not meant to be remembered but written down on a memo should be viewed as ‘what we have’, definitely not ‘what we remember’, so it could be used as one of the two factors along with a remembered password. We could then turn a boring legacy password system into a two-factor authentication system at no cost, just by verifying two passwords at a time, one volitionally recalled and the other physically possessed. When those two different passwords are used as two factors, we could rely on the strength of a remembered password against physical theft and the strength of a physically possessed long password against brute-force attack, although it is not as strong against wiretapping as token-based solutions armed with PKI or a onetime password. This could be viewed just as a thought experiment, or could actually be considered for practical application in between single-factor authentication and a costly, heavily-armored 2-factor scheme, or as a transition from the former to the latter. It goes without saying that Expanded Password System could be brought in for a good remembered password.
  22. As such, there exists a secure and yet stress-free means of democracy-compatible identity authentication. That is Expanded Password System. I would be happy if you would keep this in mind as one of the takeaways from this conference. ----------------------- If you have questions, feel free to catch me whenever you find me. Thank you very much for your time.