We have periodically talked about the sorcery-like illogical arguments haunting the domain of identity assurance. We now hardly see the people who insist that the password can be displaced by two/multi-factor authentications or ID federations. The voice is now much smaller that PIN (numbers-only weak password) can displace the password. However, we know that there are still a lot of people who loudly allege that the password can be displaced by the biometrics operated in cyberspace together with a fallback password. Many of them are found at world famous corporations like Microsoft, Apple, Google and a number of government agencies and financial institutions in addition to the very vendors of biometric solutions. Most worryingly, not a few security experts appear to have opted to be in silence. We wonder if we would be able to prevent the security fiasco before it is too late.

1. User-Friendly or Criminal-FriendlyUser-Friendly or Criminal-Friendly
- Possibility of Security Fiasco -- Possibility of Security Fiasco -
Undue user-friendliness could often please criminals above all.
Beware of biometrics operated in cyberspace together with a
fallback password registered in case of false rejection.
11th January, 2016
Mnemonic Security, Inc., Japan/UK

2. What is the issue?What is the issue?
Biometric solutions deployed in cyberspace are generallyBiometric solutions deployed in cyberspace are generally
operated together with a fallback password.operated together with a fallback password.
When those solutions are offered explicitly as the tools forWhen those solutions are offered explicitly as the tools for
better convenience, there would be no problem at all. Webetter convenience, there would be no problem at all. We
could welcome them.could welcome them.
If, however, offered explicitly as the tools for “better security”,If, however, offered explicitly as the tools for “better security”,
we would need to worry a lot. It could well end up pleasingwe would need to worry a lot. It could well end up pleasing
criminals through a false sense of security.criminals through a false sense of security.

3. What is the prospect?What is the prospect?
It is very worrying that “quasi-security solutions” that couldIt is very worrying that “quasi-security solutions” that could
please criminals are reportedly welcomed by a number ofplease criminals are reportedly welcomed by a number of
people at government agencies and financial institutions whopeople at government agencies and financial institutions who
need to be most security-conscious.need to be most security-conscious.
The situation seems to be getting worse with not a few securityThe situation seems to be getting worse with not a few security
experts being in silence and the misguided media reportersexperts being in silence and the misguided media reporters
adding fuels to the fire. We raise this theme yet again,adding fuels to the fire. We raise this theme yet again,
expecting to help prevent the security fiasco.expecting to help prevent the security fiasco.
For more information, have a quick look atFor more information, have a quick look at
http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802
http://www.slideshare.net/HitoshiKokumai/biometrics-false-sense-of-securityhttp://www.slideshare.net/HitoshiKokumai/biometrics-false-sense-of-security
Thank youThank you