Successfully reported this slideshow.
Your SlideShare is downloading. ×

Fend Off Cybercrime with Episodic Memory

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Fend Off Cybercrime by Citizens’
Non-Volatile Episodic Memory
with the values of democracy
29th July, 2022
Mnemonic Identi...
Problem to Solve
Passwords are
Hard to manage
And yet, absolutely
necessary
Identity theft and
security breaches
are proli...
Basics of Authentication Factors
‘Yes or No’ on feeding correct passwords and ‘Yes or No’ on presenting correct tokens
are...
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Loading in …3
×

Check these out next

1 of 32 Ad

Fend Off Cybercrime with Episodic Memory

Download to read offline

An updated version is available from 30/Aug/2022 at https://www.slideshare.net/HitoshiKokumai/slide-share-updated-fend-off-cybercrime-with-episodic-memory-29aug2022

..................................................

Digital Transformation would be a pipe dream if it’s not supported by a practicable means of identity authentication that is secure and yet stress-free, desirably giving us joy and fun

<Reference URL>

- Video
90-second introductory video; Fend Off Cybercrime by Episodic Memory  (4/Feb/2022) https://youtu.be/T1nrAlmytWE

90-second demonstration video: Mnemonic Gateways (10/Feb/2022)
https://youtu.be/0nNIU4uYl94

- Blog collections

Power of Citizens’ Episodic Memory
https://www.linkedin.com/pulse/power-citizens-episodic-memory-hitoshi-kokumai/

LOSS of Security Taken for GAIN of Security
https://www.linkedin.com/pulse/loss-security-taken-gain-hitoshi-kokumai/

Biometrics Unravelled | password-dependent password-killer
https://www.linkedin.com/pulse/biometrics-unravelled-password-dependent-hitoshi-kokumai/

- Hitoshi Kokumai's profile
https://www.linkedin.com/in/hitoshikokumai/






An updated version is available from 30/Aug/2022 at https://www.slideshare.net/HitoshiKokumai/slide-share-updated-fend-off-cybercrime-with-episodic-memory-29aug2022

..................................................

Digital Transformation would be a pipe dream if it’s not supported by a practicable means of identity authentication that is secure and yet stress-free, desirably giving us joy and fun

<Reference URL>

- Video
90-second introductory video; Fend Off Cybercrime by Episodic Memory  (4/Feb/2022) https://youtu.be/T1nrAlmytWE

90-second demonstration video: Mnemonic Gateways (10/Feb/2022)
https://youtu.be/0nNIU4uYl94

- Blog collections

Power of Citizens’ Episodic Memory
https://www.linkedin.com/pulse/power-citizens-episodic-memory-hitoshi-kokumai/

LOSS of Security Taken for GAIN of Security
https://www.linkedin.com/pulse/loss-security-taken-gain-hitoshi-kokumai/

Biometrics Unravelled | password-dependent password-killer
https://www.linkedin.com/pulse/biometrics-unravelled-password-dependent-hitoshi-kokumai/

- Hitoshi Kokumai's profile
https://www.linkedin.com/in/hitoshikokumai/






Advertisement
Advertisement

More Related Content

Similar to Fend Off Cybercrime with Episodic Memory (20)

Recently uploaded (20)

Advertisement

Fend Off Cybercrime with Episodic Memory

  1. 1. Fend Off Cybercrime by Citizens’ Non-Volatile Episodic Memory with the values of democracy 29th July, 2022 Mnemonic Identity Solutions Limited 90-second introductory video Hello, Digital Transformation would be a pipe dream if it’s not supported by a practicable means of identity authentication that is secure and yet stress-free, desirably giving us joy and fun I am Hitoshi Kokumai, advocate of ‘Identity Assurance by Our Own Volition and Memory’. I’ve been promoting this principle for 21 years now. Our company, Mnemonic Identity Solutions Limited (MIS), set up in August 2020 in United Kingdom for global operations, is a Start-Up as a corporation but it’s more than a Start-Up as a business entity. We set it up in order to globally expand what its predecessor named Mnemonic Security, Inc. started in Japan in late 2001. We have a 20 years long pre-history of technology development, product making and commercial implementations with some US$1 million sales. Our champion use case is Japanese Army deploying our product on field vehicles since 2013 and still using it. At MIS we are now going to help global citizens fend off cybercrime by their non- volatile episodic memory, with the values of democracy. Let me present a 90-second introductory video
  2. 2. Problem to Solve Passwords are Hard to manage And yet, absolutely necessary Identity theft and security breaches are proliferating Critical problem requiring valid and practical solutions 2 1. We have a big headache. Passwords are hard to manage, and yet, the passwords are absolutely necessary. 2. Democracy would be lost where the password was lost and we were deprived of the chances and means of getting our own volition confirmed in having our identity authenticated. When authentication happens without our knowledge or against our will, it is a 1984- like Dystopia. 3. Identity theft and security breaches are proliferating. 4. This critical problem requires solid and practical solutions.
  3. 3. Basics of Authentication Factors ‘Yes or No’ on feeding correct passwords and ‘Yes or No’ on presenting correct tokens are deterministic, whereas biometrics which measures unpredictably variable body features of living animals in changing environments is probabilistic. It is practically impossible to compare the security of a strong or silly password with that of a poorly or wisely deployed physical token even though both passwords and tokens are deterministic, Deterministic authenticators can be used on its own, whereas a probabilistic authenticator would lose its availability when used on its own. Direct comparison of something deterministic and something probabilistic would absolutely bring us nowhere. Deterministic authenticators can be used together in a security-enhancing ‘multi-layer’ deployment, whereas probabilistic authenticators can be used with another authenticator only in a security-lowering ‘multi-entrance’ deployment unless we can forget the availability as illustrated here. Password, token and biometrics are ‘authenticators’, while two/multi-factor schemes, decentralized/distributed digital identity, single-sign-on schemes and password management tools are all ‘deployment of authentication factors’; We would obtain nothing by comparing the former with the latter. Well, removal of the password brings a catastrophic loss of security. It also makes a grave threat to democracy. We will separately talk this issue later.
  4. 4. Volition and Memory (1) Volition of the User – with Self-Determination (2) Practicability of the Means – for Use by Homo sapiens (3) Confidentiality of the Credentials – by ‘Secret’ as against ‘Unique’ We are of the belief that there must be three prerequisites for identity assurance. 1. First of all, identity assurance with NO confirmation of the user’s volition would lead to a world where criminals and tyrants dominate citizens. Democracy would be dead where our volition was not involved in our identity assurance. We must be against any attempts to do without what we remember, recall , recognize and feed to login volitionally. 2. Secondly, mathematical strength of a security means makes sense so long as the means is practicable for us Homo sapiens. A big cake could be appreciated only if it’s edible. 3. Thirdly, being ‘unique’ is different from being ‘secret’. ‘Passwords’ must not be displaced by the likes of ‘User ID’. I mean, we should be very careful when using biometrics for the purpose of identity authentication, although we don’t see so big a problem when using biometrics for the purpose of individual identification. Identification is to give an answer to the question of “Who are they?”, whereas authentication is to give the answer to the question of “Are they the persons who claim to be?” Authentication and identification belong to totally different categories. The answer for the former can only be given somewhere in between very probable and very improbable, whereas the answer for the latter should given definitively ‘Yes, accept’ or ‘No, reject’. Mixing the two up and we will see a very bad confusion.
  5. 5. What’s New? The idea of using pictures has been around for two decades. New is encouraging people to make use of citizens’ non-volatile episodic image memories. 1, The idea of using pictures for passwords is not new. It’s been around for well more than two decades, but the simple forms of pictorial passwords were not as useful as had been expected. UNKNOWN pictures we manage to remember afresh are still easy to forget or get confused. Expanded Password System is new in that it offers a choice to make use of KNOWN images that are associated with our autobiographic/ episodic memories, as you saw earlier in the introductory video. 2. Since the images of episodic memory are not only Non-Volatile but also are the least subject to INTERFERENCE of MEMORY, 3. it enables us to manage dozens of unique strong passwords without reusing the same password across many accounts or carrying around a memo or storage with passwords on it. Furthermore, watching memorable images makes us feel comfortable, relaxed and even healed.
  6. 6. Broader Choice If only text and # are OK It’s a steep climb … to memorize text/number passwords to lighten the load of text passwords to make use of memorized images 3UVB9KUW 【Text Mode】 【Graphics Mode】 【Original Picture Mode】 Recall the remembered password Recognize the pictures remembered in stories Recognize the unforgettable pictures of episodic memories Think of all those ladders you have to climb in Donkey Kong ;-) Low memory ceiling Very high memory ceiling High memory ceiling + + 6 Shall we have a bit closer look at what it offers? So far, only texts have been accepted for password systems. It was, as it were, we have no choice but to walk up a long steep staircase. With Expanded Password System, we could imagine a situation that escalators and elevators are provided along with the staircase. Where we want to continue to use text passwords, we could opt to recall the remembered passwords, although the memory ceiling is very low,. Most of us can manage only up to several of them. We could opt to recognize the pictures remembered in stories where we want to reduce the burden of text passwords. The memory ceiling is high, say, we would be able to manage more and more of them. Where we choose to make use of episodic image memory, we would only need to recognize the unforgettable images, say, UNFORGETTABLE images. There is virtually no memory ceiling, that is, we would be able to manage as many passwords as we like, without any extra efforts.
  7. 7. Relation of Accounts & Passwords Account A Account B Account C Account D Account E, F, G, H, I, J, K, L----------- Unique matrices of images allocated to different accounts. At a glance you will immediately realize what images you should pick up as your passwords for this or that account. 7 Being able to recall strong passwords is one thing. Being able to recall the relation between accounts and the corresponding passwords is another. When unique matrices of images are allocated to different accounts, those unique image matrices will be telling you what images you should pick up as your password for this or that account. When using images of our episodic memories, the Expanded Password System will thus free us from the burden of managing the relation between accounts and the corresponding passwords.
  8. 8. Isn’t Episodic Memory Malleable? We know that episodic memories can change easily. … But that doesn’t matter for authentication. It could even help. 8 It’s known that episodic memories are easily changeable. What we remember as our experience may have been transformed and not objectively factual. But it would not matter for identity authentication. What we subjectively remember as our episodic memory could suffice. From confidentiality’s point of view, it could be even better than objectively factual memories since no clues are given to attackers.
  9. 9. What about Entropy ‘CBA123’ IS ABSURDLY WEAK. WHAT IF ‘C’ AS AN IMAGE GETS PRESENTED BY SOMETHING LIKE ‘X4S&EI0W’ ? WHAT IF ‘X4S&EIWDOEX7RVB%9UB3MJVK’ INSTEAD OF ‘CBA123’ GETS HASHED? 9 Generally speaking, hard-to-break passwords are hard-to-remember. But it’s not the fate of what we remember. It would be easily possible to safely manage many of high-entropy passwords with Expanded Password System that handles characters as images. Each image or character is represented by the image identifier data which can be of any length. 1. Assume that your password is “CBA123” 2. and that the image ‘C’ is identified as X4s& eI0w, and so on. 3. When you input CBA123, the authentication data that the server receives is not the easy-to-break “CBA123”, but something like “X4s&eI0wdoex7RVb%9Ub3mJvk”, which could be automatically altered periodically or at each access where desired. By the way, threats of 'visual-manual attacks on display’ are very different to 'automated brute force attacks’. A figure of ’20-bit’, for instance, would be just a bad joke against automated attacks, whereas it would make a pretty tall wall against visual-manual attacks on display.
  10. 10. A Huge Improvement • Password fatigue alleviated for all • Better security for password-managers and SSO services • Even better security for two/multi-factor authentications • Less vulnerable security for biometric products Backward-Compatible • Nothing lost for users who wish to keep using text passwords Enjoyable Login • Get the images in your matrix registered. It’s easy and joyful. 10 What to Gain Passwords are now both secure and stress-free. People who enjoy handling images will gain both better security and better convenience. The only extra effort required is to get these images registered; but people already do that across social media platforms and seem to love it. Then, huge improvement. 1 .Password fatigue would be alleviated for all. 2. Better security for password mangers and single-sign-on services. 3. Even better security for multi-factor authentications. 4. Less vulnerable security for biometrics. 5. And, It’s backward-compatible. Nothing would be lost for the people who wish to keep using text passwords. 6. On top of all these gains, enhancing your passwords itself is now fun.
  11. 11. Typical Use Case Japan’s Army adopted our product for accepting ‘Panic- Proof’ and yet ‘Hard-to- Break’ credentials. Japan Ground Self-Defense Force, aka, Army is using Expanded Password System for authentication of the personnel who handle the encrypted data exchange between commanders and field communications vehicles since 2013. Some 460 licenses were offered to each field communications vehicle. With each vehicle shared by multiple soldiers, the number of people who use our solution are now supposed to be in many thousands. The number of licenses increased more than 10-fold over the 9-year period of use from 2013. We humbly assume that they are well satisfied with us.
  12. 12. Client Software for Device Login Applications Login Image-to-Code Conversion Server Software for Online-Access 2-Factor Scheme Open ID Compatible Data Encryption Software with on-the-fly key generation Single & Distributed Authority Unlimited Use Cases 12 Applications of Expanded Password System will be found Wherever people have been dependent on text passwords and numerical PINS, Wherever people need some means of identity authentication, even if we still do not know what it will be.
  13. 13. How We Position Our Proposition The underpinning principle of Expanded Password System will not go away so long as people want their own volition and memory to remain involved in identity authentication. 13 It’s Legitimate Successor to Seals and Autographs More on the Power of Citizens’ Non-Volatile Episodic Memory Starting with the perception that our continuous identity as human being is made of our autobiographic memory, we are making identity authentication schemes better by leveraging the time-honored tradition of seals and autographs The underpinning principle of Expanded Password System shall not go away so long as people want our own volition and memory to remain involved in identity assurance.
  14. 14. Competition or Opportunity Password-managers, single-sign-on service? Passwords required as the master-password: Opportunity. Two/multi-factor authentication? Passwords required as one of the factors: Opportunity. Pattern-on-grid, emoji, conventional picture passwords? Deployable on our platform: Opportunity. Biometrics? Passwords required as a backup means: Opportunity. What can be thought of as competition to Expanded Password System? 1. Password-managers and single-sign-on services require passwords as the master- password. 2. Two/Multi-factor authentications require passwords as one of the factors. 3. Pattern-on-grid, conventional picture passwords and emoji-passwords can all be deployed on our platform. 4. Biometrics requires passwords as a fallback means. As such, competition could be thinkable only among the different products of the family of Expanded Password System. By the way, some people claim that PIN can eliminate passwords, but logic dictates that it can never happen since PIN is no more than a weak form of numbers-only password. Neither can Passphrase, which is no more than a long password. There are also some people who talk about the likes of PKI and onetime passwords as an alternative to passwords. But it is like talking about a weak door and proposing to enhance the door panel as an alternative to enhancing the lock and key.
  15. 15. Exciting Scenery of Digital Identity What about “Passwordless” Authentication “LOSS of Security Taken for GAIN of Security” - https://www.linkedin.com/pulse/loss-security-taken-gain-hitoshi-kokumai/ We look tiny and sound feeble. They look massive and sound mighty. We are made of logical fact-based non-flammable graphene. They are made of illogical fallacy-based inflammable paper. ‘We’ mean the forces who advocate the digital identity for which citizens’ volition and memory play a critical role, supporting the solid identity security and the values of democracy. ‘They’ mean the forces who advocate the digital identity from which citizens’ volition and memory are removed, damaging the identity security and the values of democracy. Big names like GAFAM are found as part of the paper elephant, which make them look really massive and sound extremely loud. Whether looking tiny or massive, whether sounding feeble or mighty, it does not matter. It’s fact and logic that decides the endgame. We will prevail in due course.
  16. 16. Launching Global Operation Following experimental successes in Japan, we set up our global headquarters as Mnemonic Identity Solutions Limited (MIS) in United Kingdom in August 2020 - https://www.mnemonicidentitysolutions.com/ With the sales of some US$1 million and a successful adoption by Japan’s military in 2013 at our Japanese entity named Mnemonic Security, Inc., we came to realise that it will not be in Japan but the global market that decides the future of our endeavour. We set up Mnemonic Identity Solutions Limited with British colleagues in UK in 2020 for launching the global operations.
  17. 17. First Global Project “Mnemonic Gateways” Leak-proof Password Manager powered by citizens’ non-volatile episodic image memory 90-second demonstration video What if we come up with a password manager powered by citizens’ non-volatile episodic memory? It is ‘leak-proof’; the passwords, which are generated and re-generated on-the-fly by our image-to-code converter from users' hard-to-forget episodic image memory, will be deleted from the software along with the intermediate data when it is shut down. The merits of episodic image memory enable us to easily handle multiple password managing modules with multiple unique sets of images; it helps us avoid creating a single point of failure. Login to the software by picking up your registered images. When logged-in, a seed data is generated/re-generated from the image data on the fly. Select the account requiring a password from the account list and the software will generate/re-generate a unique password for the target account and send out the user ID and password to the login page. Please watch a quick 90-second demonstration video. This makes the first product for our global operations. We will expect the revenue from the sales of high-security versions for tens of millions of professional users, while offering a standard version to billions of global consumers at no cost.
  18. 18. Goal Make Expanded Password System solutions readily available to all the global citizens – rich and poor, young and old, healthy and disabled, literate and illiterate, in peace and in disaster – over many generations until humans discover something other than 'digital identity' for safe and orderly societal life. Our mission is 1. to make Expanded Password System solutions readily available to all the global citizens – 2. rich and poor, young and old, healthy and disabled, literate and illiterate, in peace and in disaster – 3. over many generations until humans discover something other than 'digital identity' for safe and orderly societal life.
  19. 19. There exists a secure and yet stress- free means of democracy-compatible identity authentication. That is Expanded Password System Thank You for Your Time Hitoshi Kokumai Founder & Chief Architect Mnemonic Identity Solutions Limited Profile https://www.linkedin.com/in/hitoshikokumai/ hitoshi.kokumai@mnemonicidentitysolutions.com kokumai@mneme.co.jp 19 As such, there exists a secure and yet stress free means of democracy-compatible identity authentication. That is Expanded Password System 2. Thank you very much for your time.
  20. 20. Some More Topics on Digital Identity 1 Cryptography for Digital Identity Impact of AI and Quantum-Computing 2-Channel Expanded Password System Secure Brain-Machine-Interface Hybrid Text Password More on “Passwordless” Authentication More on “Biometrics” Authentication Transparency and Integrity 25th July, 2022 Mnemonic Identity Solutions Limited Let me discuss some more topics on digital identity. It may well tell much more about the very broad scope of our business operations. They are Cryptography for Digital Identity Impact of AI and Quantum-Computing 2-Channel Expanded Password System Secure Brain-Machine-Interface Hybrid Text Password More on “Passwordless” Authentication More on “Biometrics” Authentication Transparency and Integrity
  21. 21. Cryptography and Digital Identity Protection by cryptography can’t be above protection by login credential Shall we consider a very typical case that a message is encrypted by a cryptographic module that can stand the fiercest brute forces attacks for trillions of years, while the digital identity of the recipient who is to decrypt the encrypted message is protected by a password that a PC can break in a matter of hours or even minutes? Protection by cryptography can’t be above protection by login credential, passwords in most cases. The lower of the two decides the overall protection level. This observation urges us to make the secret credentials the most solid and reliable where the data to protect is classified. Here we propose that we can make use of operators’ episodic memory that is firmly inscribed deep in their brains for their secret credentials.
  22. 22. Impact of AI and Quantum Computing https://aitechtrend.com/quantum-computing-and-password-authentication/ In its publication in autumn 2021 USA’s NSA said “We ‘don’t know when or even if’ a quantum computer will ever be able to break today’s public-key encryption” In view of that observation, in an article “Quantum Computing and Password Authentication” I wrote “Let us assume, however, that quantum computing has suddenly made a quantum leap and becomes able to break today’s public key schemes. Would we have to despair? We do not need to panic. Bad guys, who have a quantum computer at hand, would still have to break the part of user authentication, that is NOT dependent on the public- key scheme, prior to accessing the target data, in the normal environment where secret credentials, that is, remembered passwords, play a big role.” My article , published in early October 2021, became the ‘most trending’ at NY-based aiTech Trend in February 2022 and still retains that status. This phenomenon probably tells much on how concerned artificial intelligence people are about the issue of passwords and identity assurance with respect to the uncontrolled progress of AI and Quantum Computing.
  23. 23. 4 2-Channel Expanded Password System Using physical onetime tokens is said to be more secure than using phones for receiving onetime code via Short Message Service as one of the two authentication factors. However, the use of physical tokens brings its own headache. What shall we do if we have dozens of accounts that require two factor schemes? Carrying around a bunch of dozens of physical tokens? Or, re-using the same tokens across dozens of accounts? The former would be too cumbersome and too easily attract attention of bad guys, physically creating a single point of failure, while the latter would be very convenient but brings the similar single point of failure in another way. Well, what if random onetime numbers or characters are allocated to each image on the matrix shown on a user’s second device. Recognizing the registered images, the user will feed these numbers or characters on a main device. From those onetime data, the authentication server will tell the images that user is supposed to have registered as the credential. All that is needed at the users’ end is just a web browser on a second device. With all different sets of images for all different accounts, a single phone can readily cope with dozens of accounts without creating a single point of failure. This is not a hypothesis. We actually have a use case of commercial implementation.
  24. 24. Secure Brain-Machine-Interface Ask the users to focus their attention on the numbers or characters given to the registered images. A simple brain-monitoring is vulnerable to wiretapping. The monitoring system will then collect the brain-generated onetime signal corresponding to these numbers or characters. 5 Random numbers or characters allocated to the images. Neuro signals are monitored via a separate channel. A simple brain-monitoring has a security problem. The data, if wiretapped by criminals, can be replayed for impersonation straight away. The monitored brain data should be a onetime disposable code. An idea is that the authentication system allocates random numbers or characters to the images shown to the user. The user focuses their attention on the numbers or characters given to the images they had registered. The monitoring system will collect the brain-generated onetime signals corresponding to the registered images. Incidentally, the channel for showing the pictures is supposed to be separated from the channel for brain-monitoring. Even if intercepting successfully, criminals would be unable to impersonate the user because the intercepted data was onetime and disposed upon use.
  25. 25. Hybrid Text Password Factor 1 – Password Remembered (what we know/remember) Factor 2 – Password Written Down or Physically Stored (what we have/possess) 6 Effect - A ‘boring legacy password system’ turning into a no-cost hybrid password system made of ‘what we know’ and ‘what we have’. The problems that are caused by ‘hard-to-manage’ passwords will be drastically mitigated when we come up with “Mnemonic Gateways” password manager driven by Expanded Password System (EPS) and other EPS-based solutions with which the secret credentials for login can be generated and re-generated from non-volatile citizens episodic image memory. While we have to wait for it to happen, we are suggesting a stopgap measure of combining two kinds of passwords - one that we can easily remember and recall , with the other that is truly random and complex for electronical storage on a device. When in use, we recall and type the former and copy&paste the latter. We call it ‘Hybrid Text Password’. It is not as safe and simple as remembering the whole of it but much safer than storing the whole of it. But, would you be interested to talk about the size of a cake that we know is not edible? The hybrid password is what I myself have long been practicing for high-security accounts that accept only text-passwords.
  26. 26. More on ‘Passwordless’ Authentication Where removing the password increase security of digital identity, we would find such picture at every ATM . We would also hear “Remove the army and we will have a stronger national defense” We could accept “Passwordless” authentication without losing sanity if it comes with a transparent statement that it brings ‘better availability’ at the cost of losing security, helping people where availability and convenience, not security, matters most. The problem is that the “passwordless” promoters are adamantly alleging that the passwordless schemes are to increase security, thus spreading a false sense of security. The false sense of security is not only weakening the defence of democratic nations from within when we have to cope with the yet increasing cybersecurity threats from aggressive anti-democracy regimes, but also preventing global citizens from being better prepared against the threats by making good use of the defence surface of the password and its expanded developments.
  27. 27. More on ‘Passwordless’ Authentication (1) Password-less + nothing else; the least secure (2) Password-less + something else; securer than (1) (3) Password + something else: point of arguments (1) Token-less + nothing else; the least secure (2) Token-less + something else; securer than (1) (3) Token + something else: point of arguments Let me try a breakdown of the passwordless concept. (1) Password-less + nothing else; the least secure (2) Password-less + something else; securer than (1) (3) Password + something else: here is the point of arguments By our criteria, the security increases from 1 to 3. However, by the “passwordless” folks’ criteria, the security of (2) is viewed as higher than (3), presumably because an attack surface of the password is removed in (2) whereas there is an attack surface on the password in (3). Well, let me try the same for “token-less” login. (1) Token-less + nothing else; the least secure (2) Token-less + something else; securer than (1) (3) Token + something else: here is the point of arguments By our criteria, the security increases from 1 to 3. However, by the “passwordless” folks’ criteria, the security of (2) should be viewed as higher than (3) because an attack surface of the token is removed in (2) whereas there is an attack surface on the token in (3). Did you find it fun or very worrying?
  28. 28. More on ‘Passwordless’ Authentication The ‘passwordless’ promoters might have been trapped in a cognitive pitfall. From my experience of debating with them, We suspect that there are three possible scenarios - (1) They may have taken 'what is not good and helpful enough' for 'what is ‘bad and harmful’. (2) They may have failed to notice that a token, whether PKI-based or otherwise, also carries the attack surface of being stolen or otherwise compromised. (3) They may have assumed that a defense surface is a part of an attack surface in the case of password. We wish that the ‘passwordless’ folks had listened to our advice.
  29. 29. More on ‘Biometrics’ Authentication 10 30-second Video YouTube Surprisingly many people are promoting, selling and adopting biometrics as a tool of identity authentication without the basic knowledge of the very technology. Get graphs to talk the nature of biometrics - By nature, whether static or behavioural, all the biometrics technologies are 'probabilistic' since it measures unpredictably variable body features of living animals in ever changing environments. - False Acceptance and False Rejection are not the variables that are independent from each other, but are dependent on each other. - The lower a False Acceptance Rate is, the higher the corresponding False Rejection Rate is. The lower a False Rejection Rate, the higher the corresponding False Acceptance Rate. - When a False Acceptance Rate is close to Zero, the corresponding False Rejection Rate is close to One. When an False Rejection Rate is close to Zero, the corresponding False Acceptance Rate is close to One. - The presence of False Rejection, however close to Zero, would require a fallback means against the False Rejection unless the user can forget the availability.
  30. 30. More on ‘Biometrics’ Authentication This house has added a new door with biometrics with near-zero false acceptance besides an old door with a weak password that the biometrics vendor ridiculed harshly. The client asks “The new door looks very impressive. But why does the old door stay?” The vendor replies “The new door rejects criminals so effectively that you might also be rejected occasionally” Shortly thereafter, a burglar is delighted to utter “Very convenient! I can attack both of the two” As such, biometrics used with a fallback password brings down the security that the password has provided. However powerful and influential the biometrics vendor may be, like Apple, Google and Microsoft are, they cannot change this fact. Incidentally, there would be nothing wrong in deploying biometrics with a default/fallback password if vendors state transparently that the benefit of biometrics used for authentication in cyberspace is ‘better availability’ obtained by sacrificing the security that the password on its own somehow provides. What is wrong is that they mislead the public to believe that it contributes to ‘better security’, thus spreading a false sense of security and thereby weakening the defence line of democratic nations from within when we have to face fierce cyberattacks from adversaries of democracy.
  31. 31. Transparency and Integrity Let me talk about the moral responsibility of those of us who have awoken Firstly, It would not be very wise to get the defence line weakened from within when facing formidable adversaries who are known to be making every effort to destroy the values of democracy. What I mean is the lack of transparency and integrity over the “passwordless” and “biometrics” authentication schemes that quite a few security professionals and big IT players are touting, as discussed earlier. We have been trying to stay tenacious since we awoke to this consequential problem, probably as one of the first few to have awoken to it. We do not want to be among those who knowingly turn a blind eye to the ongoing erosion of the democratic values due to a wrong design of digital transformation when facing the dreadful democracy-destroyers. Secondly, once we are awake to what role the power and merits of citizens’ non- volatile episodic memory can play for solid digital identity, it cannot be an option for us to be hesitant to press ahead proactively and energetically, especially in the current perilous circumstances. We would like to believe that our endeavour viewed as well the support of all the good citizens.

×