
Further Update: Identity Assurance by Our Own Volition and Memory


The volitional password is absolutely necessary where democratic values matter (*1), whereas the conventional password is hated, as everybody agrees.

These observations lead us to conclude that we have to find a sort of password system that is not hated. Logic tells us that there can be no other choice.

We came up with the way out: the Expanded Password System, which accepts images as well as texts/characters.

This is the updated version of the slides used for the presentation on 30/Oct/2018 at KuppingerCole's Consumer Identity World Europe 2018 in Amsterdam (*2). Slide 20, "Deterrence to Targeted Phishing", has been added.

*1 Where authentication of our identity happens without our knowledge or against our will, it is a 1984-like Dystopia.

*2 https://www.kuppingercole.com/events/ciweu2018/agenda_overview

Links to videos

80-second video
https://www.youtube.com/watch?v=ypOnKTTwRJg&feature=youtu.be

30-second video
https://www.youtube.com/watch?v=7UAgtPtmUbk&feature=youtu.be


  1. Identity Assurance by Our Own Volition and Memory. The safety of our cyber life depends on identity assurance, which in turn relies on remembered passwords. Hitoshi Kokumai, President, Mnemonic Security, Inc., kokumai@mneme.co.jp. Enabling Self-Sovereign Identity. 13/Nov/2018. Our identity as human beings is made of our autobiographic memory.
  2. The problem: passwords could work, but they need help. Passwords are hard to manage, and yet absolutely necessary. Identity theft and security breaches are proliferating: a critical problem requiring urgent practical solutions.
  3. Expanded Password System. Broader choices: images AND characters. There are several known pictures in the matrix; I can easily find all of them right away; only I can select all of them correctly. Torturous login is history. Login is now comfortable, relaxing and healing. Easy to manage relations between accounts and corresponding passwords.
  4. A Fun Way to Enhance Your Passwords. A fun first step • Get the images in your password matrix registered. It's easy. Huge improvement • Password fatigue alleviated for all • Better security for password managers and SSO services • Even better security for two/multi-factor authentication • Less vulnerable security for biometric products. Backward-compatible • Nothing lost for users who wish to keep using text passwords.
  5. We Need a Broader Choice. If only text and # are OK, it's a steep climb to memorize text/number passwords. 【Text Mode】 (e.g. 3UVB9KUW): recall the remembered password; low memory ceiling. 【Graphics Mode】: recognize the pictures remembered in stories, to lighten the load of text passwords; high memory ceiling. 【Original Picture Mode】: recognize the unforgettable pictures of episodic memories, to make use of memorized images; very high memory ceiling. Think of all those ladders you have to climb in Donkey Kong ;-)
  6. Volition and Memory. (1) Volition of the User: with self-determination. (2) Practicability of the Means: for use by Homo sapiens. (3) Confidentiality of the Credentials: by 'secret' as against 'unique'.
  7. What's New? The idea of using pictures has been around for two decades. New is encouraging people to make use of episodic image memories. 80-second video (YouTube keyword: Smallest Interference of Memory).
  8. Isn't Episodic Memory Changeable? We know that episodic memories can change easily. But that doesn't matter for authentication. It could even help.
  9. What about Entropy? A password like 'CBA123' is absurdly weak. What if 'C' as an image gets represented by something like 'X4S&EI0W'? What if 'X4S&EIWDOEX7RVB%9UB3MJVK' instead of 'CBA123' gets hashed?
  10. Relation of Accounts & Passwords. Account A, Account B, Account C, Account D, Account E, F, G, H, I, J, K, L ... • Unique matrices of images are allocated to different accounts. • At a glance you will immediately realize which images you should pick as your password for this or that account.
  11. In the Field: Identity Assurance in Emergencies. Practicable with both hands busy? In panic? With injuries? With protection gear on? Seizure of memos, devices, tokens; seizure of body features. Disaster recovery: cards and tokens possessed? Biometrics practicable? Even in severe panic, we can quickly recognize unforgettable images of episodic memories.
  12. Competition or Opportunity? Biometrics? Passwords required as a backup means: opportunity. Two/multi-factor authentication? Passwords required as one of the factors: opportunity. Password managers, single-sign-on services? Passwords required as the master password: opportunity. Pattern-on-grid, emoji, conventional picture passwords? Deployable on our platform: opportunity.
  13. Unlimited Use Cases. Client software for device login; applications login; image-to-code conversion; server software for online access; 2-factor scheme; OpenID compatible; data encryption software with on-the-fly key generation; single & distributed authority.
  14. OASIS Open Projects • Proposition of Expanded Password System at 'Draft Proposal' stage • With 56 individual participants • Going to secure some more participants, corporate members in particular.
  15. How We Position Our Proposition. We make identity authentication schemes better by leveraging the time-honored tradition of seals and autographs. The underpinning principle of Expanded Password System will not go away so long as people want our own volition and memory to remain involved in identity authentication.
  16. Some More Topics about Identity • Isn't Biometrics Killing Passwords? • Brain-Machine Interface • 2-Channel Expanded Password System • Deterrence to Targeted Phishing • No-Cost 2-Factor Authentication
  17. Isn't Biometrics Killing Passwords? Fact 1: Biometrics used with a fallback password brings down the security that the password has provided. Specifically, old iPhones with a PIN code only were safer than newer iPhones featuring TouchID and FaceID. What has improved is convenience, not security. (30-second video on YouTube.) Fact 2: Biometrics dependent on a password as a fallback means cannot kill the password dead. Fact 3: A false acceptance rate does not make sense unless it comes with the corresponding false rejection rate.
  18. Brain-Machine Interface. A simple brain-monitoring scheme is vulnerable to wiretapping. So random numbers or characters are allocated to the images, and the users are asked to focus their attention on the numbers or characters given to the registered images. The monitoring system will then collect the brain-generated one-time signal corresponding to these numbers or characters.
  19. 2-Channel Expanded Password System. Conventional 2-factor authentication systems are effective only against abuse of the device/phone. 2-factor Expanded Password System enables the user to produce one-time identity authentication data, i.e., a real one-time password.
  20. Deterrence to Targeted Phishing. Genuine or fake? Fake or genuine? Though not designed against phishing attacks, wise deployment of Expanded Password System helps us deter not only indiscriminate mass phishing but also targeted phishing attacks as one of its secondary effects. Against mass phishing: where users are encouraged to create their own unique image matrices with Expanded Password System, criminals would feel discouraged because of the heavy costs of capturing and activating thousands, millions or billions of image matrices all unique to different UserIDs. Against targeted/spear phishing: the '2-Channel Expanded Password System' presented on the previous slide could discourage targeted phishing because the criminals would have to place both of the two channels under their control simultaneously before starting the phishing trials. Alternatively, we can add a second step of Expanded Password System, making it 'Selective 2-step Authentication' for the users who opt for it, which makes the criminals' job extremely heavy and complicated. Against persistent targeted/spear phishing: criminals who persistently chase really valuable information assets could be discouraged if we deploy the 2-step EPS coupled with the 2-Channel method.
  21. No-Cost 2-Factor Authentication. Factor 1: password remembered (what we know/remember). Factor 2: password written down or physically stored (what we have/possess). Effect: a 'boring legacy password system' turning into a no-cost light-duty two-factor authentication system made of 'what we know' and 'what we have'.
  22. Wrap-Up. Expanded Password System, which drastically alleviates password fatigue, is supportive of • Biometrics that require passwords as a fallback means against false rejection • Two/multi-factor authentications that require passwords as one of the factors • ID federations such as password managers and single-sign-on services that require passwords as the master password • Simple pictorial/emoji passwords and patterns-on-grid that can all be deployed on our platform. * All with the effect that handling memorable images makes us feel pleasant and relaxed. Furthermore • Nothing would be lost for the people who want to keep using textual passwords • It enables us to turn a low-entropy password into high-entropy authentication data • It is easy to manage the relation between accounts and the corresponding passwords • It helps deter various phishing attacks • Last but not least, it is democracy-compatible by way of providing the chances and means to get our own volition confirmed in our identity assurance. * It is the obligation of democratic societies to provide citizens with the choice to adopt a secure and yet stress-free identity authentication means that is practicable in any circumstances, panicky situations in emergencies in particular.
  23. As such, there exists a secure and yet stress-free means of democracy-compatible identity authentication. That is Expanded Password System. Thank You. Hitoshi Kokumai, President, Mnemonic Security, Inc., kokumai@mneme.co.jp
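As an added illustration of the image-to-code conversion sketched in slides 9 and 13 (example code written for this page, not Mnemonic Security's software): each image in a user's matrix is bound to a random code, and only the concatenated codes of the chosen images are salted and hashed. The code alphabet, code length, matrix size, and scrypt parameters are assumptions.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Constructed alphabet for the per-image codes (assumption, not from the slides).
CODE_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def build_matrix(image_ids, code_len=8):
    """Bind an independent random code (like 'X4S&EI0W') to every image in the matrix."""
    return {img: "".join(secrets.choice(CODE_ALPHABET) for _ in range(code_len))
            for img in image_ids}


def selection_to_secret(matrix, chosen):
    """Concatenate the codes of the chosen images, in the order they were picked."""
    return "".join(matrix[img] for img in chosen)


def _kdf(secret, salt):
    # Slow, salted hash of the concatenated codes; parameters are assumptions.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def register(matrix, chosen):
    """Store only a fresh salt and the hash; never the picked images or codes."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(selection_to_secret(matrix, chosen), salt)}


def verify(record, matrix, chosen):
    """Recompute the hash from the current selection and compare in constant time."""
    candidate = _kdf(selection_to_secret(matrix, chosen), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def guess_space_bits(matrix_size, picks):
    """Bits an online guesser faces: ordered picks from the matrix without reuse."""
    return math.log2(math.perm(matrix_size, picks))


def code_string_bits(code_len, picks):
    """Bits in the string that is actually hashed, if the code table is unknown."""
    return picks * code_len * math.log2(len(CODE_ALPHABET))
```

The long code string raises the cost of cracking a stolen hash only while the per-user image-to-code table stays secret; an online guesser still faces only the choice space of which images to pick from the matrix, which guess_space_bits() reports.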
