The document discusses a suggestion submitted to NIST regarding their digital authentication guidelines. The suggestion involved clarifying that using biometrics with a secondary authenticator via an OR operation provides lower security than using the secondary authenticator alone. However, NIST abruptly closed the discussion thread without clear explanation. The author is looking for help understanding NIST's perspective on allowing OR operations.
Till Altmann - Industrial Designer in Unisto (Switzerland)Ramses Cabello
Till Altmann, speaker at H4G 2014, and me work together into a presentation for his own work life. He brought the contents and the ideas and I help him organise the presentation.
It gives a quick insight into how ups and downs through work life can lead to success. Use your downs to be able to go higher on your ups.
I love to work as a Team with him on this project.
Enjoy :)
Visual Summary of Egocentric Photostreams by Representative KeyframesMarc Bolaños Solà
Presentation of the 1st International Workshop on Wearable and Ego-vision Systems for Augmented Experience (WEsAX), ICME, Turin, Italy (July 3rd, 2015).
Till Altmann - Industrial Designer in Unisto (Switzerland)Ramses Cabello
Till Altmann, speaker at H4G 2014, and me work together into a presentation for his own work life. He brought the contents and the ideas and I help him organise the presentation.
It gives a quick insight into how ups and downs through work life can lead to success. Use your downs to be able to go higher on your ups.
I love to work as a Team with him on this project.
Enjoy :)
Visual Summary of Egocentric Photostreams by Representative KeyframesMarc Bolaños Solà
Presentation of the 1st International Workshop on Wearable and Ego-vision Systems for Augmented Experience (WEsAX), ICME, Turin, Italy (July 3rd, 2015).
A survey on security and policy aspects of blockchain technologyTELKOMNIKA JOURNAL
This survey talks about the problem of security and privacy in the blockchain ecosystem which is currently a hot issue in the blockchain community. The survey intended to study this problem by considering different types of attacks in the blockchain network with respect to algorithms presented. After a preliminary literature review it seems that some focus has been given to study the first use case while, to the best of my knowledge, the second use case requires more attention when blockchain is applied to study it. The research is also interested in exploring the link between these two use cases to study the overall data ownership preserving accountable system which will be a novel contribution of this work. However, due to the subsequent government mandated secrecy around the implementation of data encryption standard (DES), and the distrust of the academic community because of this, a movement was spawned that put a premium on individual privacy and decentralized control. This movement brought together the top minds in encryption and spawned the technology we know of as blockchain today. This survey explores the genesis of encryption, its early adoption, and the government meddling which eventually spawned a movement which gave birth to the ideas behind blockchain.
Deployment of Biometrics & Password - NIST63BHitoshi Kokumai
When 'a physical authenticator PLUS password' is less complicated, less costly and more secure than 'a physical authenticator PLUS <password OR biometrics>', I wonder where there is a merit of involving the problem-ridden biometrics.
A decentralized consensus application using blockchain ecosystem IJECEIAES
The consensus is a critical operation of any decision-making process. It involves a set of eligible members; whose decision need to be honored by taking their acknowledgment before making any decision. The traditional consensus process follows centralized architecture, the members need to rely on and trust this architecture. The proposed system aims to develop a secure decentralized consensus application in the untrusted environment by making use of blockchain technology along with smart contract and interplanetary file system (IPFS).
A survey on security and policy aspects of blockchain technologyTELKOMNIKA JOURNAL
This survey talks about the problem of security and privacy in the blockchain ecosystem which is currently a hot issue in the blockchain community. The survey intended to study this problem by considering different types of attacks in the blockchain network with respect to algorithms presented. After a preliminary literature review it seems that some focus has been given to study the first use case while, to the best of my knowledge, the second use case requires more attention when blockchain is applied to study it. The research is also interested in exploring the link between these two use cases to study the overall data ownership preserving accountable system which will be a novel contribution of this work. However, due to the subsequent government mandated secrecy around the implementation of data encryption standard (DES), and the distrust of the academic community because of this, a movement was spawned that put a premium on individual privacy and decentralized control. This movement brought together the top minds in encryption and spawned the technology we know of as blockchain today. This survey explores the genesis of encryption, its early adoption, and the government meddling which eventually spawned a movement which gave birth to the ideas behind blockchain.
Deployment of Biometrics & Password - NIST63BHitoshi Kokumai
When 'a physical authenticator PLUS password' is less complicated, less costly and more secure than 'a physical authenticator PLUS <password OR biometrics>', I wonder where there is a merit of involving the problem-ridden biometrics.
A decentralized consensus application using blockchain ecosystem IJECEIAES
The consensus is a critical operation of any decision-making process. It involves a set of eligible members; whose decision need to be honored by taking their acknowledgment before making any decision. The traditional consensus process follows centralized architecture, the members need to rely on and trust this architecture. The proposed system aims to develop a secure decentralized consensus application in the untrusted environment by making use of blockchain technology along with smart contract and interplanetary file system (IPFS).
BITCOIN CLASSIC HAS TURNED THE WORLD UPSIDE DOWN!Steven Rhyner
Thirty-six days have already passed since the new hard fork of Bitcoin, under the name Bitcoin Classic, came into being. The core developers believe that a hard fork is a last resort, something that you shouldn’t do unless you have to.
The business world has been abuzz about blockchain technology across many industries, ranging from finance to healthcare. Blockchain appears to have significant potential to add a new element to the revered double-entry accounting method on which the accounting industry is based. Bitcoin/cryptocurrency is one of the application of broader blockchain technology or ‘the blockchain’.
Blockchain is an online register or a ledger of digitally recorded transactions which is encrypted in the form of blocks where each block is connected by a network of computers which store these blocks, together forming the Blockchain. Bitcoin was the first blockchain technology created in 2009, as a kind of virtual currency database, where all the transactions could be stored without any banks or governments involved. And at present, several corporates, startups, government and other agencies are looking for similar databases-often independent of virtual/crypto currency to solve some of the most intractable issues facing society. Many sectors such as finance, mobile app, healthcare, real estate, fintech, regulatory, insurance and others have a huge market potential for blockchain technology.
HypeProfit is an advanced decentralized finance ecosystem built on Tron and BNB technology. It enables staking, trading, lending and online gaming to grow your future and offers high returns on your money
Image data of a picture that the user picks up will be hashed by the likes of Sha256
Sha-hashed data of the selected several pictures will be put together and hashed by the likes of Argon2id
The Argon2id-hashed data will be outputted as the code to be used as a password, a crypto key, a master-password or something else depending on use cases.
With unique salts added, a number of derivative codes can be automatically generated from the first code in a single process
Here are the discussions that are mentioned in P19 of "Fend Off Cyberattack with Episodic Memory"
https://www.slideshare.net/HitoshiKokumai/fend-off-cyberattack-with-episodic-memory-24feb2023
Fend Off Cyberattack with Episodic Memory (24Feb2023)Hitoshi Kokumai
This is a slide with script presented at Conference On Cyber Security In Financial Institutions by Banking Association of Central and East Europe on 24th February 2023 - https://baceeconference.com/cyber-security-conference/
The issues mentioned on P19 are discussed here - "More Issues on Digital Identity"
https://www.slideshare.net/HitoshiKokumai/more-issues-on-digital-identity-24feb2023
Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022Hitoshi Kokumai
Digital Transformation would be a pipe dream if it’s not supported by a practicable means of identity authentication that is secure and yet stress-free, desirably giving us joy and fun
Our company, Mnemonic Identity Solutions Limited (MIS), set up in August 2020 in United Kingdom for global operations, is a Start-Up as a corporation but it’s more than a Start-Up as a business entity. We set it up in order to globally expand what its predecessor named Mnemonic Security, Inc. started in Japan in late 2001.
We have a 20 years long pre-history of technology development, product making and commercial implementations with some US$1 million sales. Our champion use case is Japanese Army deploying our product on field vehicles since 2013 and still using it.
At MIS we are now going to help global citizens fend off cybercrime by their non-volatile episodic memory, with the values of democracy.
< Video Link >
Fend Off Cybercrime by Episodic Memory (90 seconds) https://youtu.be/T1nrAlmytWE
MnemonicGateways (90 seconds)
https://youtu.be/0nNIU4uYl94
High-Security Operation on PC for managers (4m28s)
https://www.youtube.com/watch?v=UO_1fEp2jFo
< Document Link >
Power of Citizens’ Episodic Memory
https://www.linkedin.com/pulse/power-citizens-episodic-memory-hitoshi-kokumai/
LOSS of Security Taken for GAIN of Security
https://www.linkedin.com/pulse/loss-security-taken-gain-hitoshi-kokumai/
An updated version is available from 30/Aug/2022 at https://www.slideshare.net/HitoshiKokumai/slide-share-updated-fend-off-cybercrime-with-episodic-memory-29aug2022
..................................................
Digital Transformation would be a pipe dream if it’s not supported by a practicable means of identity authentication that is secure and yet stress-free, desirably giving us joy and fun
<Reference URL>
- Video
90-second introductory video; Fend Off Cybercrime by Episodic Memory (4/Feb/2022) https://youtu.be/T1nrAlmytWE
90-second demonstration video: Mnemonic Gateways (10/Feb/2022)
https://youtu.be/0nNIU4uYl94
- Blog collections
Power of Citizens’ Episodic Memory
https://www.linkedin.com/pulse/power-citizens-episodic-memory-hitoshi-kokumai/
LOSS of Security Taken for GAIN of Security
https://www.linkedin.com/pulse/loss-security-taken-gain-hitoshi-kokumai/
Biometrics Unravelled | password-dependent password-killer
https://www.linkedin.com/pulse/biometrics-unravelled-password-dependent-hitoshi-kokumai/
- Hitoshi Kokumai's profile
https://www.linkedin.com/in/hitoshikokumai/
Bring healthy second life to legacy password systemHitoshi Kokumai
Passwords are said to be too vulnerable to theft and too hard to manage. Many people sound as if the password were an enemy of people. Some people even allege that removal of the password would improve the security of digital identity. Let us examine how valid such views are.
More information at https://www.mnemonicidentitysolutions.com/
Cyber Predicament by Text-Only Password SystemsHitoshi Kokumai
The current password predicament is caused by the conventional password systems that do not allow people to use anything but numbers/characters. But we do not have to despair. There exists an incredibly simple solution to it, though little known to the public as yet.
Updated: Presentation with Scripts at CIW2018Hitoshi Kokumai
The volitional password is absolutely necessary where the democratic values matter (*1). whereas the conventional password is hated as everybody agrees.
This observations lead us to conclude that we should agree that we have to find the sort of password system that is not hated. Logic tells that there can be no other choice.
We came up with the way out. It is Expanded Password System that accepts images as well as texts/characters.
This is the updated version of the slide used for the presentation on 30/Oct/2018 at KuppingerCole's Consumer Identity World Europe 2018 in Amsterdam (*2). P20 for "Deterrence to Targeted Phishing" has been added.
*1 Where authentication of our identity happens without our knowledge or against our will, it is a 1984-like Dystopia.
*2 https://www.kuppingercole.com/events/ciweu2018/agenda_overview
<Link to Videos >
80-second video
https://www.youtube.com/watch?v=ypOnKTTwRJg&feature=youtu.be
30-second video
https://www.youtube.com/watch?v=7UAgtPtmUbk&feature=youtu.be
The volitional password is absolutely necessary(where the democratic values matter *1). whereas the conventional password is hated (as everybody agrees).
This observations lead us to conclude that we should agree that we have to find the sort of password system that is not hated. Logic tells that there can be no other choice.
We came up with the way out. It is Expanded Password System that accepts images as well as texts/characters.
This slide was used for the presentation on 30/Oct/2018 at KuppingerCole's Consumer Identity World Europe 2018 in Amsterdam *2
*1 Where authentication of our identity happens without our knowledge or against our will, it is a 1984-like Dystopia.
*2 https://www.kuppingercole.com/events/ciweu2018/agenda_overview
<Link to Videos >
80-second video
https://www.youtube.com/watch?v=ypOnKTTwRJg&feature=youtu.be
30-second video
https://www.youtube.com/watch?v=7UAgtPtmUbk&feature=youtu.be
Updated: Identity Assurance by Our Own Volition and MemoryHitoshi Kokumai
The volitional password is absolutely necessary(where the democratic values matter *1). whereas the conventional password is hated (as everybody agrees).
This observations lead us to conclude that we should agree that we have to find the sort of password system that is not hated. Logic tells that there can be no other choice.
We came up with the way out. It is Expanded Password
System that accepts images as well as texts/characters.
This is the slide I used for the presentation on 30/Oct/2018 at KuppingerCole's Consumer Identity World Europe 2018 in Amsterdam *2
*1 Where authentication of our identity happens without our knowledge or against our will, it is a 1984-like Dystopia.
*2 https://www.kuppingercole.com/events/ciweu2018/agenda_overview
<Link to Videos >
80-second video
https://www.youtube.com/watch?v=ypOnKTTwRJg&feature=youtu.be
30-second video
https://www.youtube.com/watch?v=7UAgtPtmUbk&feature=youtu.be
Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...Hitoshi Kokumai
So long as the biometrics is backed up by a fallback password, irrespective of which are more accurate than the others, its security is lower than that of a password-only authentication. Then, we have to wonder why and how the biometrics has been touted as a security-enhancing tool for so long, with so many security professionals being silent about the fact.
It appears that we may have got some clues to this conundrum.
Business Dimension of Expanded Password SystemHitoshi Kokumai
We are in the middle of the decades-long game of having the finalist candidates chosen for the legitimate successors not just to the decades-old character passwords but to the centuries or millennia-old seals and signatures, which will make the basic foundation for the real/cyber-fused society that may well last for more than generations or even centuries for the whole global population.
With billions of people suffering the same big headache, the problem to be addressed by our solution is huge, Substantial revenues will be expected for the business of providing the most practicable solution.
Please join us and support us for this nice exciting enterprise.
Expanded password system - Reliable Identity AssuranceHitoshi Kokumai
Security of the real/cyber-fused society hinges on “Assured Identity”, which hinges on “Shared Secrets” in cyberspace. The text password has been the shared secrets for many decades. We now need a successor to the text password. There exists a promising candidate, an Expanded Password System which accepts images as well as characters and which generates a high-entropy password from a hard-to-forget password.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Help unravel the conundrum over NIST authentication guideline
1. - Help unravel the conundrum over NIST’s Guideline -
I submitted the following suggestion on NIST's Draft Digital Authentication Guideline
on August 2.
……………………
5.2.3 reads "(The biometric system SHALL allow no more than 10 consecutive failed
authentication attempts.) Once that limit has been reached, the claimant SHALL be
required to use a different authenticator or to activate their authenticator with a
different factor such as a memorized secret."
It is desirable to see the above sentence in 5.2.3 followed by such a footnote as "It should
be noted that the security in such cases is necessarily lower than when the second
authenticator alone is used".
--------------------------
NIST abruptly closed the thread of my suggestion registered as #193 for the reasons
which are just unintelligible to me after the exchange of a couple of odd messages as
outlined below.
--------------------------------------------------
First, a NIST person indicated in their reply that NIST allows or even forces the
OR/Disjunction operation adding "it is still two-factor". I submitted a suggestion on
the assumption that NIST allows OR/Disjunction operation.
The person’s second reply said "If two-factors are required, 2-factors need to be
authenticated or the claimant will not get access." It led me to assume that NIST does
not allow OR/Disjunction and forces AND/Conjunction. I submitted a new suggestion
accordingly.
Then, the second NIST person abruptly stepped in and closed this thread after
supposedly alleging that the OR/Disjunction operation is valid for security. My appeal
for continuing the discussion was met with silence and the thread was finally locked.
2. -------------------------------------------------------
I am unable to follow their logic for justifying the closure of this thread. I wonder if
some of you can help unravel this conundrum for me.
Hitoshi Kokumai
< Epilogue >
Following the abrupt closure of the above thread, I tried to submit a fresh suggestion
reading
"It is desirable to see the above sentence in 5.2.3 followed by such a footnote as "This
way of operating biometrics with a second authenticator by OR/Disjunction shall be
recommend where convenience matters, not where security matter since the security in
such cases is necessarily lower than when the second authenticator alone is used. It is
convenience that is improved by this way of operating biometrics and a fallback means,
and this improvement is obtained by the sacrifice of security".
NIST closed this new thread (#286) the following day without any comment whatsoever.
Attachments
1. The whole history of the #193 thread (P3)
2. The whole text of the new suggestion #286 (P9)
3. < The whole history of the #193 thread >
hitoshikokumai commented 20 days ago
Organization:3
Type: Security design
Document (63-3, 63A, 63B, or 63C):63B
Reference (Include section and paragraph number):5.2.3
Comment (Include rationale for comment): It reads "(The biometric system SHALL
allow no more than 10 consecutive failed authentication attempts.) Once that limit has
been reached, the claimant SHALL be required to use a different authenticator or to
activate their authenticator with a different factor such as a memorized secret."
This implies that the second authenticator(factor) and the biometrics are used by
OR/Disjunction, which necessarily makes the security lower than that of the second
factor alone. In other words, the security is better when the second factor alone is used.
There is a 2-minute video outlining the rationale.
Biometrics in Cyber Space - "below-one" factor authentication
https://youtu.be/wuhB5vxKYlg
This article may also help.
Misuse of Biometrics Technology
http://www.paymentsjournal.com/Content/Blogs/Industry_Blog/30986/
Biometrics authentications are good for physical security but ruin the security of
password protection and generate a false sense of security in cyber space. Deployed with
a fallback password against false rejection, they provide the level of security that is
even poorer than a password-only authentication.
Suggested Change: It is desirable to see the above sentence in 5.2.3 followed by such a
4. footnote as "It should be noted that the security in such cases is necessarily lower than
when the second authenticator alone is used".
Organization: 1 = Federal, 2 = Industry, 3 = Other
hitoshikokumai referenced this issue 9 days ago
Open Suggestion for AAL 2 #221
“A NIST person” commented 6 days ago
Thank you for your review. The intention behind the draft of 800-63-3-B's inclusion of
biometrics is that they are always used with a second factor. If the biometric check fails,
a different second factor has to be used. In other words, if users/attackers are locked out
of the biometric check, they could be offered an alternative second factor. It's still two
factor. If the wording needs to be fixed to reflect this, please suggest an alternative
because the interpretation that a failure of the biometric check means no second factor
check is not what we were allowing in the text.
hitoshikokumai commented 5 days ago
Thanks for taking up my suggestion for consideration.
There should be nothing wrong in operating biometrics with a second factor by
OR/Disjunction PROVIDED the people concerned are all accurately aware of its
consequences and all the users explicitly informed. Most important is to avoid the false
sense of security trapping the users in it.
If allowed, I would like to suggest such an alternative as follows:
The biometric system SHALL allow no more than 10 consecutive failed authentication
attempts. Once that limit has been reached, the claimant SHALL be required to use a
different authenticator or to activate their authenticator with a different factor such as
a memorized secret.
It should be noted, however, that the security in such cases is necessarily lower than
when the second authenticator(factor) alone is used like a house with two entrances
5. placed in parallel (not in tandem) is more vulnerable to burglars than a house with one
entrance.
Remark: Two different factors can be operated in two ways - (1) by AND/Conjunction
(we need to go through both of the two) or (2) by OR/Disjunction (we need only to go
through either of the two). Operation of two factors by (1) AND/Conjunction provides
higher security and lower convenience while that by (2) OR/Disjunction provides higher
convenience and lower security.
People who wish to use biometrics for achieving the level of security higher than
passwords are advised to operate the biometrics and passwords by (1) AND/Conjunction
and inform the users that they will be able to enjoy better security although they will
have to give up the access altogether if rejected by biometrics even when they are able to
feed the correct passwords.
People who wish to use biometrics for better convenience are advised to operate the
biometrics and passwords (fallback means against false rejection) by (2) OR/Disjunction
and inform the users that they will be able to enjoy better convenience although the
level of security that they can expect is necessarily lower than that of password-only
authentication.
Should you want to see a more comprehensive and explanatory alternative, I would be
ready to compress my article published on the likes of Payments Journal.
Please let me have your feedback.
Hitoshi Kokumai
PS I would appreciate it if you could also have a quick look at my recent short writing
posted at
http://www.slideshare.net/HitoshiKokumai/discussed-on-elseviers-btt-62502162?qid=8c
c17e97-6fa9-4ac6-a470-bac14aada916&v=&b=&from_search=1
http://www.slideshare.net/HitoshiKokumai/appeal-to-media-writers-over-security-misco
nception?qid=8cc17e97-6fa9-4ac6-a470-bac14aada916&v=&b=&from_search=3
6. “The same NIST person” commented 3 days ago
We are not allowing biometrics to be used as a single factor for multiple reasons,
summarized in 800-63-3. I believe your suggested text is allowing that by adding an
option for "OR." Since we do not want to allow that, there is no need for the sentence to
say "OR/Disjuntion" is lower security. If two-factors are required, 2-factors need to be
authenticated or the claimant will not get access.
hitoshikokumai commented 3 days ago • edited
This latest comment of yours seems to make sense. But it does not appears to be
compatible with your original draft which sounds to allow or even force the operation of
two factors by OR/Disjunction.
The original statement "the claimant SHALL be required to use a different
authenticator or to activate their authenticator with a different factor such as a
memorized secret." appears to be forcing or allowing the claimant to use a second
authenticator/factor as a fallback means against false rejection. This is no different to
using the biometrics and the second authenticator/factor (as fallback means) by
OR/Disjunction.
If your intention was to allow the operation of biometrics and the second factor only by
AND/Conjunction, your draft could simply be altered to
"Once that limit has been reached, the claimant SHALL not get an access. Rescue
means SHALL be considered separately from this particular process of access trials".
It would also be desirable to refer to the merits and demerits of the operation of two
factors by OR/Disjunction in view of the observation that we are actually watching
many such cases on the market.
hitoshikokumai commented 3 days ago
Whether explicitly called as the fallback means or not, a fallback means for rescue of the
claimant who gets rejected by the first factor is nothing but a second factor operated by
7. OR/Disjunction.
I hope you are with me.
“The second NIST person” commented 2 days ago
While having two means of activating a multi-factor authenticator is theoretically
weaker than having only one means of activation, the threat profiles of biometric vs.
memorized secret activation are considerably different. For example, a user in a public
place would probably be well advised to use a biometric to activate their mobile device
rather than type a PIN to unlock it where it can be readily observed by others. Having a
choice of activation methods is therefore not necessarily weaker than having a
memorized secret only.
Note also that the association of multiple authenticators with a subscriber account is
encouraged. This could also be seen as being weaker than having only a single
authenticator, but it mitigates the real-world problems of authenticator loss, breakage,
and theft. Currently, account recovery practices are often a weak point in
authentication systems and are rarely multi-factor. The benefit of making account
recovery less frequent (and more stringent) outweighs the risks associated with having
a reasonable number of authenticators associated with the account.
In both cases, there is sufficient margin built into entropy, biometric performance, and
throttling requirements to provide sufficient security given the existence of multiple
authenticators and activation modes.
“This NIST person” closed this 2 days ago
hitoshikokumai commented 2 days ago
I would appreciate it if you could reconsider about the closure of this thread for the
following reasons.
It would be fruitless to spend time for comparing the strength of biometrics used on its
own with that of passwords used on its own. There are no objective data on the
vulnerability of biometric products (not just false acceptance rate when false rejection is
8. sufficiently low but also the risk of forgery of body features and the risk of use when the
user is unconscious) and that of the passwords (not only that the entropy may be as low
as 10 bits or as high as 100 bits but also that it can be stolen and leaked.)
Even assuming that biometrics were though to be 10 times less vulnerable than
memorized secrets despite the abovementioned observation, the operation of those two
factors by OR/Disjunction would necessarily result in the overall security being lower
than that of the memorized secrets as well as that of the biometrics. Given that the
biometrics has the (x) vulnerability, a very weak fallback password has (y1)
vulnerability and a very strong fallback password having (y2), the math of vulnerability
(x + y - xy) > y leads us to (x + y1- xy1) > (y1) and (x + y2 - xy2) > (y2). This means that
we are safer when we use only the very weak password than when we use the
biometrics with the very weak fallback password, and that we are also safer when we
use only the very strong password than when we use the biometrics with the very strong
fallback password.
We could consider the comparison between (x + y2 - xy2) and (y1) but it could lead us
nowhere. Whoever can manage a very strong password together with biometrics must
be able to manage the very strong password on its own. Then, again, we are safer when
we use only the very strong password. Moreover, rarely used/recalled passwords tend to
be very weak, i.e., what we actually get could well be (x + y1 - xy1) >>> (y2).
As such it is not possible to count a case that the biometrics used together with a
fallback password is stronger than a password used on its own.
“The third NIST person” locked the thread.
(The above was copied from the NIST site 6 days ago and persons’ names anonymized.)
9. < The whole text of the new suggestion #286 >
Title: Security effects of operation of two-factors by OR/Disjunction
**Reference (Include section and paragraph number)**: 5.2.3
**Comment (Include rationale for comment)**: It reads “The biometric system
SHALL allow no more than 10 consecutive failed authentication attempts. Once that
limit has been reached, the claimant SHALL be required to use a different
authenticator or to activate their authenticator with a different factor such as a
memorized secret” at another place.
There should be nothing wrong in operating biometrics with a second
authenticator/factor by OR/Disjunction (we need only to go through either of the two) as
against AND/Conjunction (we need to go through both of the two) PROVIDED the
people concerned are all accurately aware of its consequences and all the users
explicitly informed of them.
It should be noted that the security in such cases is necessarily lower than when the
second authenticator(factor) alone is used like a house with two entrances placed in
parallel (not in tandem) is more vulnerable to burglars than a house with one entrance.
This is logically proven as follows:
It would be fruitless to spend time for comparing the strength of biometrics used on its
own with that of passwords used on its own. There are no objective data on the
vulnerability of biometric products (not just false acceptance rate when false rejection is
sufficiently low but also the risk of forgery of body features and the risk of use when the
user is unconscious) and that of the passwords (not only that the entropy may be as low
as 10 bits or as high as 100 bits but also that it can be stolen and leaked.)
Even assuming that biometrics were thought to be 10 times less vulnerable than
memorized secrets despite the abovementioned observation, the operation of those two
factors by OR/Disjunction would necessarily result in the overall security being lower
than that of the memorized secrets as well as that of the biometrics. Given that the
biometrics has the (x) vulnerability, a very weak fallback password has (y1)
vulnerability and a very strong fallback password having (y2), the math of vulnerability
10. (x + y - xy) > y leads us to (x + y1- xy1) > (y1) and (x + y2 - xy2) > (y2). This means that
we are safer when we use only the very weak password than when we use the
biometrics with the very weak fallback password, and that we are also safer when we
use only the very strong password than when we use the biometrics with the very strong
fallback password.
We could consider the comparison between (x + y2 - xy2) and (y1) but it could lead us
nowhere. Whoever can manage a very strong password together with biometrics must
be able to manage the very strong password on its own. Then, again, we are safer when
we use only the very strong password. Moreover, rarely used/recalled passwords tend to
be very weak, i.e., what we actually get could well be (x + y1 - xy1) >>> (y2).
As such it is not possible to count a case that the biometrics used together with a
fallback password is stronger than a password used on its own.
Should NIST disagree to the logic of this suggestion, NIST would be expected to
logically demonstrate that a house with two entrances placed in parallel (not in tandem)
is not less vulnerable against burglars than a house with one entrance.
Most important is to avoid the false sense of security trapping the users in it.
**Suggested Change**: It is desirable to see the above sentence in 5.2.3 followed by
such a footnote as "This way of operating biometrics with a second authenticator by
OR/Disjunction shall be recommend where convenience matters, not where security
matter since the security in such cases is necessarily lower than when the second
authenticator alone is used. It is convenience that is improved by this way of operating
biometrics and a fallback means, and this improvement is obtained by the sacrifice of
security".
This new thread (#286) was unilaterally closed without any comment whatsoever.