Big Myths in Digital Identity
(A) What can we make of ‘Password-Dependent Password-Killer’?
(B) What happens where a factor to be enhanced gets removed?
(C) What does ‘PIN-dependent Password-less Authentication’ mean?
- --------------> ’Illusion of Safety’ and 'Cognitive Dissonance'
(A) Security professionals would be advised to refrain from referring to the biometrics as if it were a valid security factor equal to the passwords/PIN and the certified token.
The token and the password/PIN can be deployed on its own and also with other valid authenticators in the security-enhancing ‘multi-layer’ methods, whereas the biometrics generally cannot be deployed on its own. It can be deployed only in the security-lowering ‘multi-entrance’ methods along with a fallback measure.
When referring to the use of biometrics, security professionals should stipulate appropriate caveats to consumers; “Biometrics used with a fallback measure (Password/PIN in most cases) provide the security lower than that of the fallback measure” as outlined in this video.
So much money invested and so many products sold, it may be hard to admit ‘It brought down security’. But, it’s never too late to return.
(B) Security professionals would be advised to refrain from implying that better security can be achieved by removing the password. What can be achieved by removing the password is increased convenience, not security!
While detrimental features should be removed, insufficient ones can be supplemented and enhanced. Mixing up the former and the latter, we would witness a very bizarre situation. What is to be enhanced gets removed, with the 'blind eye' toward a specific frailty that afflicts.
More significantly, the password-less (will/volition-less authentication) is not consistent with the value of democracy. It would be a 1984-like Dystopia if our identity is authenticated without our knowledge or against our will,.
Those who have supported the concept of ‘better security achieved by removing the password’ may find it very hard to withdraw their remarks. But, it’s never too late to return.
By the way, this is a simple thought experiment.
Where the password was kicked out, security providers would be given only the token and the biometrics as security factors. Biometrics requires a fallback measure against false rejection. With the password removed, nothing but the token could be the fallback measure. Then system designer could have only the two choices as follows.
(1) authentication by the token alone, with an option of adding another token. Its security effect is highlighted in this cartoon published14 years ago,
(2) authentication by the biometrics deployed in ‘multi-entrance’ method with the token as a fallback measure, security of which is lower than (1) irrespective of however called it may be, with an option of adding another token.
A barren desert!
(C) As discussed earlier, removal of the password from the digital identity, makes it just infeasible for anyone to come up with a reliable identity authentication system
It appears that some people thought that this predicament could go away if they declared that the PIN was not the password. Say, the password should be removed but the PIN could stay for use on its own or as a fallback measure for biometrics.
In this world where we live, the PIN is no more than a weak form of numbers-only password. Therefore, when the password (superordinate/generic concept) is removed, the PIN (subordinate/specific concept) is also removed. To the contrary, in a parallel world where those people live, the PIN (subordinate concept) can do what the password (superordinate concept) cannot do, as a paper-knife should be able to do what the knife cannot do.
Security professionals would be expected to firmly reject such an unearthly conception as a ‘PIN-dependent Password-less Authentication’.
Then, we will be free from ‘Illusion of Safety’ and ‘Cognitive Dissonance’
< Related Articles, Video and Cartoon >
- Digital Identity and Democracy
- Quantitative Examination of Multiple Authenticator Deployment
Distracters in Digital Identity
- Intriguing Evolution from One to Two and Back to One
- Biometrics in Cyber Space - "below-one" factor authentication
- Entangled thinking makes everything more entangled