On Devastating Effect of Removing Password

Below are some of my writings on the fantastically negative security effects of removing secret credentials.

Removal of Passwords and Its Security Effect

What does not exist will never be stolen and abused

Meaningless Comparison of Different Authenticators

What you ignore does not exist

Expanded Password System to Complement FIDO2

Assume that the password has been removed from digital identity. Then digital identity platforms would have only two authenticators - physical tokens and biometrics.

 Biometrics by its nature requires a fallback measure against false rejection, and only the physical token could be the fallback measure for biometrics in this situation. Here we have only two scenarios.

 (1) authentication by a physical token, with an option of adding another token. Its security effect is plainly illustrated above and below.

 (2) authentication by a biometrics deployed in ‘multi-entrance’ method with a physical token as the fallback measure, with an option of adding another token. Its security is even lower than (1) as quantitatively examined at "Quantitative Examination of Multiple Authenticator Deployment"

 We reckon that quite a few professionals of cyber security and identity management are well aware of these facts but something seems to prevent them from speaking out. Possibly, once they had touted those powerless solutions and recommendations to millions of clients, it might be embarrassing to admit the facts.

 But it’s never too late to return. They are expected to speak out.