Summary and Brief History - Expanded Password System

‘Easy-to-Remember’ is one thing. ‘Hard-to-Forget’ is another - The observation that Images are easy to remember has been known for many decades; it is not our theme.

 What we discuss is that ‘images of our emotion-coloured episodic memory’ is ‘Hard to Forget’ to the extent that it is ‘Panic-Proof’; images of toys, dolls, dogs and cats, for example, that our children used to love for years would jump into our eye even when we are placed in heavy pressure and caught in severe panic.

 Expanded Password System (EPS), which accepts images, especially the unforgettable images of our own emotion-coloured episodic memory, as well as conventional characters and numbers, is intended to be a legitimate successor to the time-honored seals, autographs and text-only password systems for safe digital identity over many generations to come, In the present-day world, safely protected teleworking, telemedicine and many other tele-something in the stressful pandemic situations as well as many natural and manmade disasters is among the imminent objectives.

 Hitoshi Kokumai, inventor of EPS, is not a technology man, graduated from Economics Faculty of Kyoto University and having worked in international business, assisting a UK company to achieve some ￡100 million worth exports to Japanese clients over the two decades of service, before getting suddenly hit by an inspiration of the core concept of EPS in 2000.

 Joined by Ryuhei Masuno, graduated from Law Faculty of the same university, Hitoshi has since progressed the development and theorization of EPS from the view point that identity assurance or secured digital identity is the issue of philosophy, psychology, sociology, economics and history as well as technology.

 We launched the business operations in 2001 under the name of Mnemonic Security, Inc, which was the world’s first company to provide the software products that offer ‘Hard-to-Forget’, ‘Hard-to-Break’ and ‘Panic-Proof’ digital identity authentication. The business progressed successfully with US$1m commercial adoptions over the first several years.

 We started, however, to feel the painful headwind from around 2008 because people got carried away by the hype of wrongly-used biometrics, particularly overwhelming in Japan, even though the versatile practicability of our software was demonstrated by the 5-year use by 140, 000 online shoppers. After struggling in vain for several years, we chose to get out of Japan. 

 We have successfully made a tangible progress since then. The solid theory of our EPS proposition is made clear by OASIS recognition as a standard candidate, publishing by Taylor & Francis, selection as a finalist by Financial Data and Technology Association for ‘Summit and Awards 2019’ in Edinburgh and adoption by AFCEA for ‘2020 Solution Review Problem Sets’. We are steadily getting recognized as Pioneer and Thought Leader in this domain.

 As for the use cases, we are now able to also refer to the 6-year use by 1,200 employees for a corporate network and the trouble-free defense use by army soldiers in the field from 2013 till now with the users increasing 10-fold and set to increase further, which were both achieved in very adverse circumstances of biometrics-dominated Japan.

 Now we have come to setting up a company in UK as our global headquarters. We plan to name it 'Mnemonic Identity Solution Limited' with the mission of globally promoting 'identity assurance by our own volition and memory' for 'secure digital identity in post-pandemic cyberspace'. 

The aim of our enterprise is to make EPS solutions readily available to all the global citizens: rich and poor, young and old, healthy and disabled, literate and illiterate, in peace and in disasters.

We expect EPS to stay with us over many generations, rather than a decade or so, until humans discover something better than the 'digital identity' for our safe and orderly societal life. We look for the people who share such a long-term view and support us as such.

Updated on 4/Aug/2020

Our global headquarters is now registered as Mnemonic Identity Solutions Limited (Code: 12788178) in the region of Thames Valley of United Kingdom.

A crowdfunding will be organised in due course for anyone to have an opportunity to join us for the social good as well as economic benefits. We will welcome technical contributions as well.

PS

Theory and Implementation

 Expanded Password System, however solid the theory is, would be vulnerable to attacks when it is poorly implemented.

 Very fortunately, our first client in Japan who adopted Expanded Password System for 140,000 shoppers (designed for one million users) was extremely demanding about the good implementation. We had to satisfy them and actually satisfied them with the very solid implementation. The latest client is Japan's Self-Defense Ground Forces (aka Army). We naturally had to be very confident about the good implementation.

 What enabled us to design the good implementation is the guidance we were given by Emeritus Prof. Hideki Imai of Tokyo University, who was the chairperson of Japan’s CRYPTREC when we first met in 2001. He pushed my back to move ahead confidently with promotion of Expanded Password System, and helped me a lot with several joint research programs until he retired from Tokyo University.

 He emphasized to me repeatedly how critical it is to design the good implementation. First of all, hashing the credential data is an absolute must whether on line or offline. It is also from him that I came to know about Deffie-Hellman Key Exchange, Elliptic Curve Cryptography and so on.

 As such, we are fully certain that not only the solid theory but also the good implementation is indispensable to have Expanded Password System correctly valued by the security-centric corporations and organizations wherever we go. 

Who Adopted Expanded Password System (EPS) and for What

A telecom company who built a payment system designed for a million online shoppers adopted EPS for accepting ‘Hard-to-Forget’ and yet ‘Hard-to-Break’ credentials and for reducing the helpdesk cost drastically. Actually 140,000 online shoppers enjoyed the no friction login before the payment system was closed in 2008.

An IT corporation who built a security-conscious corporate network adopted EPS-based 2-channel/2-factor authentication accepting ‘Hard-to-Break’ and yet ‘Hard-to-Forget’ credentials. 1,200 employees are still enjoying the good balance of security and usability.-

Japan’s Self-Defense Ground Forces, aka Army, adopted our product for accepting ‘Panic-Proof’ and yet ‘Hard-to-Break’ credentials. The number of licenses has increased more than 10-fold over the 7-year period from 2013 and is set to increase further.

We expect to see similar adoptions in hundreds or thousands of times larger scale once we start the operation in the global market from the quarters in UK.

Cryptography and Expanded Password System

As mentioned earlier, Prof. Hideki Imai pushed my back to move ahead confidently in 2001 when he was the chair of Japan’s CRYPTREC. He repeatedly emphasized to me how critical it is to hash the credential data whether online or offline. It is also from him that I came to know about the topics of Deffie-Hellman Key Exchange, Elliptic Curve Cryptography, etc. Let me talk about the 2002 – 2004 joint research projects we progressed.

 Firstly, we tried the methodology of using the high-entropy credential data generated by Expanded Password System (EPS) as the seed of RSA key pair. With the scheme, the user's private key does not physically exist anywhere in the universe, but it can be re-generated on-the-fly out of the images that the user picks up for authentication for each login. It proved to work on the internet. At that time I was told we should look at Elliptic Curve Cryptography in the future as a successor to RSA.

 Thereafter, we took up the experiment of incorporating Expanded Password System into PAKE (simplified version developed at Tokyo University).We were able to demonstrate that it worked with no friction in the lab environment.

 Both projects were financed by Japan’s government agencies, Unfortunately, however, the officials who received our reports showed no interest in a budget to enable us to expand the experiments further. We might have started these forward-looking projects a bit too early.

< References >

Image-to-Code Conversion by Expanded Password System

Proposition on How to Build Sustainable Digital Identity Platform

External Body Features Viewed as ‘What We Are’

 History, Current Status and Future Scenarios of Expanded Password System

Negative Security Effect of Biometrics Deployed in Cyberspace

Removal of Passwords and Its Security Effect

Availability-First Approach

Update: Questions and Answers - Expanded Password System and Related Issues (30/June/2020)

< Videos on YouTube>

Slide: Outline of Expanded Password System (3minutes 2seconds)

Demo: Simplified Operation on Smartphone for consumers (1m41s)

Demo: High-Security Operation on PC for managers (4m28s)

Demo: Simple capture and registration of pictures by users (1m26s)

Slide: Biometrics in Cyber Space - "below-one" factor authentication

< Latest Media Articles Published in 2020 Spring>

Digital Identity – Anything Used Correctly Is Useful https://www.valuewalk.com/2020/05/digital-identity-biometrics-use/

‘Easy-to-Remember’ is one thing ‘Hard-to-Forget’ is another https://www.paymentsjournal.com/easy-to-remember-is-one-thing-hard-to-forget-is-another/

Identity Assurance And Teleworking In Pandemic https://www.informationsecuritybuzz.com/articles/identity-assurance-and

#identity #authentication #password #security #biometrics #ethic #privacy #democracy #emergency #disaster #panic #defense #government #pandemic #teleworking