Hitoshi Kokumai

1 year ago · 1 min read


What does not exist will never be stolen

The lock authenticates the key.
The key authenticates the lock.

Does the key authenticate the person who holds it?

I added a new message "What does not exist will never be stolen" at the end of this article - 

“Removal of Passwords and Its Security Effect”.

..........................................

What does not exist will never be stolen

Removing what can be stolen from the picture can indeed ensure that what can be stolen will never be stolen and abused.

Removing the password from digital identity can obviously ensure that the password will never be stolen and abused. Then, exactly by the same logic, removing the cryptographic-enabled physical token can also ensure that the cryptographic-enabled physical token will never be stolen and abused.

This cartoon produced 15 years ago will hopefully help to unravel this seemingly complicated but actually simple problem.

I am very curious to know what the promoters of 'token-based password-less authentication' have to say.

..........................................

Assume that the password has been removed from digital identity. Then digital identity platforms would have only two authenticators - physical tokens and biometrics.

Biometrics by its nature requires a fallback measure against false rejection, and only the physical token could be the fallback measure for biometrics in this situation. Here we have only two scenarios.

(1) authentication by a physical token, with an option of adding another token. Its security effect is plainly illustrated above.

(2) authentication by biometrics deployed in the ‘multi-entrance’ method with a physical token as the fallback measure, with an option of adding another token. Its security is even lower than (1), as quantitatively examined at https://www.linkedin.com/pulse/quantitative-examination-multiple-authenticator-hitoshi-kokumai

We reckon that quite a few professionals of cyber security and identity management are well aware of these facts, but something seems to prevent them from speaking out. Possibly, once they had touted those powerless solutions and recommendations to millions of clients, it might be embarrassing to admit the facts.

But it’s never too late to return. They are expected to speak out.

Comments

Debesh Choudhury

1 year ago #1

Very well articulated, Hitoshi Kokumai. If we kill the "passwords", then there is no bad chance of losing the "passwords". But there is a good chance of losing the "passwordless" accounts.
