Hitoshi Kokumai

4 years ago · 7 min read

What Our Episodic Memory Brings for Identity Assurance

 

Abstract

 Three big myths are rampant in the sphere of digital identity. These are ‘Higher security achieved by removal of password’, ‘Passwords killed by the biometrics that is dependent on passwords' and ‘Passwords displaced by PIN that is no more than a weak form of numbers-only password’.

 Unraveling these myths, we come to the conclusions that we must look for something really valid in the sphere of ‘Non-Text Password’ and that the identity of 'citizens' cannot be separated from their volition and memory while the identity of 'things' can be handled only technologically.

The lock authenticates the key.
The key authenticates the lock.

  

Does the key authenticate
the person who holds it?

Our own autobiographic memory, especially episodic memory, enables us to come up with the most reliable digital identity platform, bidding farewell to the unsafe and torturous identity proofing.


‘Text-Password’ is subordinate to ‘Password’

 The word ‘password’ is poly-semantic and context-dependent. Sometimes it’s narrowly interpreted as ‘remembered text password’ and sometimes it’s taken broadly as ‘whatever we remember as secret credentials’. This situation drives some people to allege that the ‘text password’ is hard to manage so the ‘password’ should be removed from digital identity altogether by relying on ‘physical tokens’, ‘biometrics’ and ‘PIN’.

 We could, however, draw a totally different observation from the same assumption that the text password is hard to manage. That is, the text password is hard to manage so we ought to think about ‘non-text passwords’ in our efforts towards an easier-to-manage and yet more secure password system.

Could the physical token be a solution to the password headache?

 We do not need to take much space to explain the security effect of authentication by a physical token. This scheme may be enough.

This cartoon published 14 years ago might also help.

Could biometrics solve the password headache?

Passwords and physical tokens can be deployed on their own and also with other authenticators in the security-enhancing ‘multi-layer’ method, whereas biometrics cannot be deployed on its own. It can be deployed only in the security-lowering ‘multi-entrance’ method along with a fallback measure.

 “Biometrics used with a fallback measure (Password/PIN in most cases) provide security lower than that of the fallback measure”, as outlined in this video.

                       

Can a paper-knife do what the knife cannot do?

                                               

Houses with One Entrance and Two Entrances


Which house is easier to sneak into?

 


Alleging that biometrics which needs to rely on a password can displace the password is not different to alleging that a baby who needs to rely on its mother can displace the mother.

 With so much money invested and so many products sold, it may be hard to admit ‘Biometrics has actually brought down security’. But an alternative fact cannot displace the fact for long.

Anyway, the number of possible combinations of authenticators would be reduced and the seemingly complicated situation would be much simpler when security-lowering biometrics gets removed from the security-oriented multi-factor authentication schemes. 

 Could PIN displace the password?

  Some people thought of declaring that a PIN is not the password. That is, the password should be removed but the PIN could stay for use on its own or as a fallback measure for biometrics.

 In this world where we live, a PIN is no more than a weak form of numbers-only password. When the password (superordinate/generic concept) is removed, the PIN (subordinate/specific concept) is removed with it.

[Figure labels: Secret Credenti, Memories, Episodic Memory]

In a parallel world where those people live, the PIN (subordinate concept) can do what the password (superordinate concept) cannot do, as a paper-knife should be able to do something that the knife cannot do.

 ‘PIN-dependent Password-less Authentication’ may not be a day dream for them, but it is exactly a day dream. 

 Isn’t there something else?

Hard-to-break long password written on a memo?

- It belongs to the physical token that we had analyzed.

Pattern-on-Grid?

- It is hard to use multiple hard-to-break patterns without confusion.

ID federations like single-sign-on services and password management tools?

 - Centralization creates a single point of failure. If modestly decentralized, multiple reliable master passwords are necessary.

Two/Multi-factor authentications?

 - They need a reliable password as one of the factors for each scheme.

 Why stick to the memory of characters and numbers?

 The part of our memory for characters and numbers, which we categorize as ‘text memory’ is just a small segment of our overall memory capacity. 


[Figure: “Expanded Password System”. Only I can select all of them correctly. Broader choices with both images and characters accepted. Easy to manage relations between accounts and corresponding passwords. Torturous login is history. Login is now comfortable, relaxing and healing.]

We have a huge memory capacity for non-text memories – visual, audio, tactile, gustatory, olfactory, which have supported our history over hundreds of millions of years – besides the text memory humans acquired only hundreds of years ago among the large parts of the population.


 Why don’t we think of making use of these deep-inscribed memory capacities, particularly the visual memories? We know that the latest computers and phones are so good at handling visual images.

Among the image memories we could focus on the images linked to our autobiographic memory, episodic memory in particular.

[Figure: Relation of Accounts & Passwords. Unique matrices of images allocated to different accounts. At a glance you will immediately realize what images you should pick up as your passwords for this or that account.]

Secret credentials made from episodic memory are ‘panic-proof’. Identity authentication measures practicable in panicky situation are easily practicable in everyday life. The reverse is not true.


Our Proposition - Make Use of Our Own Episodic Memory

 In the matrix, there are several known images. We can easily find all of them right away. Or, rather, these known images jump into our eye.  And, only we are able to select all of them correctly. This is Expanded Password System.

[Figure: three modes of Expanded Password System]

Text Mode: to memorize text/number passwords. Recall the remembered password. Low memory ceiling.

Graphics Mode: to lighten the load of text passwords. Recognize the pictures remembered in stories. High memory ceiling.

Original Picture Mode: to make use of memorized images. Recognize the unforgettable pictures of episodic memories. Very high memory ceiling.

Think of all those ladders you have to climb in Donkey Kong ;-)

We can use both images and characters. It’s easy to manage the relation between accounts and the corresponding passwords. Comfortable and even fun.

 The idea of using pictures for passwords is not new. It’s been around for more than two decades but the simple forms of pictorial passwords were not as useful as had been expected. Unknown pictures we manage to remember afresh are still easy to forget or get confused, if not as badly as random alphanumeric characters.

 Expanded Password System is new in that it offers a choice to make use of known images that are associated with our autobiographic/episodic memories.                                                      

Since these images are the least subject to the memory interference, it enables us to manage dozens of unique strong passwords without reusing the same password across many accounts or carrying around a memo with passwords on it. And, handling memorable images makes us feel comfortable, relaxed and even healed. Torturous login is history.

 Well, let us talk about some major problems that use of our own episodic memory enables us to solve.

 Accounts & Corresponding Passwords

 Being able to recall strong passwords is one thing. Being able to recall the relation between accounts and the corresponding passwords is another.

 When unique matrices of images are allocated to different accounts, those unique image matrices will be telling you what images you should pick up as your password for this or that account.

 When using images of our episodic memories, Expanded Password System will thus free us from the burden of managing the relation between accounts and the corresponding passwords.

 Entropy

 Hard-to-break text passwords are hard to remember. But that is not the fate of all secret credentials. It would be easily possible to safely manage many high-entropy passwords with Expanded Password System, which handles characters as images.

 Each image or character is represented by image identifier data, which can be of any length. Assume that your password is “CBA123” and that the image ‘C’ is identified as X4s&eI0w, and so on.

 When you input CBA123, the authentication data that the server receives is not the easy-to-break “CBA123”, but something like “X4s&eI0wdoex7RVb%9Ub3mJvk”, which could be automatically altered periodically or at each access where desired.
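The identifier expansion described above, sketched as an added example (not code from the original article or from any Expanded Password System product). The function names, the 16-byte identifier size, PBKDF2 as the storage hash and the 36-symbol matrix are assumptions; the last two functions put numbers on the difference between brute-forcing the transmitted string blind and guessing the picks with the matrix in view.

```python
import hashlib
import hmac
import math
import secrets

ID_BYTES = 16  # assumed identifier size; the page says any length works
ID_CHARS = 22  # secrets.token_urlsafe(16) always yields 22 characters

def new_id_map(symbols):
    """Assign a fresh random identifier to every image/character in a matrix."""
    return {s: secrets.token_urlsafe(ID_BYTES) for s in symbols}

def expand(picks, id_map):
    """Build the string the server receives when the user selects e.g. 'CBA123'."""
    return "".join(id_map[s] for s in picks)

def stored_record(credential):
    """Keep only a salted, slow hash of the expanded credential."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 200_000)

def verify(credential, record):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)

def rotate_after_login(credential, id_map):
    """Re-issue all identifiers once `credential` has just been verified."""
    # The picks are recovered from the verified credential, so they never
    # need to be stored in the clear between logins.
    reverse = {v: k for k, v in id_map.items()}
    picks = [reverse[credential[i:i + ID_CHARS]]
             for i in range(0, len(credential), ID_CHARS)]
    fresh = new_id_map(id_map)
    return fresh, stored_record(expand(picks, fresh))

def blind_bits(picks):
    """Work to brute-force the expanded string without knowing the mapping."""
    return picks * ID_BYTES * 8

def guess_bits(matrix_size, picks):
    """Work to guess the picks for someone who can see the matrix itself."""
    return picks * math.log2(matrix_size)
```

With six picks from a 36-symbol matrix, `blind_bits(6)` is 768 while `guess_bits(36, 6)` is about 31, so the long identifiers harden the transmitted and stored value, and resistance to guessing through the login screen still comes from matrix size and number of picks.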

Choices

 So far, only texts have been accepted. It was as if we had no choice but to walk up a long, steep staircase. With Expanded Password System, we could imagine a situation in which escalators and elevators are provided along with the staircase. Or, some of us could think of all those ladders we have for climbing in Donkey Kong.



 Where we want to continue to use text passwords, we could opt to recall the remembered passwords, although the memory ceiling is very low. Most of us can manage only up to several of them.

 We could opt to recognize the pictures remembered in stories where we want to reduce a burden of textual passwords. The memory ceiling is high, that is, we would be able to manage more and more of them.

 Where we choose to make use of episodic image memory, we would only need to recognize the unforgettable images, say, known images. There is virtually no memory ceiling, that is, we would be able to manage as many passwords as we like, without any extra efforts.

 Security of Brain-Computer/Machine-Interface

 Simple brain-monitoring has a security problem. The authentication data, if wiretapped by criminals, can be replayed for impersonation straight away. The data should therefore be randomized into one-time, disposable values.

An idea is that the authentication system allocates random numbers or characters to the images shown to the users. The users focus their attention on the numbers or characters given to the images they had registered.  

 The monitoring system will collect the brain-generated onetime signals  corresponding to the registered images.  Incidentally, the channel for showing the pictures is supposed to be separate from the channel for brain-monitoring.

 Even if the interception succeeded, criminals would be unable to impersonate the users because the intercepted data has already been disposed of.
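The one-time scheme described in this section, as an added example that is not part of the original article. The class and function names, the four-digit codes and the image names are assumptions, and the brain-monitoring channel is modelled simply as returning the codes of the images the user attends to.

```python
import hmac
import secrets

_rng = secrets.SystemRandom()

class OneTimeChallenge:
    """Server side: fresh random codes per attempt, each session usable once."""

    def __init__(self, registered, decoys):
        self.registered = list(registered)          # the user's enrolled images
        self.shown = self.registered + list(decoys)
        self.pending = {}                           # session id -> expected answer

    def issue(self):
        """Return (session id, {image: code}) for the display channel."""
        codes = _rng.sample(range(10_000), len(self.shown))  # unique per session
        labels = {img: f"{c:04d}" for img, c in zip(self.shown, codes)}
        sid = secrets.token_hex(8)
        self.pending[sid] = "".join(labels[i] for i in self.registered)
        order = list(labels.items())
        _rng.shuffle(order)                         # hide enrolment order on screen
        return sid, dict(order)

    def verify(self, sid, response):
        """Check a response from the monitoring channel, then discard the session."""
        expected = self.pending.pop(sid, None)      # consumed pass or fail
        return expected is not None and hmac.compare_digest(expected, response)

def attend(labels, my_images):
    """User side: the codes currently attached to the user's own images."""
    return "".join(labels[i] for i in my_images)
```

A response captured on the monitoring channel is never valid again, but an observer who also sees the display channel for the same session can map the codes back to images, which is why the two channels are kept separate.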

 Stopgap 2-Factor Authentication

 A very strong password that is not meant to be remembered and is written down on a memo should be viewed as 'what we have', definitely not 'what we remember', so it could be used as one of the two factors along with a remembered password.

 We could then turn a boring legacy password system into a two factor authentication system at no cost, just by verifying two passwords at a time, one volitionally recalled and the other one physically possessed.

 When those two different passwords are used as two factors, we could rely on the strength of a remembered password against physical theft and the strength of a physically possessed long password against brute force attack, although it is not as strong against wiretapping as token-based solutions armed with PKI or Onetime Password.

 This configuration could be viewed just as a thought experiment or could actually be considered for practical application in between a single factor authentication and a costly heavily-armored 2-factor scheme, or, as a transition from the former to the latter.

 It goes without saying that Expanded Password System could be brought in for generating a remembered high-entropy password.


 Appendix - Fighting Threats to Security and Democracy from Within

 Where the digital identity platform was built without the secret credentials made from our memory, we would have to see the necessary level of security lost.

 Where the secret credentials, for which our will/volition is indispensable, are removed from the digital identity platform, we would have to see erosion of democracy that our ancestors have won through heavy sacrifices.


On this front we are not optimistic; too few people are taking the correct course towards the correct objectives. Too many people, with professionals, researchers, politicians and journalists included, are badly distracted and straying off the course.

More and more people are expected to join our efforts.


< Related Articles >

History, Current Status and Future Scenarios of Expanded Password System

Big Myths in Digital Identity

Help Us Avert Erosion of Security and Democracy

Questions and Answers - Expanded Password System and Related Issues -


#identity #authentication #password #security #safety #ethic #privacy #civilrights #democracy #biometrics


  • ニトリ 三木店

    家具・インテリア・雑貨専門店 家具スタッフ 遅番

    次の場所にあります: Talent JP C2 - 1週間前


    ニトリ 三木店 Kobe, 日本

    仕事情報 · ● 仕事内容 【店内での接客スタッフ】お客様へ家具のレイアウトのご相談や商品説明など、家具全般のアドバイスをして頂くお仕事。遅番は閉店作業として、家具商品の案内資料の補充や家具カウンター内での事務作業も行います。商品の品出し、季節に合わせた家具・インテリア雑貨の陳列、なども行っていただきます。 ●遅番での勤務 Wワークで働きたい方、夕方からの勤務で考えてみませんか?1ヶ月ごとのシフト作成なので、シフトを調整することが可能です。※Wワークの場合、両社合計で週40時間以下での勤務となります ●ホワイト500の認定企業 ホワイト500とは経済産 ...