What We Know for Certain about Authentication Factors
We are often asked to confirm that the Expanded Password System that we advocate is more secure or more user-friendly than text passwords, physical tokens and biometrics.
My answer is “It is unknowable. It’s in the sphere of agnosticism”.
A very poorly designed, implemented and operated Expanded Password System (EPS) could possibly be less secure and less user-friendly than other solutions that are wisely designed, implemented and operated.
Besides that, what is known to us for certain by logic about various authenticators is:
A: ‘Yes/No’ on feeding correct passwords/EPS and ‘Yes/No’ on presenting correct tokens are deterministic, whereas biometrics, which measures unpredictably variable body features of living animals in changing environments, is probabilistic.
B: It is practically impossible to compare the security of a strong or silly password with that of a poorly or wisely deployed physical token, even though both passwords and tokens are deterministic.
C: Direct comparison of something deterministic and something probabilistic would absolutely bring us nowhere.
D: Deterministic authenticators can be used on their own, whereas a probabilistic authenticator would lose its availability when used on its own.
E: Deterministic authenticators can be used together in a security-enhancing ‘multi-layer’ deployment, whereas probabilistic authenticators can be used with another authenticator only in a security-lowering ‘multi-entrance’ deployment, unless we can forget about availability.
F: Removal of the password brings a catastrophic loss of security. It also makes a grave threat to democracy.
G: PIN belongs to the family of password as a numbers-only password; displacing a password by a PIN is like displacing the ‘knife family’ by a ‘paper knife’.
H: Password/EPS, token and biometrics are ‘authenticators’, while two/multi-factor schemes, decentralized/distributed digital identity, single-sign-on schemes and password management tools are all ‘deployments of authenticators’; we would obtain nothing by comparing the former with the latter.
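The following is an added illustration of points A, D and E, not code from the original post or from the Expanded Password System project. It models each authenticator by a false accept rate (an impostor gets in) and a false reject rate (the legitimate user is locked out), assumes the authenticators are statistically independent, and uses constructed sample rates that are not measurements of any real product. A deterministic check such as a password or token is given a false reject rate of zero, since the correct secret is always accepted; the ‘multi-layer’ (AND) and ‘multi-entrance’ (OR) combinations are then computed with the standard independence formulas.

```python
"""
Added worked example: 'multi-layer' (AND) versus 'multi-entrance' (OR)
deployment of deterministic and probabilistic authenticators.
Sample rates are constructed; authenticators are assumed independent.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    """An authenticator described by two error rates.

    far: probability an impostor is accepted (false accept rate).
    frr: probability the legitimate user is rejected (false reject rate).
    A deterministic authenticator (password, token) has frr == 0.0:
    presenting the correct secret is always accepted, so it stays
    available on its own (point D).
    """
    name: str
    far: float
    frr: float


def multi_layer(a: Authenticator, b: Authenticator) -> Authenticator:
    """AND deployment: both authenticators must accept.

    An impostor must pass both, so false accepts multiply (security up);
    the legitimate user is rejected if either rejects (availability down).
    """
    return Authenticator(f"{a.name} AND {b.name}",
                         far=a.far * b.far,
                         frr=1.0 - (1.0 - a.frr) * (1.0 - b.frr))


def multi_entrance(a: Authenticator, b: Authenticator) -> Authenticator:
    """OR deployment: either authenticator alone is enough.

    An impostor succeeds if either accepts (security down);
    the legitimate user is rejected only if both reject (availability up).
    """
    return Authenticator(f"{a.name} OR {b.name}",
                         far=1.0 - (1.0 - a.far) * (1.0 - b.far),
                         frr=a.frr * b.frr)


# Constructed sample rates (assumptions, not measurements).
# The password/token FAR models the chance that a guess within the
# permitted attempts happens to be correct; FRR is zero because the
# comparison is deterministic.  The biometric has a non-zero FRR because
# its measurement varies from one presentation to the next (point A).
PASSWORD = Authenticator("password", far=1e-6, frr=0.0)
TOKEN = Authenticator("token", far=1e-6, frr=0.0)
BIOMETRIC = Authenticator("biometric", far=1e-3, frr=0.02)


def compare() -> dict[str, Authenticator]:
    """Return the combinations the post reasons about, keyed by label."""
    return {
        "password AND token": multi_layer(PASSWORD, TOKEN),
        "password AND biometric": multi_layer(PASSWORD, BIOMETRIC),
        "password OR biometric": multi_entrance(PASSWORD, BIOMETRIC),
    }


if __name__ == "__main__":
    for label, combined in compare().items():
        print(f"{label:24s} FAR={combined.far:.2e} FRR={combined.frr:.4f}")
```

Reading the output: two deterministic factors layered together lower the false accept rate without touching availability; layering a biometric on top of a password also lowers the false accept rate but imports the biometric's lock-out rate; and offering the biometric as an alternative entrance keeps availability but leaves the combined false accept rate above that of either the password or the biometric alone.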
I have heard many different observations from a number of security professionals. I will certainly welcome refutations.
We have the know-how to have the Expanded Password System wisely designed, implemented and operated, with the rich experience of building the image-to-code conversion software modules for re-generating cryptographic keys on-the-fly from our episodic image memory.