Hitoshi Kokumai
Advocate of Expanded Password System

< Little-Known Real Solution to Cyber Predicament by Text-Only Password Systems >


You are probably aware of the huge data breach that a student brought about in Germany. We expect not a few security professionals and tech/biz media to be loudly suggesting such half-baked solutions as

1. throwing away easy-to-remember passwords and doing what humans are unable to do.

2. adopting biometrics, not stating that they are deployed with a fallback password/PIN in a security-ruining 'multi-entrance' method

3. adopting a password-manager, not stating that it could create a single point of failure.

4. adopting a multi-factor authentication, not stating that the password would be the last resort when something-to-possess is broken, left behind, lost, copied and stolen.

5. eliminating passwords altogether, not stating that we would then be brought into a 1984-like dystopia.

However, the real picture is actually so plain and clear; the current password predicament is caused by the conventional password systems that do not accept anything but numbers/characters.

There exists an incredibly simple solution to it.



#identity #authentication #login #password #biometrics #vulnerability
#risk #threat #crime #hacking #security #safety #ExpandedPasswordSystem #cybersecurity #infosec #cybercrime #cyberattack #cyberdefense #web #online #internet #network #telecom #mobile #business #fintech #commerce #payments #bankcard #creditcard #technology #digital #cto #cio #cso #government #defense #law #justice #education #banking #finance #insurance #investment #news #report #media #press #privacy #fact #truth #integrity #ethics #governance #journalism #democracy #infrastructure

< Horrific Distinction between ‘Multi-Layer’ and ‘Multi-Entrance’ Deployments >

‘Multi-Layer’ is also represented by ‘In-Series’, ‘In-Addition-To’, ‘All/BothAnd’ and ‘Conjunction’ in logic, while ‘Multi-Entrance’ by ‘In-Parallel’, ‘In-Stead-Of’, ‘EitherOr’ and ‘Disjunction’.

Misinformation, once integrated into our long-term memory, becomes very difficult to correct, particularly when it was spread by big names. Below is a plain riddle to help judge how free you are from a very serious misinformation spreading in the sphere of identity assurance and cybersecurity.

Assuming that a mobile device sends out a private key (or a digital certificate signed by the private key) upon verification of the user by 'Either a biometrics Or a fallback password/PIN' to the authentication server where the corresponding public key is stored, we count 3 factors in this scheme: what you have, what your body features are and what you know/remember.

Is this scheme
1. a 3-factor authentication?
2. a 2-factor authentication?
3. neither a 3-factor nor a 2-factor authentication?

Which of (1), (2) and (3) do you think is the correct answer?

This video offers a clue to the answer.
https://youtu.be/wuhB5vxKYlg


#identity #authentication #login #password #biometrics #vulnerability
#risk #threat #crime #hacking #security #safety #ExpandedPasswordSystem #cybersecurity #infosec #cybercrime #cyberattack #cyberdefense #web #online #internet #network #telecom #mobile #business #fintech #commerce #payments #bankcard #creditcard #technology #digital #cto #cio #cso #government #defense #law #justice #education #banking #finance #insurance #investment #news #report #media #press #privacy #fact #truth #integrity #ethics #governance #journalism #democracy #infrastructure

OASIS Open Projects & Expanded Password System


Welcome to the Expanded Password System - a new and improved password system that would radically improve password retention and safety worldwide


We announced we had been working on an OASIS Open Projects (*1) for our Expanded Password System (*2) at Consumer Identity World 2018 (*3) in Seattle and Amsterdam. We are excited to share with you that the project is in the ‘Draft Proposal’ stage and we would like feedback from more of you who are involved in identity assurance and cybersecurity.

At this point, fifty plus people have joined the project; now we need corporate support to get the ball rolling. Our Draft Charter (*4) for the project incorporates the takeaways from discussions in Seattle and Amsterdam (*5).

We believe the business benefits are tremendous, including a sizeable reduction in identity management overhead, and in breach impact, to boot. There is no need to replace any system you've already implemented. They can be augmented by Expanded Password System, whether you use FIDO, OAuth, OpenID Connect or whatever else.

We would like you to have a say in this project, and welcome your knowledge, insights and expertise. You can start by telling us what you think of our Charter; and whether better, easier-to-remember and easier-to-manage passwords for the global consumer is something you want to be part of. Feel free to reach out to us.

Hitoshi Kokumai (*6)
kokumai@mneme.co.jp

………………………

*1 Slide: Identity Assurance by Our Own Volition and Memory
https://www.slideshare.net/HitoshiKokumai/further-update-identity-assurance-by-our-own-volition-and-memory (P14 of 23)

*2 OASIS Open Projects
https://oasis-open-projects.org/

*3 Presentation and Panel at Consumer Identity World 2018
https://www.kuppingercole.com/events/ciwusa2018/speakers/1896 (Seattle)
https://www.kuppingercole.com/events/ciweu2018/speakers/1896 (Amsterdam)

*4 Draft Charter
https://docs.google.com/document/d/1lHFWGMmFHN4xwm9q6ajQ1vZtFFaKNNgHJKHMnvcNS0s/edit

*5 Articles published on media
- ‘Weak Panel’ And ‘Weak Lock/Key System’ Of ‘Weak Door’
https://www.valuewalk.com/2018/11/expanded-password-system/
- Four Puzzling Issues Of Identity Authentication
https://www.valuewalk.com/2018/10/kyc-identity-authentication/

*6 Profile https://www.linkedin.com/in/hitoshikokumai/



#identity #authentication #login #password #biometrics #vulnerability
#risk #threat #crime #hacking #security #safety #ExpandedPasswordSystem #cybersecurity #infosec #cybercrime #cyberattack #cyberdefense #web #online #internet #network #telecom #mobile #business #fintech #commerce #payments #bankcard #creditcard #technology #digital #cto #cio #cso #government #defense #law #justice #education #banking #finance #insurance #investment #news #report #media #press #privacy #fact #truth #integrity #ethics #governance #journalism #democracy #infrastructure

< What could happen where a specific concept is represented by a generic concept? >

I attended a FIDO Alliance seminar on 7/Dec in Tokyo, where I heard FIDO staff confirm that, when they said “Password-less Authentication”, “Password” actually meant “Password Used Online”. That is, at FIDO Alliance, “Password-less Authentication” means “OnlinePassword-less Authentication”.

Passwords used locally on devices are outside the scope of FIDO’s “Password-less Authentication”. As a matter of fact, FIDO people are apparently aware that the password is heavily relied upon and is actually being broadly used as a fallback means against false rejection of biometrics as well as on its own.

It is not certain, though, whether vendors of FIDO-certified products are aware and accordingly explain to consumers that the biometrics used with a fallback password brings down the security that the password-only authentication has so far provided.
https://youtu.be/wuhB5vxKYlg

I could not find on FIDO-related publications a clear-cut distinction between “multi-entrance/in-stead-of/in-parallel/disjunction/EitherOr” and “multi-layer/in-addition-to/in-series/conjunction/AllAnd” for the deployment of multiple authentication factors.

Anyway, where “OnlinePassword-less Authentication” is represented by “Password-less Authentication”, “Elderly People” could be represented by “People” and “Cybercrime” by “Crime”, couldn’t it? Leaving this kind of awkward rhetoric to smalltime politicians, I would expect the people in charge to do the needful to sort out this confusing situation.


Remark: The phrase 'in addition to' used in NIST Guidelines (*) obviously has the same meaning as 'multi-layer/in-series/conjunction/AllAnd'.
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

On Page 17

* "When biometric authentication meets the requirements in Section 5.2.3, the device has to be authenticated in addition to the biometric — a biometric is recognized as a factor, but not recognized as an authenticator by itself."

On Page 37

5.2.3 Use of Biometrics

The use of biometrics (something you are) in authentication includes both measurement of physical characteristics (e.g., fingerprint, iris, facial characteristics) and behavioral characteristics (e.g., typing cadence). Both classes are considered biometric modalities, although different modalities may differ in the extent to which they establish authentication intent as described in Section 5.2.9. For a variety of reasons, this document supports only limited use of biometrics for authentication. These reasons include:
- The biometric False Match Rate (FMR) does not provide confidence in the authentication of the subscriber by itself. In addition, FMR does not account for spoofing attacks.
- Biometric comparison is probabilistic, whereas the other authentication factors are deterministic.
- Biometric template protection schemes provide a method for revoking biometric credentials that is comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
- Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns). While presentation attack detection (PAD) technologies (e.g., liveness detection) can mitigate the risk of these types of attacks, additional trust in the sensor or biometric processing is required to ensure that PAD is operating in accordance with the needs of the CSP and the subscriber.

Therefore, the limited use of biometrics for authentication is supported with the following requirements and guidelines: Biometrics SHALL be used only as part of multi-factor authentication with a physical authenticator (something you have).


#identity #authentication #login #password #biometrics #vulnerability
#risk #threat #crime #hacking #security #safety #ExpandedPasswordSystem #cybersecurity #infosec #cybercrime #cyberattack #cyberdefense #web #online #internet #network #telecom #mobile #business #fintech #commerce #payments #bankcard #creditcard #technology #digital #cto #cio #cso #government #defense #law #justice #education #banking #finance #insurance #investment #news #report #media #press #privacy #fact #truth #integrity #ethics #governance #journalism #democracy #infrastructure

https://www.sbbit.jp/eventinfo/42434/

< ‘Enhancing Lock/Key System’ of ‘Weak Door’ >

Enhancing ‘Weak Panel’ does not make an alternative to enhancing ‘Weak Lock/Key’ system of ‘Weak Door’, but so many solution providers are crowding ‘Weak Panel’ and generating a Red Ocean while very few are actually tackling ‘Weak Lock/Key’ issue.

Expanded Password System that we advocate enhances the analogous lock/key system with the following features

- It offers joy and fun

- It turns a weak password into a high-entropy credential

- It reduces the burden of managing the relation between accounts and the corresponding passwords

- It deters hard-to-defend phishing attacks

- It can be deployed in panicky situations

- It is supportive of biometrics, two/multi-factor authentications, password managers and single-sign-on services as well as simple pictorial/emoji-passwords and patterns-on-grids

- Its applications are to be found wherever people have been using text passwords and numerical PINs

- And, nothing would be lost for the people who want to keep using textual passwords

- Last but not least, it is democracy-compatible by way of providing the chances and means to get our own volition confirmed in our identity assurance.

Linked below is my latest media article.
https://www.valuewalk.com/2018/11/expanded-password-system/

#identity #authentication #login #password #biometrics #vulnerability
#risk #threat #crime #hacking #security #safety #ExpandedPasswordSystem #cybersecurity #infosec #cybercrime #cyberattack #cyberdefense #web #online #internet #network #telecom #mobile #business #fintech #commerce #payments #bankcard #creditcard #technology #digital #cto #cio #cso #government #defense #law #justice #education #banking #finance #insurance #investment #news #report #media #press #privacy #fact #truth #integrity #ethics #governance #journalism #democracy #infrastructure

< Targeted/Spear Phishing and Expanded Password System >

Expanded Password System was not designed against phishing attacks, but deploying it wisely would help us deter not only indiscriminate mass phishing but also targeted/spear phishing attacks as one of its secondary effects.

Where users are encouraged to create their own unique image matrices with Expanded Password System, criminals would feel discouraged about the indiscriminate mass phishing because of its heavy costs of capturing and activating thousands, millions or billions of image matrices all unique to different UserIDs.

2-Channel Expanded Password System presented in the previous page could discourage targeted phishing because the criminals would have to place both of the two channels under their control simultaneously before starting the phishing trial.

Alternatively, we could think of adding a second step of Expanded Password System, making it 'Selective 2-step EPS' for the users who opt for it, which makes criminals’ jobs extremely heavy and complicated.

Criminals who persistently chase really valuable information assets could be discouraged if we deploy the 2-step EPS coupled with the 2-Channel method.


#identity #authentication #login #password #biometrics #vulnerability
#risk #threat #crime #hacking #security #safety #ExpandedPasswordSystem #cybersecurity #infosec #cybercrime #cyberattack #cyberdefense #web #online #internet #network #telecom #mobile #business #fintech #commerce #payments #bankcard #creditcard #technology #digital #cto #cio #cso #government #defense #law #justice #education #banking #finance #insurance #investment #news #report #media #press #privacy #fact #truth #integrity #ethics #governance #journalism #democracy #infrastructure

< Takeaways from Consumer Identity World Europe 2018 >

I made the presentation of ‘Identity Assurance by Our Own Volition and Memory’ along with the related issues such as ‘Password-less Authentication’, ‘Biometrics’, ‘Multi-factor Authentications’, ‘ID Federations’, Brain-Machine-Interface as well as our proposition of ‘Expanded Password System’ and ‘OASIS Open Projects’ in Amsterdam on 30th October. ( Photo https://pbs.twimg.com/media/Dqv02H1UUAAkDZV.jpg )

* Presentation Slide
https://www.slideshare.net/HitoshiKokumai/updated-identity-assurance-by-our-own-volition-and-memory
* Narration Script
https://www.slideshare.net/HitoshiKokumai/presentation-with-scripts-at-ciweu2018

Gist of Presentation

- Observations (*1): The conventional password is hated as everybody agrees, whereas the volitional password is absolutely necessary where the democratic values matter. Where authentication of our identity happens without our knowledge or against our will, it is a 1984-like Dystopia.

- Progress (*2): We believe that we came up with the way out. It is Expanded Password System that accepts images/pictures as well as texts/characters.

…………….

*1 These observations, which I believe are very compelling, lead us to conclude that we have to find the sort of password system that is not hated. Logic tells that there can be no other choice. Actually I saw nobody who was explicitly against these observations while I stayed in Amsterdam.

*2 Not a few people who agree to (*1) observations, however, would not agree to (*2) this belief of ours.

They seem to be assuming that better approaches could be found somewhere in the spheres of PKI, OTP, block-chain or the likes of artificial intelligence although it is like talking about a weak door and proposing to enhance the weak panel as a solution to the weak lock/key.

Below are some more takeaways from the conference.

- Conflicts between Security and Privacy

Many people reckon that security and privacy are mutually exclusive unconditionally. But we need to be aware that all depend on the context.

Security for authoritarian regimes may well be mutually exclusive to privacy of citizens to a very large extent or completely. Even in democratic countries, security for society and privacy of citizens are often mutually exclusive as found in the case of disputes between FBI and Apple. But, when this theme is discussed in terms of GDPR, it cannot be mutually exclusive, since the subject is always ‘Citizen’. The security for citizens must be mutually inclusive of the privacy of citizens and vice versa.

- On-the-fly Generation of Cryptographic Keys from Our Episodic Memory

When decryption keys are suspected to have been stolen together with the encrypted data, we cannot rely on the data protection by encryption. I announced in Amsterdam that we had come up with a proposition for this problem 14 years ago as per
https://www.slideshare.net/HitoshiKokumai/onthefly-key-generation-from-our-memory

- Sensible Use Case of Behavioral Biometrics for Identity Authentication

I agree that the idea of deploying the behavioral biometrics as an early warning system is very sensible. After the login by a password, the user will be placed under the constant monitoring of their unconscious behavior like typing patterns, mouse-moving patterns and so on. When any irregular patterns get detected, the system requires the user to feed their password. It will be effective to prevent the hijacking of the device after the login by the legitimate user.

It should be noted that the behavioral biometrics is expected to work as an enhancement of password protection, not as an alternative to the password.

- Three-Factor Authentication Weaker Than Two-Factor Authentication

There is a voice to claim that deploying biometrics with a fallback password on a mobile device makes a 3-factor authentication (biometrics as ‘what your body features are’, password as ‘what you know’ and device as ‘what you have’). Even when the user gets falsely rejected by biometrics and required to use the password as the fallback means, the user is still protected by the two factors of ‘password’ and ‘device’, so the failure of biometrics does not mean the decrease of security. This is their voice.

I am certain that those people do not welcome my view that a straightforward 2-factor authentication made of ‘device’ and ‘password’ would have been less expensive, less difficult to implement and more secure. Multi-Entrance solutions cannot displace Multi-Layer solutions.

* The difference between ‘in-series’ and ‘in-parallel’ (multi-layer and multi-entrance) deployments of two/multi factors is plainly demonstrated here https://youtu.be/wuhB5vxKYlg

- Informed Misinformed and Disinformed Consent

It goes without saying that obtaining the informed consent from consumers is very important when collecting their personal information. Perhaps more important is trying to not obtain the misinformed consent. Disinformed consent, if obtained, should be viewed as a crime issue.

* Some of you might notice that I am raising this issue with respect to the broad adoption among consumers of security-lowering face and finger scans due to the informed, misinformed or disinformed consent.

** The insurance industry is expected to help mitigate the damages brought by the consequences of misinformed or disinformed consent by way of providing economic incentives or penalties.

-------------------

Coupled with the earlier takeaways () from the Seattle conference, we may now have got a much more comprehensive understanding of all those enigmatic problems around cybersecurity and identity management.
https://www.valuewalk.com/2018/10/kyc-identity-authentication/


#identity #authentication #login #password #biometrics #vulnerability
#risk #threat #crime #hacking #security #safety #ExpandedPasswordSystem #cybersecurity #infosec #cybercrime #cyberattack #cyberdefense #web #online #internet #network #telecom #mobile #business #fintech #commerce #payments #bankcard #creditcard #technology #digital #cto #cio #cso #government #defense #law #justice #education #banking #finance #insurance #investment #news #report #media #press #privacy #fact #truth #integrity #ethics #governance #journalism #democracy #infrastructure
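As an added example (not code from the original posts), here is a small Python model of the two deployment styles, conjunction ('multi-layer') versus disjunction ('multi-entrance'), applied both to the riddle of the device that releases its private key after 'biometric OR fallback PIN' and to the 'Three-Factor Weaker Than Two-Factor' takeaway above. The per-attempt impostor pass rates are constructed assumptions for illustration, not measured figures.

```python
"""Toy model of how authentication factors compose.

AllOf = multi-layer / in-series / conjunction: every check must pass.
AnyOf = multi-entrance / in-parallel / disjunction: any one check suffices.
All impostor pass rates below are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class Factor:
    name: str
    kind: str             # "have", "are" or "know"
    impostor_pass: float  # constructed per-attempt chance an impostor defeats this check


@dataclass(frozen=True)
class AllOf:
    """Multi-layer: all parts must be passed."""
    parts: Tuple["Policy", ...]


@dataclass(frozen=True)
class AnyOf:
    """Multi-entrance: passing any one part is enough."""
    parts: Tuple["Policy", ...]


Policy = Union[Factor, AllOf, AnyOf]


def impostor_pass(policy: Policy) -> float:
    """Probability an impostor is accepted, treating the checks as independent."""
    if isinstance(policy, Factor):
        return policy.impostor_pass
    if isinstance(policy, AllOf):
        result = 1.0
        for part in policy.parts:
            result *= impostor_pass(part)
        return result
    # AnyOf: the impostor gets in unless every entrance rejects them.
    all_reject = 1.0
    for part in policy.parts:
        all_reject *= 1.0 - impostor_pass(part)
    return 1.0 - all_reject


def defeat_sets(policy: Policy) -> Set[FrozenSet[str]]:
    """Every combination of factor kinds an impostor could defeat to be accepted."""
    if isinstance(policy, Factor):
        return {frozenset({policy.kind})}
    if isinstance(policy, AnyOf):
        options: Set[FrozenSet[str]] = set()
        for part in policy.parts:
            options |= defeat_sets(part)
        return options
    # AllOf: pick one route through each part; all of them must be defeated.
    combos: Set[FrozenSet[str]] = {frozenset()}
    for part in policy.parts:
        combos = {chosen | extra for chosen in combos for extra in defeat_sets(part)}
    return combos


def effective_factor_count(policy: Policy) -> int:
    """Factors an impostor must defeat on the cheapest route through the policy."""
    return min(len(kinds) for kinds in defeat_sets(policy))


# Constructed factors for the riddle's mobile-device scheme.
DEVICE = Factor("device-held private key", "have", 1e-6)
FINGERPRINT = Factor("fingerprint (false match rate)", "are", 2e-5)
PIN = Factor("fallback PIN (single guess)", "know", 1e-4)

RIDDLE = AllOf((DEVICE, AnyOf((FINGERPRINT, PIN))))  # device AND (biometric OR PIN)
PLAIN_2FA = AllOf((DEVICE, PIN))                      # device AND PIN
TRUE_3FA = AllOf((DEVICE, FINGERPRINT, PIN))          # device AND biometric AND PIN

if __name__ == "__main__":
    for label, policy in (("riddle", RIDDLE), ("device+PIN", PLAIN_2FA), ("3 layers", TRUE_3FA)):
        routes = sorted(sorted(kinds) for kinds in defeat_sets(policy))
        print(f"{label:>10}: factors={effective_factor_count(policy)} "
              f"impostor_pass={impostor_pass(policy):.3e} routes={routes}")
```

Under these assumptions the riddle's scheme counts as 2 factors on its cheapest route and accepts an impostor slightly more often than plain device-plus-PIN, while only the three-layer conjunction counts as 3.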


< Takeaways from Consumer Identity World USA 2018 >

The so-called password-less authentication, if implemented literally, would lead us to a world where we are deprived of the chances and means to get our volition confirmed in having our identity authenticated. It would be a 1984-like world. The values of democratic societies are not compatible.

Some people allege that passwords can and will be eliminated by biometrics or PIN. But logic tells that it can never happen because the former requires a password/PIN as a fallback means and the latter is no more than the weakest form of numbers-only password.

Various debates over ‘password-less’ or ‘beyond-password’ authentications only make it clear that the solution to the password predicament could be found only inside the family of broadly-defined passwords.

https://www.valuewalk.com/2018/10/kyc-identity-authentication/



#identity #authentication #login #password #biometrics #vulnerability
#risk #threat #crime #hacking #security #safety #ExpandedPasswordSystem #cybersecurity #infosec #cybercrime #cyberattack #cyberdefense #web #online #internet #network #telecom #mobile #business #fintech #commerce #payments #bankcard #creditcard #technology #digital #cto #cio #cso #government #defense #law #justice #education #banking #finance #insurance #investment #news #report #media #press #privacy #fact #truth #integrity #ethics #governance #journalism #democracy #infrastructure

< Four Puzzling Issues of Identity Authentication >

At Consumer Identity World 2018 in Seattle, in which I participated as a speaker, I noted that there were strong voices proposing

1. Password-less Authentication
2. Use of PIN to eliminate passwords
3. Biometrics in two/multi-factor authentication for better security
4. Dilemma in physical tokens

What puzzled me were

1. Doesn’t ‘Passwordless’ mean ‘Volitionless’?
2. Isn’t ‘PIN’ the weakest form of numbers-only passwords?
3. Isn’t biometrics deployed with a fallback password ‘in parallel’, not ‘in series’?
4. What if we have dozens of accounts to protect heavily?

Below are my views expressed at the Seattle conference.



#identity #authentication #login #password #biometrics #vulnerability #risk #threat #crime #hacking #security #safety #cybersecurity #infosec #cybercrime #cyberattack #cyberdefense #web #online #internet #network #telecom #mobile #business #fintech #commerce #payments #bankcard #creditcard #technology #digital #cto #cio #cso #government #defense #law #justice #education #banking #finance #insurance #investment #news #report #media #press #privacy #cyber #fact #truth #integrity #ethics #cyberwar #infrastructure #ciso #governance #journalism #democracy