Four Puzzling Issues of Identity Authentication

Four Puzzling Issues of Identity Authentication

– Takeaways from Consumer Identity World USA 2018 –

Introduction

The so-called password-less authentication, if implemented literally, would lead us to a world where we are deprived of the chances and means to get our volition confirmed in having our identity authenticated. It would be a 1984-like world. The values of democratic societies are not compatible.

Some people allege that passwords can and will be eliminated by biometrics or PIN. But logic tells that it can never happen because the former requires a password/PIN as a fallback means and the latter is no more than the weakest form of numbers-only password.

Various debates over ‘password-less’ or ‘beyond-password’ authentications only make it clear that the solution to the password predicament could be found only inside the family of broadly-defined passwords.

Four Puzzling Issues

In our earlier article we referred to Consumer Identity World USA 2018, which the writer participated as both a speaker and a panel, making the presentation of ‘Identity Assurance by Our Own Volition and Memory’..

We had noticed that there were strong voices proposing:

  1. Password-less Authentication
  2. Use of PIN to eliminate passwords
  3. Biometrics in two/multi-factor authentication for better security
  4. Advantage of physical tokens as against one time codes by SMS

What puzzles us are:

  1. Doesn’t ‘Password-less’ mean ‘Volition-less’?
  2. Isn’t ‘PIN’ the weakest form of numbers-only passwords?
  3. Isn’t biometrics deployed with a fallback password ‘in parallel’, not ‘in series’?
  4. What if we have dozens of accounts to protect?

Below are a few of our observations

  1. Password-less Authentication:  The term of ‘password’ is poly-semantic and context-dependent. So is ‘password-less’. If ‘password-less authentication’ means ‘authentication without depending solely on hard-to-manage text passwords, we would be generally agreeable.

If, however, it means ‘authentication without what we remember altogether’, we must be against it. If implemented literally, it would lead us to a world where we are no longer allowed to get our volition confirmed in our own identity assurance. We call such a world ‘Dystopia’

  1. PIN as against Passwords:  If PIN or PINCODE, which is the weakest form of numbers-only password, had the power to kill the password, a small sedan should be able to kill the automobile.

Advocates of this idea seem to claim that a PIN is stronger than a password when it is linked to a device versus a password which is not linked to a device.

  1. Biometrics in two/multi-factor authentications:  All the factors of multi-factor schemes must be deployed ‘in-series’, not ‘in-parallel’. When two factors are deployed in-parallel, what is achieved is better convenience whereas security is brought down.

In reality biometrics is usually deployed with a password as a fallback means against false rejection, and biometrics and fallback passwords are used in-parallel, not in-series. This means that biometrics brings down the security of the password that was provided. It’s incompetent to recommend biometrics for higher level of security.

  1. Advantage of physical tokens:  It is said that using physical tokens is more secure than using phones for receiving one time code by SMS. If this is the case, the use of physical tokens brings its own headache. What shall we do if we have dozens of accounts that require the protection by two/multi-factor schemes?

Carrying around dozens of physical tokens? Re-using the same tokens across multiple accounts? The former would be too cumbersome and would too easily attract the attention of bad guys, while the latter would be very convenient but bring the likes of a single point of failure.

What can we do?

  1. Password-less Authentication: A secure and yet stress-free means of democracy-compatible identity authentication is proposed. It is the Expanded Password System that accepts both images and characters. It is now acknowledged as ‘Draft Proposal’ for OASIS Open Projects.
  2. PIN to eliminate passwords:  We could simply forget it.
  3. Biometrics in two/multi-factor authentication:  Biometrics could be recommended for better convenience, but must not be recommended where security matters.
  4. Advantage of physical tokens:  We could think of two new possibilities – one for better convenience and one for better security.

The former handles two different types of passwords, one recalled volitionally and the one physically possessed. The latter  involves the images to which random numbers or characters are allocated and shown to the users through a mobile device. Users who recognize the registered images will feed the numbers or characters given to those images on a main device. We do not depend on the vulnerable one time code sent through SMS and a phone copes with dozens of accounts.

In part 2, we will discuss some of the other related issues pertaining to password authenticity…

By Hitoshi Kokumai

Disaster Recovery Plan.png
Data Bed.png
The Manuscript.png
Holiday Access.png
JK Chelladurai
Maintain telecom tax compliance The Telecommunications industry is one of the most heavily taxed service industries. In countries such as the United States, providers have to keep on top of Federal, State, and District taxes, ...
Episode 16: Bigger is not always better: the benefits of working with smaller cloud providers
The benefits of working with smaller cloud providers A conversation with Ryan Pollock, VP Product Marketing and Developer Relationships for Vultr.com - Everyone knows who the big players are in the cloud business. But sometimes, ...
Mitigation Security
Data scraping solutions When people hear the term data scraping, their first thought is often about how companies use this technology for competitive reasons – specifically to pull publicly-available data from millions of websites in ...
Louis
Why cybersecurity spending Is resilient Cybersecurity tech stacks must close the gaps that leave human and machine endpoints, cloud infrastructure, hybrid cloud and software supply chains vulnerable to breaches. The projected fastest-growing areas of cybersecurity ...
Crozdesk Business Software
B2B SaaS Comparison Platforms B2B SaaS Comparison Platforms are designed for buyers looking for additional information on a particular vendor and service. These sites help ease the complexities for buyers by providing a detailed breakdown ...
  • Plural Site

    Pluralsite

    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.

  • Isc2

    ISC2

    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary

    Cybrary

    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.