– Takeaways from Consumer Identity World USA 2018 –
The so-called password-less authentication, if implemented literally, would lead us to a world where we are deprived of the chances and means to get our volition confirmed in having our identity authenticated. It would be a 1984-like world. The values of democratic societies are not compatible with it.
Some people allege that passwords can and will be eliminated by biometrics or PINs. But logic tells us that this can never happen: the former requires a password or PIN as a fallback means, and the latter is no more than the weakest form of password, one made of numbers only.
Various debates over ‘password-less’ or ‘beyond-password’ authentication only make it clear that the solution to the password predicament can be found only inside the family of broadly defined passwords.
In our earlier article we referred to Consumer Identity World USA 2018, in which the writer participated as both a speaker and a panelist, giving the presentation ‘Identity Assurance by Our Own Volition and Memory’.
We had noticed that there were strong voices proposing:
What puzzles us are:
If, however, it means ‘authentication without anything we remember at all’, we must be against it. If implemented literally, it would lead us to a world where we are no longer allowed to get our volition confirmed in our own identity assurance. We call such a world ‘Dystopia’.
Advocates of this idea seem to claim that a PIN linked to a device is stronger than a password that is not linked to a device.
In reality biometrics is usually deployed with a password as a fallback means against false rejection, and biometrics and fallback passwords are used in parallel, not in series: an attacker may take whichever path is weaker. This means that adding biometrics brings the overall security below that of the password on its own. It is incompetent to recommend biometrics for a higher level of security.
Carrying around dozens of physical tokens? Re-using the same tokens across multiple accounts? The former would be too cumbersome and would too easily attract the attention of bad guys, while the latter would be very convenient but would create a single point of failure.
The former handles two different types of passwords, one recalled volitionally and one physically possessed. The latter involves images to which random numbers or characters are allocated and shown to the user through a mobile device. Users who recognize their registered images feed the numbers or characters assigned to those images into the main device. We do not depend on the vulnerable one-time code sent through SMS, and a single phone copes with dozens of accounts.
In part 2, we will discuss some of the other related issues pertaining to password authentication…
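To make the image-recognition flow above concrete, here is an added example that is not the author's or any vendor's code: a small two-party model in which the verifier assigns fresh random codes to a grid of pictures (what the phone would display), the user types the codes shown beside the pictures they registered (what goes into the main device), and the verifier maps the codes back to pictures and checks them. The image pool, the two-digit codes, the salted-hash storage of the registered set and the single-use challenge are all assumptions made for the illustration.

```python
# Added example: a model of image-recognition authentication with per-session
# random codes, as described in the text. Not the author's product code;
# image names, code format and storage format are constructed assumptions.
import hashlib
import hmac
import secrets

# Constructed pool of pictures shown in the grid on the mobile device.
IMAGE_POOL = ["anchor", "bridge", "cat", "drum", "eagle", "fern", "guitar", "harbor", "iris"]

def _digest(salt: bytes, image_ids) -> bytes:
    """Salted hash of the sorted set of picture identifiers (order of entry does not matter)."""
    canonical = ",".join(sorted(image_ids)).encode()
    return hashlib.sha256(salt + canonical).digest()

class Verifier:
    """Server side: stores only a salted hash of each user's registered pictures."""

    def __init__(self):
        self._users = {}       # username -> (salt, digest of registered pictures)
        self._challenges = {}  # challenge_id -> (username, {code: picture})

    def register(self, username: str, registered_images) -> None:
        if not set(registered_images) <= set(IMAGE_POOL):
            raise ValueError("registered picture not in pool")
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _digest(salt, registered_images))

    def issue_challenge(self, username: str):
        """Allocate a fresh, distinct two-digit code to every picture; this grid is what the phone shows."""
        rng = secrets.SystemRandom()
        codes = rng.sample(range(10, 100), len(IMAGE_POOL))
        assignment = {img: f"{c:02d}" for img, c in zip(IMAGE_POOL, codes)}
        challenge_id = secrets.token_hex(8)
        self._challenges[challenge_id] = (username, {code: img for img, code in assignment.items()})
        return challenge_id, assignment

    def verify(self, challenge_id: str, codes_entered) -> bool:
        """Map the typed codes back to pictures and compare with the registered set (single use)."""
        username, code_to_image = self._challenges.pop(challenge_id, (None, None))
        if username is None:
            return False  # unknown or already-consumed challenge: replay is rejected
        try:
            claimed = [code_to_image[c] for c in codes_entered]
        except KeyError:
            return False  # a code that was never displayed in this challenge
        salt, expected = self._users[username]
        return hmac.compare_digest(_digest(salt, claimed), expected)

def user_answers(assignment: dict, registered_images) -> list:
    """Client side: the user reads the codes shown beside the pictures they recognize."""
    return [assignment[img] for img in registered_images]

if __name__ == "__main__":
    v = Verifier()
    v.register("alice", ["cat", "fern", "iris"])
    cid, grid = v.issue_challenge("alice")
    print("grid shown on phone:", grid)
    typed = user_answers(grid, ["cat", "fern", "iris"])
    print("typed on main device:", typed, "->", v.verify(cid, typed))
```

Because the codes are re-drawn for every challenge, what the user types is different each time even though the pictures they remember never change, which is what removes the need for a code delivered over SMS.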
By Hitoshi Kokumai