In an earlier article published last March for SC Media UK, “False sense of security spreading on a gigantic scale”, (compressed into this 30-second video “Turn off biometrics when security matters”) it was explained that using biometrics as a second method of access as an alternate independent access route actually weakens security.
Our observation is now backed up by the latest draft digital authentication guidelines of the National Institute of Standards and Technology. Clause 5.2.3, Use of Biometrics, requires that, because of its inherent vulnerabilities, biometrics be used together with another authentication factor, and that it fall back on passwords as a recovery mechanism where practicality matters, even if this means lower security because of the “larger attack surface”, to borrow NIST's words.
As the myth of biometrics gets busted, we are now witnessing increasing interest in a new class of memorised secrets that are expected to be both intuitive and secure.
Some people might say that multi-factor authentication, or ID federations such as password managers and single-sign-on services, could achieve the desired result. It is not easy, however, to conceive that the password could be displaced by multi-factor schemes, in which one of the factors is a password, or by ID federations, which require the most reliable password of all as the master password.
Dreaming of a password-less life?
You could think “Not using any password altogether is the way to kill the password dead”. Yes, the password could then be killed off entirely, but it would be criminals rather than you that would be the beneficiaries of such a password-free cyber-space.
In a world where we live without passwords to recall, i.e., where our identity is established without our volitional participation, we would only be able to sleep safely when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.
However disliked, passwords as shared secrets are absolutely indispensable.
We are proposing an “Expanded Password System” designed to be both intuitive and secure at the same time, by making the best use of the long-term memories known as episodic/autobiographic memories and through careful design for confidentiality.
We can remember and recall only five text passwords on average, not due to our silliness or laziness, but due to the cognitive phenomenon called "Interference of Memory".
Memories of numbers and letters, which carry very limited information, are subject to severe interference of memory, which causes terrible confusion in what we remember, whereas memories of images and pictures, particularly episodic/autobiographic memories that carry a great deal of information with emotional feeling, are not.
This indicates that we can easily manage passwords well beyond five or 10 when we make good use of the episodic image memories. It could thus make an optimal alternative to textual passwords when we make sure that confidentiality is not lost.
Most humans are thousands of times better at dealing with image memories than text memories. The former is as old as humanity, while the latter is still very new to us. I wonder what merit there is in confining ourselves to the narrow corridor of text memories when CPUs are fast enough, bandwidth broad enough, memory storage cheap enough, and cameras are built into mobile devices.
The Expanded Password System is inclusive of textual as well as non-textual passwords. Users can retain the textual passwords as before while they expand their password memory to include the non-textual passwords without being impeded by the cognitive effect of “interference of memory”. It is extremely difficult to imagine that users would suffer disadvantage or inconvenience by taking up the Expanded Password System.
Being able to recall strong passwords is one thing. Being able to recall the relations between accounts and the corresponding passwords is another. When unique matrices of images are allocated to different accounts with the Expanded Password System, each unique matrix of images tells you which images you could pick as your password. The Expanded Password System thus frees us from the burden of managing the relations between accounts and the corresponding passwords.
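As an added illustration (not code from this article or from Mnemonic Security), the Python below sketches the two points just made: an account-specific image matrix that cues the user, and a verifier that stores only a salted, stretched hash of the chosen image sequence. The 5x5 grid, the deterministic per-account layout, the image identifiers, and the ordered-selection entropy model are all assumptions of this example.

```python
import hashlib
import hmac
import math
import os
import random

# Constructed sample data: string identifiers stand in for the actual pictures.
# The account-specific matrix mixes the user's own episodic images with decoys.
USER_IMAGES = ["dog_rex", "grandma_kitchen", "first_bike", "lake_cabin", "red_guitar"]
DECOYS = [f"stock_{i:02d}" for i in range(20)]


def build_matrix(account, images, decoys, side=5):
    """Return a side x side grid of image ids laid out uniquely for `account`.

    The layout is derived from the account name, so the same user always sees
    the same cue for the same account (an assumed design, not the product's).
    """
    cells = list(images) + list(decoys)
    if len(cells) != side * side:
        raise ValueError("matrix needs exactly side*side images")
    rng = random.Random(hashlib.sha256(account.encode()).digest())
    rng.shuffle(cells)
    return [cells[r * side:(r + 1) * side] for r in range(side)]


def enroll(selection, iterations=100_000):
    """Store only a salted, stretched hash of the ordered selection of ids.

    Because ids are plain strings, a typed text password can sit in the same
    sequence, matching the article's point that textual passwords are retained.
    """
    salt = os.urandom(16)
    secret = "\x1f".join(selection).encode()  # separator keeps ids unambiguous
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(record, selection):
    """Recompute the hash for a candidate selection and compare in constant time."""
    secret = "\x1f".join(selection).encode()
    digest = hashlib.pbkdf2_hmac("sha256", secret, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def keyspace_bits(cells, picks):
    """Bits of guessing entropy if `picks` distinct cells must be chosen in order."""
    return math.log2(math.perm(cells, picks))
```

Note that the verifier never learns which cells are the user's own pictures and which are decoys; only the hash of the sequence is kept.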
Use of images of beloved people, pets and various familiar objects could help make you feel comfortable and relaxed. The torturous login procedures that we have had to suffer for many decades will be history. And this bonus comes on top of the better balance of security and convenience made possible by the Expanded Password System (Whitepaper).
Contributed by Hitoshi Kokumai, president, Mnemonic Security, Inc.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.