Democracy requires that individuals have the right not to have their identity authenticated without their knowing confirmation. Such a volitional process can be achieved only with volitional identity authentication, and that is made possible by memorised secrets, i.e. passwords.
Democracy is dead where the password is killed
Some security people are advocating that the password should be killed off. I wonder if they are aware of what they mean by what they say. A society where login without the user's volition is allowed would be a society where democracy is dead. It is a tyrant's utopia.
We know that the password is an indispensable factor in multi-factor schemes, and that the security of password managers and single sign-on schemes hinges on the reliability of the master password. Biometrics, which relies on a backup password, can by no means be an alternative to the password.
The password as a memorised secret is absolutely necessary. We must not accept any form of password-less login.
We could also look at the situation where we cannot rely on anything but the password.
Identity assurance in emergencies
What is practicable in a calm indoor environment is not necessarily practicable in a turbulent outdoor environment, whereas what works outdoors will generally work indoors as well. The difference is most striking on the battlefield and in disaster recovery.
Can we take it for granted that the people in such emergencies will be able to hold the cards and tokens for their identity authentication?
Can we be certain that biometric measures, whether static or behavioural, are practicable for people who are injured or caught in panic?
It is the obligation of democratic societies to provide the citizens with identity authentication measures that are practicable in emergencies.
We could look at this subject from a different angle. Whether or not the password must stay with us is one thing; whether or not the password can be killed is another.
Biometrics touted as Password-Killer
Some people, including not a few security experts, appear to believe that biometrics is capable of displacing the password. They are misguided. It is logically impossible for biometrics to displace the password so long as it requires the password as a fallback means.
Because of its inherent characteristics, biometrics depends on a fallback means in case of false rejection. In physical security, the fallback can be handled by personnel other than the user. In cyber-security, however, it has to be handled by the users themselves, in most cases by way of a password that they must enter.
Tech media seem busy arguing which biometric system is better than the others. But it is all nonsense from security's point of view. We should instead ask why security-lowering measures have been touted as security-enhancing solutions.
Whether dead or alive, conscious or unconscious, individuals can be identified by biometrics. However, good identification does not make valid authentication. Biometrics relies on features that are unique but not secret; deploying it to secure identity authentication is therefore a misuse.
In other words, so long as biometrics is backed up by a fallback password, its security is lower than that of password-only authentication, irrespective of which biometric is more accurate than the others: an attacker need only defeat whichever of the two paths is weaker, and the password path remains open in any case, as illustrated in this video.
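The argument above can be put in numbers with a simple probability model. The following is an added example, not code from the article or its author; the acceptance rates are assumptions chosen for illustration, and the model treats the biometric matcher and the password guess as independent attack paths. It shows that offering the fallback as an alternative (OR) can never give a lower impostor acceptance probability than the password alone, while requiring both factors (AND) is the only arrangement in which biometrics raises the bar.

```python
"""Added example (not from the article): impostor acceptance probability when
an authenticator can be passed by any one of several paths (biometrics OR its
fallback password) versus when every path must be passed (AND)."""
import math


def impostor_accept_any(paths):
    """Any single path suffices. P(at least one path accepts the impostor)
    = 1 - prod(1 - p_i), assuming the paths fail independently."""
    p_all_reject = 1.0
    for p in paths:
        p_all_reject *= (1.0 - p)
    return 1.0 - p_all_reject


def impostor_accept_all(paths):
    """Every path must accept the impostor (a genuine AND of factors)."""
    p_accept = 1.0
    for p in paths:
        p_accept *= p
    return p_accept


def effective_bits(probability):
    """Express an acceptance probability as equivalent bits of security."""
    return -math.log2(probability)


# Illustrative figures (assumptions, not measured rates):
PASSWORD_GUESS_SUCCESS = 1e-6   # chance of guessing the password within a throttled budget
BIOMETRIC_FAR = 1e-4            # false acceptance rate of the biometric matcher


def compare_schemes(password_p=PASSWORD_GUESS_SUCCESS, biometric_far=BIOMETRIC_FAR):
    """Impostor acceptance probability for the three arrangements contrasted above."""
    return {
        "password_only": password_p,
        "biometric_or_password_fallback": impostor_accept_any([biometric_far, password_p]),
        "biometric_and_password": impostor_accept_all([biometric_far, password_p]),
    }


if __name__ == "__main__":
    for name, p in compare_schemes().items():
        print(f"{name:32s} P(accept impostor) = {p:.3e}  (~{effective_bits(p):.1f} bits)")
```

With these assumed figures the OR arrangement is dominated by the weaker path (the biometric's 1e-4 false acceptance rate, about 13 bits), a hundred times worse than the password alone; the AND arrangement multiplies the two probabilities and is a million times better. The ordering holds for any positive rates, which is why the conclusion does not depend on which biometric is chosen.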
Then, we have to wonder why and how biometrics has been touted as a security-enhancing tool for so long, with so many security professionals being silent about the fact.
There could be various explanations, from agnotology, neuroscience and psychology to sociology, behavioural economics and so on. This phenomenon will perhaps be found to have provided excitingly rich material for a number of scientists and researchers in those fields.
Also see related articles “False sense of security spreading on a gigantic scale” and “Mix up 'Unique' with 'Secret' and confuse 'Identification' with 'Authentication'?”
Coming back assuredly to the absolute necessity of the password for both societal and technical reasons, we cannot be indifferent to the latest NIST password guidelines.
NIST password guidelines
This article talks about the old and new NIST password guidelines.
It is nice to see the repeal of odd recommendations like mandatory complexity rules that produce hard-to-recall passwords, which leads to reusing the same password across many accounts, and periodic forced password change, which leads to the easiest-to-guess passwords. It is not nice, however, to see 'passphrase' and 'password manager' being touted so naively. Caveats should come with these recommendations.
Passphrase: It can be longer and yet easier to remember, but length alone does not mean higher entropy, despite the tiresome typing. A passphrase is generally made of known words, and an automated dictionary attack guesses whole words rather than characters, so each word contributes only as much entropy as the size of the attacker's word list allows.
The cartoon shown in the linked article reads that 44 bits of entropy is hard to guess. It may be extremely hard for humans to guess, and for an online attacker throttled to a few guesses per second, but it would be easy prey for criminals who possess automated attack software with intelligent dictionaries and a leaked password database to crack offline.
Password Manager: It remembers all my passwords when unhacked and loses all my passwords to criminals when hacked. It should be operated in a decentralised formation, or should be considered mainly for low-security accounts, not for the high-security business accounts that should preferably be protected by strong passwords unique to each account.
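To put numbers on the passphrase point above, here is an added example that is not from the article or its author. It computes the entropy of a passphrase drawn at random from a word list the attacker is assumed to possess, contrasts it with the misleading per-character estimate, and converts the result into expected guessing time under three assumed attacker throughputs (the rates are illustrative assumptions, not measurements). A user-chosen phrase of famous words would fare worse still, since the attacker's dictionary then shrinks to the list of popular phrases; the random-draw figure here is the best case.

```python
"""Added example (not from the article): how much entropy a word-list passphrase
really has, and how long guessing it takes under different attacker models."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Illustrative attacker throughputs in guesses per second (assumptions, not measurements).
ATTACK_RATES = {
    "online_rate_limited": 1e3,    # throttled login endpoint
    "offline_slow_hash": 1e5,      # leaked database hashed with a slow, salted KDF
    "offline_fast_hash": 1e10,     # leaked database hashed with a fast unsalted hash on GPUs
}


def passphrase_entropy_bits(dictionary_size, word_count):
    """Entropy of word_count words drawn uniformly and independently from a list
    of dictionary_size words that the attacker also holds. Each word adds
    log2(dictionary_size) bits no matter how many characters it has."""
    return word_count * math.log2(dictionary_size)


def naive_character_entropy_bits(length, alphabet_size):
    """The misleading estimate: the same phrase valued as if every character
    were an independent random choice from the alphabet."""
    return length * math.log2(alphabet_size)


def expected_seconds_to_guess(entropy_bits, guesses_per_second):
    """Expected time for exhaustive guessing: on average half the space is tried."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def crack_time_years(entropy_bits):
    """Expected years to guess a secret of the given entropy at each assumed rate."""
    return {name: expected_seconds_to_guess(entropy_bits, rate) / SECONDS_PER_YEAR
            for name, rate in ATTACK_RATES.items()}


def compare_passphrase(words, dictionary_size, alphabet_size=26):
    """Word-list entropy versus the naive character estimate for one phrase."""
    phrase = "".join(words)
    return {
        "wordlist_bits": passphrase_entropy_bits(dictionary_size, len(words)),
        "naive_character_bits": naive_character_entropy_bits(len(phrase), alphabet_size),
    }


if __name__ == "__main__":
    # Constructed sample: four words picked from an assumed 2048-word list.
    sample = ["river", "candle", "orbit", "wheat"]
    bits = compare_passphrase(sample, 2048)
    print(f"{' '.join(sample)!r}: {bits['wordlist_bits']:.0f} bits by word list, "
          f"{bits['naive_character_bits']:.0f} bits if counted per character")
    for model, years in crack_time_years(bits["wordlist_bits"]).items():
        print(f"  {model:22s} expected {years:12.4f} years")
```

Four words from a 2048-word list give 44 bits whatever the words' lengths, which an online attacker at a thousand guesses per second needs centuries to exhaust, but which falls in minutes once the hashes have leaked and the hash function is fast. The defender's real levers are therefore the size of the word list, the number of words, and above all a slow salted password hash on the server side.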
Then, what else?
Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.
At the root of the password headache is the cognitive phenomenon called "interference of memory", because of which we cannot firmly remember more than about five text passwords on average. What worries us is not the password as such, but the textual password. Textual memory is only a small part of what we remember. We could make use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts to expand the password system to include images, particularly unforgettable images, alongside conventional text.
Contributed by Hitoshi Kokumai, founder, Mnemonic Security, Inc.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.