Archive — Discussions over Digital Identity on LinkedIn up to April/2019

Discussions since May 2019 are stored here:


People who are sold on ‘password-less authentication’ appear to assume that they never lose their physical tokens. Those who believe in ‘biometrics as the password-killer’ appear to assume that they never lose their body features.

Digital identity in emergencies is apparently not in their sights: can we assume that physical tokens will stay in the hands of panicked people, or that biometrics will work for injured people?

It is the obligation of democratic societies to provide citizens with identity authentication measures that are practicable in emergencies, bearing in mind that what is practicable in panicky situations is easily practicable in everyday life, but the reverse is not always true.


< Never too late to return! #1 >

Security professionals would be advised to refrain from referring to biometrics as if it were a security factor on a par with the password/PIN and the certified token.

The token and the password/PIN can each be deployed on their own, and also with other valid authenticators in the security-enhancing ‘multi-layer’ method, whereas biometrics generally cannot be deployed on its own. It can be deployed only in the security-lowering ‘multi-entrance’ method, alongside a fallback measure.

- Quantitative Examination of Multiple Authenticator Deployment

When referring to the use of biometrics, security professionals should state the appropriate caveat to consumers: “Biometrics used with a fallback measure (a password/PIN in most cases) provides security lower than that of the fallback measure alone.”

With so much money invested and so many products sold, it may be hard to admit that it brought security down. But it is never too late to return.

< Never too late to return! #2–1 >

Security professionals would be advised to refrain from implying that better security can be achieved by removing the password. What can be achieved by removing the password is increased convenience, not security.

While detrimental features should be removed, insufficient ones can be supplemented and enhanced. Mixing up the former and the latter produces a bizarre situation: what should be enhanced gets removed, while a blind eye is turned to the specific frailty that actually afflicts it.

- Intriguing Evolution from One to Two and Back to One

More significantly, password-less (will/volition-less) authentication is not consistent with the values of democracy. It would be a 1984-like dystopia if our identity were authenticated without our knowledge or against our will.

Those who have supported the notion of ‘better security achieved by removing the password’ may find it very hard to withdraw their remarks. But it is never too late to return.

< Never too late to return! #2–2 >

This is a simple thought experiment.

If the password is kicked out, security providers are left with only the token and biometrics as security factors. Biometrics requires a fallback measure against false rejection. With the password removed, nothing but the token could serve as that fallback. The system designer would then have only the following two choices.

(1) Authentication by the token alone, with the option of adding another token. Its security effect was highlighted in a cartoon published 14 years ago.

(2) Authentication by biometrics deployed in the ‘multi-entrance’ method with the token as the fallback measure, whose security is lower than that of (1) whatever it may be called, again with the option of adding another token.

A barren desert!

< Never too late to return! #3 >

If the password were removed from digital identity, security providers would have only the token and biometrics as security factors. As discussed in the previous #2–2 post, that makes it infeasible for anyone to come up with a reliable identity authentication system.

It appears that some people thought this predicament would go away if they declared that the PIN is not a password: the password should be removed, they say, but the PIN could stay, for use on its own or as the fallback measure for biometrics.

In the world where we live, the PIN is no more than a weak, numbers-only form of password. Therefore, when the password (the superordinate, generic concept) is removed, the PIN (the subordinate, specific concept) is removed with it. In the parallel world where those people live, by contrast, the PIN (the subordinate concept) can do what the password (the superordinate concept) cannot, as if a paper-knife could do what a knife cannot.

Security professionals would be expected to firmly reject such an unearthly conception as ‘PIN-dependent password-less authentication’.


Single-factor authentication by a password was the norm until some years ago. Recently, in view of rampant password phishing and data breaches, two-factor authentication by a password and something possessed has been recommended where security matters.

Now some people recommend removing the password altogether from the two-factor schemes and going back to single-factor authentication, this time by something possessed alone, carrying a PKI key or generating a one-time code.

It appears that corporations are obsessed with a ‘low-friction customer experience’. There would be nothing wrong with that if, wherever the lower friction is actually bought by sacrificing security, consumers were accurately informed that security is the price.

It would be a devastating mistake, however, if consumers were misled into believing that the lower-friction experience comes without damaging security when security is in fact damaged. Consumers could well be trapped in a serious false sense of security, which is even worse than a lack of security.


< ‘Password-less Authentication’ and ‘Biometrics as a Password-Killer’ >

These are two of the major distracters in digital identity, absorbing people's attention and deflecting them from the truly valid digital identity solutions.

Something detrimental should be removed, whereas something insufficient could be supplemented and enhanced. Mixing up the former and the latter would bring about a very strange situation in which something detrimental is enhanced and something insufficient is removed.

In cyberspace there are people who allege that something insufficient should be removed. With the password removed, identity authentication would indeed become much more convenient, not only for citizens but also for criminals. Sadly, the chief beneficiaries could well be the criminals rather than the citizens.

As for ‘Biometrics as Password-Killer’, this myth would be killed in two minutes with this video.

Recently we have noticed a ‘wrong interpretation’ of Risk-Based Authentication as another distracter in digital identity, though not as worrying as the above two hypes.


< Departure from Text Passwords >

We are witnessing a critical turning point in the history of identity assurance: departure from the time-honored seals, autographs and textual passwords towards next-generation authentication.

Although it is obvious that we can no longer continue to rely on conventional text-based passwords, we do not support the idea of ‘password-less’ (will/volition-less) identity authentication, which is not compatible with the values of democracy.

Nor do we support the idea of involving biometrics as a security tool, since in cyberspace biometrics has to be deployed in the ‘multi-entrance’ method with a password/PIN as the fallback means against false rejection. Such a deployment brings down the security that conventional password/PIN authentication has so far provided.

Expanded Password System, which accepts images as well as text, will help where ‘will/volition-confirmed identity authentication’ is needed. If packaged as an ‘image-to-text converter’ module, it can be easily, quickly and cheaply incorporated into the ubiquitous conventional text password systems.

< Farewell to Text Password >

Here is my latest article on Expanded Password System, published in a security media outlet.

The worst part of the global password predicament will melt away when people are offered a broader password choice.

Well-known technical programs related to digital identity, such as OAuth 2/3, OpenID Connect, FIDO 2 and eIDAS, are all complementary to Expanded Password System.

Expanded Password System can be flexibly implemented in various ways. If packaged as an ‘image-to-text converter’, it can be most easily incorporated into existing textual password systems: the user's image choices are converted into a text string, and the existing system handles that string exactly as it would any other password.
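The following is an added example, not the project's own code, of what packaging Expanded Password System as an ‘image-to-text converter’ in front of an unchanged text-password back end could look like; it also puts a number on the ‘high-entropy credential’ and ‘unique image matrix’ points made elsewhere in this archive. Everything about the converter is assumed here rather than taken from the page: per-user random identifiers for each image, an ordered sequence of chosen images as the credential, concatenation of those identifiers as the text handed to the legacy system, and salted PBKDF2 as that system's hashing.

```python
"""Expanded Password System packaged as an 'image-to-text converter'.

Added example, not the project's own code. Assumptions made here (the page
does not specify them):
  * every image in a user's matrix gets a random, per-user identifier at
    registration, so the same picture maps to different text for different users;
  * the credential is an ordered sequence of chosen images, and the text handed
    to the legacy system is the concatenation of their identifiers;
  * the legacy back end stores a salted PBKDF2-HMAC-SHA256 hash, as a typical
    text-password system would, and is not modified at all.
"""
import hashlib
import hmac
import math
import random

PBKDF2_ROUNDS = 50_000


def build_matrix(image_names, rng=None):
    """Assign each image a random opaque identifier (the image-to-text table).

    `rng` defaults to the OS CSPRNG; a seeded random.Random may be passed in tests.
    """
    rng = rng or random.SystemRandom()
    return {name: f"{rng.getrandbits(32):08x}" for name in image_names}


def images_to_text(matrix, chosen):
    """Convert the ordered sequence of chosen images into text for the back end.

    Order matters: the same images in a different order give different text.
    """
    return "".join(matrix[name] for name in chosen)


def legacy_register(text, rng=None):
    """Unchanged text-password back end: store salt + PBKDF2 hash of the text."""
    rng = rng or random.SystemRandom()
    salt = rng.getrandbits(128).to_bytes(16, "big")
    digest = hashlib.pbkdf2_hmac("sha256", text.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def legacy_verify(record, text):
    """Unchanged text-password check, with a constant-time comparison."""
    digest = hashlib.pbkdf2_hmac("sha256", text.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def register_images(matrix, chosen, rng=None):
    """Registration path: converter first, then the legacy system sees only text."""
    return legacy_register(images_to_text(matrix, chosen), rng)


def verify_images(record, matrix, chosen):
    """Login path: converter first, then the legacy system sees only text."""
    return legacy_verify(record, images_to_text(matrix, chosen))


def credential_bits(n_images, k_chosen, ordered=True):
    """Entropy in bits of choosing k of n images, ordered (P(n,k)) or not (C(n,k)).

    This is the 'high-entropy credential' claim in a form that can be checked.
    """
    size = math.perm(n_images, k_chosen) if ordered else math.comb(n_images, k_chosen)
    return math.log2(size)


if __name__ == "__main__":
    # Constructed sample: a 48-image personal matrix, 6 images chosen in order.
    alice_images = [f"photo_{i:02d}" for i in range(48)]
    alice_matrix = build_matrix(alice_images)
    alice_choice = ["photo_03", "photo_17", "photo_29", "photo_08", "photo_41", "photo_22"]
    record = register_images(alice_matrix, alice_choice)
    print("correct images, correct order:", verify_images(record, alice_matrix, alice_choice))
    print("correct images, wrong order:  ", verify_images(record, alice_matrix, alice_choice[::-1]))
    # Another user registering the very same pictures gets different identifiers,
    # so a matrix captured from one user is useless against another.
    bob_matrix = build_matrix(alice_images)
    print("same pictures, other user's matrix:", verify_images(record, bob_matrix, alice_choice))
    print(f"{credential_bits(48, 6):.1f} bits for 6 of 48 in order, "
          f"vs {math.log2(10_000):.1f} bits for a 4-digit PIN")
```

Because the legacy system only ever sees the concatenated identifiers, nothing about its storage, lockout or hashing policy has to change; the converter is the only new component, which is the point of the packaging described above.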


1. The password predicament remains unsolved until the password system gets expanded to offer a broader password choice.

2. Don’t be trapped in the myth of “password-less” authentication. Volition-less authentication could bring us into a 1984-like Dystopia.

3. Don’t be trapped in the false sense of security (illusion of safety) brought by biometrics used in the ‘multi-entrance’ method with a fallback password/PIN.

4. Watch what is happening with Expanded Password System and help with it where possible.



In this model, the vulnerability (attack surface) of an authenticator is expressed as a figure between 0 and 1: the probability that an attacker defeats it. The larger the figure, the larger the attack surface, i.e., the more vulnerable the authenticator. Assume, as just a thought experiment, that the vulnerability of the PKI-enabled token (x) is 1/10,000 and that the password (y) is ten times more vulnerable, say 1/1,000. When the two are deployed in the ‘multi-layer’ method, the attacker must defeat both, so the total vulnerability is the product of the two, (x) multiplied by (y), on the assumption that the two can be defeated independently of each other. The resulting figure of 1/10,000,000 means the combination is 1,000 times more secure than (x) alone.

On the other hand, when the two authenticators are deployed in the ‘multi-entrance’ method, defeating either one is enough, so the total vulnerability is (x) + (y) − (xy), approximately 0.0011. That is about 11 times less secure than (x) alone.

As such, ‘multi-layer’ and ‘multi-entrance’ must be clearly distinguished when talking about the security effects of multiple authenticators.

The (xy) term is deducted from (x) + (y) because the case in which both authenticators are defeated would otherwise be counted twice, once in (x) and once in (y). Equivalently, the multi-entrance vulnerability is 1 − (1 − x)(1 − y): the complement of the attacker failing against both.
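To make the multi-layer/multi-entrance arithmetic above, and the riddle about ‘device + (biometrics or fallback PIN)’ that appears further down this archive, checkable, here is a small added example in Python. It is not code from the original posts or from any product; it encodes the two combination rules under the model's assumption that each authenticator's figure is the probability an attacker defeats it and that the authenticators fail independently. The figures for the token and the password are the page's own thought-experiment values; the figure for biometrics (1/100) is an assumption made here, since the page gives none.

```python
"""Compromise-probability model for combining authenticators (added example).

'multi-layer'    = AND / in-series  : the attacker must defeat every authenticator
'multi-entrance' = OR  / in-parallel: defeating any one authenticator is enough

Modelling assumption (as in the page's thought experiment): each figure is the
probability that an attacker defeats that authenticator, and the authenticators
fail independently of one another.
"""
from math import prod

# Figures from the page's thought experiment (illustrative, not measured)
X_TOKEN = 1 / 10_000      # PKI-enabled token
Y_PASSWORD = 1 / 1_000    # password, ten times more vulnerable than the token
Z_BIOMETRIC = 1 / 100     # assumed here for the riddle; the page gives no figure


def vulnerability(scheme):
    """Return the probability that an attacker passes `scheme`.

    `scheme` is a number (one authenticator) or a tuple ('AND', [parts]) /
    ('OR', [parts]); parts may themselves be nested schemes.
    """
    if isinstance(scheme, (int, float)):
        return float(scheme)
    op, parts = scheme
    vals = [vulnerability(p) for p in parts]
    if op == "AND":   # multi-layer: product of the individual figures
        return prod(vals)
    if op == "OR":    # multi-entrance: inclusion-exclusion for independent events;
                      # for two parts this is x + y - x*y, so the 'both defeated'
                      # case is not counted twice
        return 1.0 - prod(1.0 - v for v in vals)
    raise ValueError(f"unknown operator {op!r}")


def times_more_secure(baseline, scheme):
    """How many times harder `scheme` is to defeat than `baseline` (<1 means weaker)."""
    return vulnerability(baseline) / vulnerability(scheme)


def page_thought_experiment():
    """Token + password as on the page: (multi-layer figure, multi-entrance figure)."""
    layer = vulnerability(("AND", [X_TOKEN, Y_PASSWORD]))     # 1/10,000,000
    entrance = vulnerability(("OR", [X_TOKEN, Y_PASSWORD]))   # about 0.0011
    return layer, entrance


def riddle_scheme(z_bio=Z_BIOMETRIC, y_pin=Y_PASSWORD, x_device=X_TOKEN):
    """Device AND (biometrics OR fallback PIN): the scheme in the riddle."""
    return vulnerability(("AND", [x_device, ("OR", [z_bio, y_pin])]))


def straightforward_two_factor(y_pin=Y_PASSWORD, x_device=X_TOKEN):
    """Device AND PIN: the plain two-factor scheme the page compares against."""
    return vulnerability(("AND", [x_device, y_pin]))


if __name__ == "__main__":
    layer, entrance = page_thought_experiment()
    print(f"multi-layer    token AND password: {layer:.3e} "
          f"({times_more_secure(X_TOKEN, ('AND', [X_TOKEN, Y_PASSWORD])):.0f}x more secure than token alone)")
    print(f"multi-entrance token OR  password: {entrance:.4f} "
          f"({1 / times_more_secure(X_TOKEN, ('OR', [X_TOKEN, Y_PASSWORD])):.1f}x less secure than token alone)")
    print(f"riddle: device AND (bio OR PIN)  : {riddle_scheme():.3e}")
    print(f"plain:  device AND PIN           : {straightforward_two_factor():.3e}")
    # Whatever figure biometrics is given, the OR branch can never be harder to
    # defeat than the PIN alone, so the riddle scheme is never stronger than
    # device AND PIN: 'below-2-factor' in the page's words.
    for z in (0.0, 0.001, 0.05, 0.5):
        assert riddle_scheme(z_bio=z) >= straightforward_two_factor() - 1e-15
```

The nested scheme form is the useful part: it lets you write down exactly which factors are in series and which are in parallel before anyone starts counting factors.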

< No Need to Wait >

Biometrics is already defeated by itself where it has to depend on a password/PIN as a fallback means against false rejection, as explained in this article.

And yet it is reported that consumers are still adopting fingerprints and selfies, presumably because

1. placing a finger on a sensor or taking a selfie looks far simpler and easier for consumers than typing a PIN/password;

2. consumers are not informed that the biometrics and the PIN/password they registered are deployed in the ‘multi-entrance’ method, which brings security down to a level lower than a PIN/password-only login. (Conversely, ‘multi-layer’ deployment raises security.)

While informed consent must be respected, misinformed consent must be corrected and disinformed consent punished, particularly when it brings about a serious case of the false sense of security (illusion of safety).

Biometrics vendors are expected to tell consumers expressly that biometrics is a tool to improve convenience, and that it must be used with an even stronger password if they do not want to ruin their security.


Here is our answer to the question asked in the linked riddle, which also appears further down this archive.

(3) is correct, i.e., it is neither a 3-factor nor a 2-factor authentication. It actually is a ‘below-2’-factor authentication, because in my question two of the three factors were assumed to be deployed in the ‘Multi-Entrance’ (EitherOr/in-parallel) method, not in the ‘Multi-Layer’ (BothAnd/in-series) method.

Logic dictates that when two authentication factors are deployed in the ‘Multi-Layer’ method, security goes up while convenience goes down. Conversely, security goes down while convenience goes up when they are deployed in the ‘Multi-Entrance’ method, as demonstrated in this video.

In cyberspace biometrics is usually deployed in the ‘Multi-Entrance’ method with a password/PIN as the fallback measure against false rejection. Saying “Biometrics is more convenient than a password” is fine, while “Biometrics is more secure than a password” is simply false.

However inconvenient and embarrassing to the people who have been saying otherwise, this is the fact.

< Little-Known Real Solution to Cyber Predicament by Text-Only Password Systems >

You are probably aware of the huge data breach that a student brought about in Germany. We expect not a few security professionals and tech/business media to be loudly suggesting such half-baked solutions as

1. throwing away easy-to-remember passwords and demanding what humans are unable to do;

2. adopting biometrics, without stating that it is deployed with a fallback password/PIN in the security-ruining ‘multi-entrance’ method;

3. adopting a password manager, without stating that it could create a single point of failure;

4. adopting multi-factor authentication, without stating that the password would be the last resort when the something-to-possess is broken, left behind, lost, copied or stolen;

5. eliminating passwords altogether, without stating that we would then be brought into a 1984-like dystopia.

However, the real picture is plain and clear: the current password predicament is caused by conventional password systems that accept nothing but numbers and characters.

There exists an incredibly simple solution to it: expansion of the password system.


‘Multi-Layer’ is also represented by ‘In-Series’, ‘In-Addition-To’, ‘All/BothAnd’ and ‘Conjunction’ in logic, while ‘Multi-Entrance’ is represented by ‘In-Parallel’, ‘Instead-Of’, ‘EitherOr’ and ‘Disjunction’.

Misinformation, once integrated into our long-term memory, becomes very difficult to correct, particularly when it was spread by big names. Below is a plain riddle to help you judge how free you are from a very serious piece of misinformation spreading in the sphere of identity assurance and cybersecurity.

Assume that a mobile device, upon verifying the user by ‘either biometrics or a fallback password/PIN’, uses its private key to sign a challenge (the private key itself never leaves the device; a certificate may accompany the signature) and sends the result to the authentication server, where the corresponding public key is stored. We count three factors in this scheme: what you have, what your body features are, and what you know/remember.

Is this scheme

1. a 3-factor authentication?

2. a 2-factor authentication?

3. neither a 3-factor nor a 2-factor authentication?

Which of (1), (2) and (3) do you think is the correct answer?


< OASIS Open Projects & Expanded Password System >

We announced at Consumer Identity World 2018 that we had been working on an OASIS Open Project for our Expanded Password System. We are excited to share that the project is in the ‘Draft Proposal’ stage, and we would like feedback from more of you.

At this point, fifty plus people have joined the project; now we need corporate support to get the ball rolling. Our Draft Charter for the project incorporates the takeaways from discussions at CIW2018 in Seattle and Amsterdam.

We believe the business benefits are tremendous, including a sizeable reduction in identity management overhead, and in breach impact, to boot. There is no need to replace any system you’ve already implemented. They can be augmented by Expanded Password System, whether you use FIDO, OAuth, OpenID Connect or whatever else.

We would like you to have a say in this project, and welcome your knowledge, insights and expertise. You can start by telling us what you think of our Charter; and whether better, easier-to-remember and easier-to-manage passwords for the global consumer is something you want to be part of.


< Where a subordinate concept is represented by a superordinate concept >

I attended a FIDO Alliance seminar on 7 December in Tokyo, where I heard FIDO staff confirm that, when they say “Password-less Authentication”, “Password” actually means “Password Used Online”. That is, at FIDO Alliance, “Password-less Authentication” means “OnlinePassword-less Authentication”.

Passwords used locally on devices are outside the scope of FIDO’s “Password-less Authentication”. As a matter of fact, FIDO people are apparently aware that the password is heavily relied upon and is actually being broadly used as a fallback means against false rejection of biometrics, as well as on its own.

If “OnlinePassword-less Authentication” can be represented by “Password-less Authentication”, then “Elderly People” could be represented by “People” and “Cybercrime” by “Crime”, couldn’t it? Leaving this kind of awkward rhetoric to small-time politicians, I would expect the people in charge to do the needful to sort out this confusing situation.

< Misinformation — Can ‘Multi-Entrance’ Deployment Replace ‘Multi-Layer’ Deployment? >

Misinformation, once integrated into our long-term memory, becomes very difficult to correct, particularly when it was spread by big names.

The distinction between ‘multi-layer’ and ‘multi-entrance’ deployments (in-series/AND/conjunction versus in-parallel/OR/disjunction) of two/multi factors is plainly demonstrated below.

< ‘Enhancing Lock/Key System’ of ‘Weak Door’ >

Enhancing the ‘weak panel’ is no alternative to enhancing the ‘weak lock/key’ system of a ‘weak door’, yet so many solution providers are crowding around the ‘weak panel’ and generating a red ocean, while very few are actually tackling the ‘weak lock/key’ issue.

Expanded Password System that we advocate enhances the analogous lock/key system with the following features

- It offers joy and fun

- It turns a weak password into a high-entropy credential

- It reduces the burden of managing the relation between accounts and the corresponding passwords

- It deters hard-to-defend phishing attacks

- It can be deployed in panicky situations

- It is supportive of biometrics, two/multi-factor authentications, password managers and single-sign-on services as well as simple pictorial/emoji-passwords and patterns-on-grids

- Its applications are to be found wherever people have been using text passwords and numerical PINs

- And, nothing would be lost for the people who want to keep using textual passwords

- Last but not least, it is democracy-compatible, by providing the chances and means to get our own volition confirmed in our identity assurance.



I was given good chances to have a lot of meaningful discussions in Seattle and Amsterdam at Consumer Identity World 2018. In all, I posted the following five articles on LinkedIn over the two conferences.

- Four Puzzling Issues of Identity Authentication

- Questions and Answers — Expanded Password System and Related Issues

- Presentation at KuppingerCole’s Consumer Identity World 2018 Europe

- Takeaways from Consumer Identity World Europe 2018

- Targeted/Spear Phishing and Expanded Password System

This article is a short summary of the above, as well as of the earlier discussions at OASIS.

When we say ‘the door is weak’, it could mean two things: ‘the door panel is weak’ or ‘the lock/key system is weak’. Enhancing the former is no alternative to enhancing the latter, and vice versa. And, needless to say, throwing away the weak lock/key is not a solution to the problem of a weak lock/key system. Our proposition is meant to solve the equivalent of the weak lock/key problem in the sphere of digital identity.

This article, which did not surprise me at all, might help explain the backdrop to why I concluded that I had started the Expanded Password System project (*) in the wrong place and decided to re-launch it outside Japan.


< Targeted/Spear Phishing and Expanded Password System >

Expanded Password System was not designed against phishing attacks, but deploying it wisely would help deter not only indiscriminate mass phishing but also targeted/spear phishing as one of its secondary effects.

Where users are encouraged to create their own unique image matrices with Expanded Password System, criminals would be discouraged from indiscriminate mass phishing by the heavy cost of capturing and reproducing thousands, millions or billions of image matrices, each unique to a different UserID.

A 2-channel Expanded Password System (*) could discourage targeted phishing, because the criminals would have to place both channels under their control simultaneously before starting the phishing attempt.

Alternatively, we could think of adding a second step of Expanded Password System, making it a ‘selective 2-step EPS’ for the users who opt for it, which makes the criminals’ job extremely heavy and complicated.

Criminals who persistently chase really valuable information assets could be discouraged if we deploy the 2-step EPS coupled with the 2-channel method.


< Takeaways from Consumer Identity World Europe 2018 >

I made the presentation of ‘Identity Assurance by Our Own Volition and Memory’, ‘Expanded Password System’ and ‘OASIS Open’ in Amsterdam on 30th October.

- Observations: The conventional password is hated, as everybody agrees, whereas the volitional password is absolutely necessary where democratic values matter. Where authentication of our identity happens without our knowledge or against our will, it is a 1984-like dystopia.

These observations lead us to conclude that we have to find the sort of password system that is not hated. Logic tells that there can be no other choice.

- Progress: We believe that we came up with the way out. It is Expanded Password System that accepts images/pictures as well as texts/characters.

Other subjects taken up in the article linked below are

- Conflicts between Security and Privacy

- On-the-fly Generation of Cryptographic Keys from Our Episodic Memory

- Sensible Use of Behavioral Biometrics for Authentication

- Informed Misinformed and Disinformed Consent

Coupled with the earlier takeaways from the Seattle conference, we may now have got a much more comprehensive understanding of all those enigmatic problems around cybersecurity and identity management.

< 3-Factor Authentication Weaker Than 2-Factor Authentication >

There is a voice claiming that deploying biometrics with a fallback password on a mobile device makes a 3-factor authentication (‘what your body features are’, ‘what you know’ and ‘what you have’). Even when the user is falsely rejected by the biometrics and required to use the password as the fallback means, the user is still protected by the two factors of ‘password’ and ‘device’, so the failure of the biometrics does not mean a decrease in security. That is their voice.

However, a straightforward 2-factor authentication made of ‘device’ and ‘password’ would have been cheaper, easier to implement and manage, and more secure. Multi-entrance solutions cannot displace multi-layer solutions.

* The difference between ‘in-series’ and ‘in-parallel’ (multi-layer and multi-entrance) deployments of two/multi factors is plainly demonstrated here.

The above observation is one of the takeaways from Consumer Identity World Europe 2018, which I attended in Amsterdam.

Coincidentally, there came the breaking news about the world’s largest deployment of biometrics. This sounds remarkably sensible in view of biometrics being an identification tool, not an authentication tool.

< Takeaways from Consumer Identity World USA 2018 >

The so-called #password-less #authentication, if implemented literally, would lead us to a world where we are deprived of the chances and means to get our #volition confirmed in having our #identity authenticated. It would be a #1984-like world, incompatible with the values of democratic societies.

Some people allege that passwords can and will be eliminated by #biometrics or a #PIN. But logic tells us that this can never happen, because the former requires a password/PIN as a fallback means and the latter is no more than the weakest, numbers-only form of password.

The various debates over ‘password-less’ or ‘beyond-password’ authentication only make it clear that the solution to the password predicament can be found only inside the family of broadly defined passwords.

< Presentation at KuppingerCole’s Consumer Identity World 2018 Europe >

I speak on 30 October in Amsterdam on what I have been advocating: that the #security of our cyber life depends on #identity assurance, which in turn relies on remembered #passwords, under the motto “Identity Assurance by Our Own Volition and Memory”.

Expanded Password System, now acknowledged as ‘Draft Proposal’ for #OASIS Open Projects, is supportive of

1. #Biometrics that require passwords as a #fallback means against false rejection

2. Two/multi-factor #authentications that require passwords as one of the factors

3. ID federations such as password managers and single-sign-on services that require passwords as the master-password.

4. Simple pictorial passwords, emoji-passwords and patterns-on-grid that can all be deployed on our platform

All with the effects that memorable images make us feel pleasant and relaxed and that it is easy to manage the relation between accounts and the corresponding passwords

5. And, nothing would be lost for the people who want to keep using textual passwords.

6. Last but not least, it is #democracy-compatible, by providing the chances and means to get our #volition confirmed in having our identity authenticated.



< Q&A on #Identity #Assurance, #Password, #Democracy, #Passwordless, #biometrics & #Dystopia >

Here are the questions and answers exchanged when I spoke about Expanded Password System that we advocate in front of the professional audience at Consumer Identity World 2018 Seattle in September.

Q: How would you like to define ‘Password’?

Q: What do you think about password-less #authentications?

Q: What merits and demerits do you see in ID federations?

Q: What do you think about two/multi-factor authentications?

Q: Why did you think of making use of episodic memory?

Q: What do you rely on for your understanding of episodic memory?

Q: Why do you think people have been sticking to characters for passwords?

Q: How can it cope with hacking of the image identifier data?

Q: What if users register the images that are easy for attackers to guess?

Q: How do you handle ‘combination’ and ‘permutation’ for image registration?

Q: What do you think about shoulder surfing?

Q: Can you tell us some more about false rejection as against false acceptance?

and more.

< Four Puzzling Issues of Identity Authentication >

At Consumer Identity World 2018 in Seattle, where I participated as a speaker, I noted strong voices proposing

1. Password-less Authentication

2. Use of PIN to eliminate passwords

3. Biometrics in two/multi-factor authentication for better security

4. Dilemma in physical tokens

What puzzled me were

1. Doesn’t ‘Passwordless’ mean ‘Volitionless’?

2. Isn’t ‘PIN’ the weakest form of numbers-only passwords?

3. Isn’t biometrics deployed with a fallback password ‘in parallel’, not ‘in series’?

4. What if we have dozens of accounts to protect heavily?

Below are my views expressed at the Seattle conference.

Advocate of ‘Identity Assurance by Our Own Volition and Memory’, Inventor of Expanded Password System and Founder of Mnemonic Identity Solutions Limited in UK.