Dissection of Passwordless MFA

Hitoshi Kokumai
Apr 24, 2023


I found this report very inviting — “What are passkeys? A cybersecurity researcher explains how you can use your phone to make passwords a thing of the past” https://theconversation.com/what-are-passkeys-a-cybersecurity-researcher-explains-how-you-can-use-your-phone-to-make-passwords-a-thing-of-the-past-196643

Can the password really be made ‘a thing of the past’ by ‘passwordless MFA’ such as passkeys, which are presumably made up of the three factors below?

1. PKI — known for decades to be effective at proving the authenticity of a device by means of a private key embedded in it. It is a good tool for device/machine authentication. (Strictly, passkeys use a per-site public/private key pair registered directly with the website rather than certificates, but the property relied on here is the same: only the holder of the private key can sign the site’s challenge.)

2. Biometrics — supposed to authenticate the person who holds the key-bearing device, but only when the biometric matcher does not falsely reject the user.

3. PIN code — supposed to authenticate the person only when the biometrics falsely reject the user. (A PIN code is no more than a numbers-only password, yet it is deemed not to count as a password when the solution is billed as ‘passwordless’. In passkeys the PIN, like the biometric, is checked locally on the device to unlock the key; it is never sent to the website, which receives only the signature.)

The problems we identify therein are:

A. Meaning of MFA

While it is often called ‘MFA’ because three factors are ostensibly involved, we should call it quasi-MFA: factors (2) and (3) are deployed in a two-entrance, in-parallel formation, where passing either one unlocks the key, and that gives less security than two factors deployed in a two-layer, in-series formation, where both must be passed.
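As an added worked calculation, not part of the original article, the difference between the two formations can be put in numbers. Let $p_b$ be the probability that an impostor is accepted by the biometric matcher (its false-accept rate) and $p_p$ the probability that the impostor hits the PIN within the attempts the device allows; the two are taken as independent, and the figures below are assumed for illustration, not measured.

$$
\begin{aligned}
P_{\parallel} &= 1-(1-p_b)(1-p_p) = p_b + p_p - p_b\,p_p \;\ge\; \max(p_b,\,p_p),\\
P_{\text{series}} &= p_b\,p_p \;\le\; \min(p_b,\,p_p).
\end{aligned}
$$

With the assumed values $p_b = 10^{-4}$ and $p_p = 8/10^{4} = 8\times10^{-4}$ (eight tries at a uniformly chosen four-digit PIN) this gives $P_{\parallel} \approx 9.0\times10^{-4}$ against $P_{\text{series}} = 8\times10^{-8}$, a gap of more than ten thousand to one. The parallel arrangement is not an accident, though: it exists so that a user whom the matcher falsely rejects can still get in, and the series arrangement would turn every such false rejection into a failed login.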

B. Private Key of PKI

A private key embedded in a device is vulnerable to theft and abuse. The risk grows when the key is copied and stored somewhere else, online or offline. (This is the distinction between a device-bound passkey, whose key lives in a secure element designed to be non-exportable, and a synced passkey, whose key is replicated in encrypted form through the platform vendor’s cloud to every device on the account. A copy of the key signs exactly as well as the original, and the website cannot tell the two apart.)

C. Troubles of Pincode

Users of the likes of passkeys still have to live with the dilemma of a PIN code that is either easy to remember or easy to break. (What keeps a four- or six-digit PIN defensible in practice is not its entropy but the authenticator’s retry counter: a FIDO2 authenticator locks the PIN after a small number of consecutive wrong guesses, eight in the CTAP2 specification, so the small guess space only matters against an attacker who can also get past that counter.)
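As an added example, not code from the original article nor from Mnemonic Identity Solutions, the following Go model ties the three-factor list and points A to C together. It mimics how a passkey-style authenticator behaves: a P-256 private key that is meant to stay on the device, a user-verification gate in which a biometric match or a correct PIN (either one) unlocks signing, a retry counter on the PIN, and a relying party that stores only the public key and checks a signature over its own identifier plus a fresh challenge. Everything here is assumed for illustration: the `Authenticator`, `Sign`, `Verify` and `StealKey` names, the eight-attempt retry limit borrowed from CTAP2, the PIN `2580`, and the relying-party name `example.com`. A real WebAuthn assertion covers more fields (authenticator data, client data hash, a signature counter); this keeps only the pieces the argument above turns on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"fmt"
)

const maxPinRetries = 8 // CTAP2-style consecutive-failure limit (assumed for this model)

// Authenticator models a passkey-style device: a P-256 key meant never to leave it,
// gated by local user verification (biometric OR PIN).
type Authenticator struct {
	priv       *ecdsa.PrivateKey
	pin        string
	pinRetries int // remaining wrong-PIN attempts; 0 means the PIN is locked
}

// NewAuthenticator enrols a fresh key pair together with a user-chosen PIN.
func NewAuthenticator(pin string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pin: pin, pinRetries: maxPinRetries}, nil
}

// PublicKey is all the relying party stores at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// UserVerify is the two-entrance gate: a biometric match OR the correct PIN opens it.
func (a *Authenticator) UserVerify(biometricMatch bool, pinAttempt string) bool {
	if biometricMatch {
		return true
	}
	if a.pinRetries == 0 {
		return false // locked: a real CTAP2 authenticator needs a reset at this point
	}
	if subtle.ConstantTimeCompare([]byte(pinAttempt), []byte(a.pin)) == 1 {
		a.pinRetries = maxPinRetries
		return true
	}
	a.pinRetries-- // each wrong guess burns one retry; this, not PIN length, limits online guessing
	return false
}

// assertionDigest binds the signature to the relying party and a fresh challenge,
// so a captured assertion cannot be replayed at another site or at a later login.
func assertionDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// SignWith produces an assertion with whatever private key the caller holds.
func SignWith(priv *ecdsa.PrivateKey, rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(rpID, challenge))
}

// Sign is the honest path: the device signs only after user verification passes.
// Neither the PIN nor the biometric verdict leaves the device; only the signature does.
func (a *Authenticator) Sign(rpID string, challenge []byte, biometricMatch bool, pinAttempt string) ([]byte, error) {
	if !a.UserVerify(biometricMatch, pinAttempt) {
		return nil, fmt.Errorf("user verification failed")
	}
	return SignWith(a.priv, rpID, challenge)
}

// NewChallenge is the relying party's random nonce for one login attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand only fails on a broken platform RNG (never, from Go 1.24)
	return c
}

// Verify is the relying party side: holding only the public key, it cannot tell
// which copy of the private key produced the signature.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, assertionDigest(rpID, challenge), sig)
}

// StealKey models point B: the key is serialised, as a copy to disk or a sync would,
// and parsed back by whoever obtained the bytes. The copy has no UV gate at all.
func StealKey(a *Authenticator) (*ecdsa.PrivateKey, error) {
	der, err := x509.MarshalECPrivateKey(a.priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseECPrivateKey(der)
}

func main() {
	auth, _ := NewAuthenticator("2580") // constructed demo PIN
	ch := NewChallenge()
	sig, err := auth.Sign("example.com", ch, false, "2580") // biometric rejected, PIN correct
	fmt.Println("honest login accepted:", err == nil && Verify(auth.PublicKey(), "example.com", ch, sig))
	stolen, _ := StealKey(auth)
	sig, _ = SignWith(stolen, "example.com", ch) // no UV gate, no retry counter
	fmt.Println("stolen copy accepted:", Verify(auth.PublicKey(), "example.com", ch, sig))
}
```

Run it with `go run`: the first line shows the PIN entrance producing an assertion the server accepts; the second shows that a serialised copy of the key, signing with no user verification and no retry counter, is accepted just the same, which is the concrete content of point B. Calling `Sign` with `maxPinRetries` wrong guesses in a row makes it refuse even the correct PIN afterwards until the authenticator is reset, which is the concrete content of the retry-counter caveat under point C, while the biometric entrance keeps working, which is the in-parallel formation of point A.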

Then, What Can We Offer?

Our PKI solution for online login, which we plan to put on the global market following the Mnemonic Gateways password manager, will relieve PKI users of their concerns about the theft and abuse of their private keys.

By turning the function that regenerates multiple high-entropy passwords on the fly from users’ non-volatile image memory into one that regenerates multiple PKI private keys in the same way, we will easily be able to achieve what the likes of passkeys can by no means achieve.

………………

Above is the gist of an article of the same title, linked below: https://www.linkedin.com/pulse/dissection-passwordless-mfa-hitoshi-kokumai/


Written by Hitoshi Kokumai

Advocate of ‘Identity Assurance by Our Own Volition and Memory’, Inventor of Expanded Password System and Founder of Mnemonic Identity Solutions Limited in UK.
