Hypothesis? — Yes, it was Hypothesis Two Decades Ago

Hitoshi Kokumai
Apr 25, 2023


In 2000, when we started to apply for patents, it was no more than a thought experiment.

In 2001, when we had PoC software running on a pocket computer, it could still be called a hypothesis.

In 2004 it was definitely no longer a hypothesis — being used by 20,000 ecommerce consumers in the real world.

In 2005 it was deployed on mobile phones as well as PCs.

In 2008 it was enjoyed by 140,000 consumers.

In 2013 it was adopted by the Japanese Army for exchange of encrypted data with field communications vehicles and is now expected to stay in use for 10 more years.

I restate the above expressly in view of the rumours still circulating among some security/identity people that our proposition of the Expanded Password System is no more than an unproven hypothesis.

* Reference *

“When, why and how Expanded Password System was developed” https://www.linkedin.com/pulse/when-why-how-expanded-password-system-developed-hitoshi-kokumai/

“Summary and Brief History — Expanded Password System” https://www.linkedin.com/pulse/summary-brief-history-expanded-password-system-hitoshi-kokumai

What are we now doing — “Mnemonic Gateways as Leading Digital Identity App” https://www.linkedin.com/pulse/mnemonic-gateways-leading-digital-identity-app-hitoshi-kokumai/

……………………………………

Remark: Entropy and confidentiality of the credentials are the top priority along with user-friendliness.

- Entropy: Threats of ‘visual-manual attacks on display’ are very different to ‘automated brute force attacks’ on the data server. A figure of ‘20-bits’, say, a million attempts, for instance, would be just a bad joke against automated attacks, whereas it would make a pretty tall wall against visual-manual attacks on display.

The entropy of a combination of several images against automated brute force attacks? — It can easily exceed a million bits.

- Confidentiality: Since 2004 we have made it an iron rule to not store any secret credentials in the authentication program, but to get them generated and regenerated on-the-fly from users’ non-volatile image memory when (only when) needed.


Written by Hitoshi Kokumai

Advocate of ‘Identity Assurance by Our Own Volition and Memory’, Inventor of Expanded Password System and Founder of Mnemonic Identity Solutions Limited in UK.
