Most Important Area of Cybersecurity — It’s Where We Are Working
It is very encouraging to see Prof Bill Buchanan, a renowned cryptographer, identify Identity and Access Management as the most important area of cybersecurity, the one where we are struggling not to lose the battle with bad actors. The professor and I currently hold somewhat different views, though, on the best practice required for solid identity assurance.
I was called out by Tim Pietruck and shahiN Noursalehi on Prof Bill Buchanan’s post in the Cryptographers and Cryptanalysts Group: https://www.linkedin.com/feed/update/urn:li:activity:7067740367579664384
Below is my comment left there.
Well, everyone talks about the pain of being forced to keep using the password (which, depending on the context, could mean a text-only password or a secret credential as a whole).
While I share their pain about text-only password systems, I look to the potential of expanding the password to include non-text memory objects besides textual ones. Specifically, making use of citizens’ non-volatile episodic memory, say, the memory of emotion-coloured personal experiences, especially pleasant ones, as the seed of a secret credential.
I will not discuss our proposition today. Instead, I would like to direct your attention to the perils of removing the password (the secret credential) from digital identity.
I reckon that removal of the password would increase identity security where (and only where) the attack surface of the password is larger than its defense surface.
I would very much appreciate the group members’ feedback on this analysis — “How to not see our weak digital identity further weakened” https://www.linkedin.com/pulse/how-see-our-weak-digital-identity-further-weakened-hitoshi-kokumai/
Counterarguments from people who disagree with me will certainly be very welcome.
PS I could have added that biometrics is playing a critical role among those who want to see the password removed.
Two minutes spent on this short video will convince us, immediately and completely, that biometrics used with a default/fallback password/PIN code destroys the security that the password/PIN code has somehow provided so far: “Biometrics in Cyber Space — ‘below-one’ factor authentication” https://youtu.be/wuhB5vxKYlg
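The arithmetic behind the “below-one factor” argument can be made concrete. The following is an added illustration written for this page, not code from the author or from the video: it compares the false-acceptance probability of a fallback PIN alone, a biometric alone, the usual phone-style deployment where either one unlocks the account (an OR composition), and a true two-factor deployment where both must be passed (an AND composition). The biometric false-accept rate of 1 in 50,000, the 4-digit PIN and the 5-guess lockout are assumed placeholder values, not measurements of any product.

```python
"""Added illustration (not from the original post): why a biometric used
with a fallback PIN is weaker than the PIN alone.

All numeric rates below are ASSUMED placeholders for the sake of the
comparison, not measured values for any real device.
"""


def false_accept_or(p_bio: float, p_fallback: float) -> float:
    """Acceptance probability when EITHER the biometric OR the fallback
    credential opens the account (the common phone-style deployment).

    An attacker with two independent ways in succeeds if either works,
    so the failure probabilities multiply and the combined acceptance
    probability is never lower than the weaker of the two alone.
    """
    return 1.0 - (1.0 - p_bio) * (1.0 - p_fallback)


def false_accept_and(p_bio: float, p_fallback: float) -> float:
    """Acceptance probability when BOTH must be passed (genuine two-factor).

    Here the attacker needs both paths to succeed, so the probabilities
    multiply and the result is lower than either factor alone.
    """
    return p_bio * p_fallback


def guess_probability(digits: int, attempts: int) -> float:
    """Chance that an online guessing attacker opens a uniformly random
    numeric PIN of `digits` digits within `attempts` tries, assuming the
    lockout is enforced and cannot be bypassed."""
    space = 10 ** digits
    return min(attempts, space) / space


def compare(p_bio: float, pin_digits: int, attempts: int) -> dict:
    """Return the acceptance probability of each configuration plus two
    flags saying whether the OR deployment is weaker than each factor alone."""
    p_pin = guess_probability(pin_digits, attempts)
    p_or = false_accept_or(p_bio, p_pin)
    p_and = false_accept_and(p_bio, p_pin)
    return {
        "pin_only": p_pin,
        "biometric_only": p_bio,
        "biometric_or_pin": p_or,
        "biometric_and_pin": p_and,
        "fallback_weakens_pin": p_or > p_pin,
        "fallback_weakens_biometric": p_or > p_bio,
    }


if __name__ == "__main__":
    # Assumed inputs: biometric FAR of 1 in 50,000, a 4-digit PIN and a
    # lockout after 5 wrong guesses. Placeholders, not product figures.
    result = compare(p_bio=1 / 50_000, pin_digits=4, attempts=5)
    for name, value in result.items():
        print(f"{name:28s} {value}")
```

Under these assumed inputs the PIN alone yields a 1-in-2,000 chance per lockout window, the biometric alone 1 in 50,000, and the OR deployment about 1 in 1,923: slightly worse than the PIN and much worse than the biometric, which is the “below-one factor” point. Only the AND deployment (1 in 100,000,000) actually adds security; a fallback path by construction cannot.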
By the way, the schema below may help in understanding what drives those people to think of throwing away the password.