Some More Topics on Digital Identity #8–2
Let me try a breakdown of the passwordless concept.
(1) Password-less + nothing else; the least secure
(2) Password-less + something else; more secure than (1)
(3) Password + something else: here is where the argument lies
By our criteria, security increases from (1) to (3). However, by the “passwordless” folks’ criteria, (2) is viewed as more secure than (3), presumably because the attack surface of the password is removed in (2) whereas it remains in (3).
Well, let me try the same for “token-less” login.
(1) Token-less + nothing else; the least secure
(2) Token-less + something else; more secure than (1)
(3) Token + something else: here is where the argument lies
By our criteria, security increases from (1) to (3). However, by the “passwordless” folks’ criteria, (2) should then be viewed as more secure than (3), because the attack surface of the token is removed in (2) whereas it remains in (3).
Did you find it fun or very worrying?
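To make the disagreement concrete, here is an added example (not code from the original post; the per-factor probabilities are assumptions chosen only to make the orderings visible, not measurements). It scores the three options for either factor under two composition rules: the attacker has to defeat every factor, or any single factor on its own grants access, as happens when one factor is kept as a fallback for the other.

```python
"""Factor-composition model for the "X-less" argument.

Added example, not from the original post. It encodes the post's three
options for a factor X ("X-less + nothing", "X-less + something else",
"X + something else") and shows under which composition rule each side's
ranking holds. All probabilities are illustrative assumptions.
"""
from math import prod

# Assumed probability that one attack campaign defeats the factor on its own.
P_PASSWORD = 0.30   # phishing, reuse, guessing (assumption)
P_TOKEN = 0.05      # stolen or cloned hardware token (assumption)
NO_AUTH = 1.0       # "nothing else": every request is accepted


def p_break_all_required(factors):
    """Attacker must defeat every factor (conjunctive: password AND token).

    An empty factor list means no authentication at all: always broken.
    """
    if not factors:
        return NO_AUTH
    return prod(factors)


def p_break_any_suffices(factors):
    """Any single factor grants access (disjunctive: password OR token fallback).

    An empty factor list means no authentication at all: always broken.
    """
    if not factors:
        return NO_AUTH
    return 1.0 - prod(1.0 - p for p in factors)


def options(x, other):
    """The post's three options for a factor X alongside some other factor."""
    return {
        "(1) X-less + nothing else": [],
        "(2) X-less + something else": [other],
        "(3) X + something else": [x, other],
    }


def rank(opts, compose):
    """Option names ordered most secure (lowest break probability) first."""
    return sorted(opts, key=lambda name: compose(opts[name]))


def password_case():
    """X is the password, the 'something else' is a token."""
    return options(P_PASSWORD, P_TOKEN)


def token_case():
    """X is the token, the 'something else' is a password."""
    return options(P_TOKEN, P_PASSWORD)


if __name__ == "__main__":
    for label, opts in (("password", password_case()), ("token", token_case())):
        for rule in (p_break_all_required, p_break_any_suffices):
            print(label, rule.__name__, rank(opts, rule))
```

Under the first rule, (3) ranks above (2) for both the password and the token, which is the ordering argued above. Under the second rule, (2) ranks above (3) for both, which is the ordering the “passwordless” argument relies on. The model flips the same way for the token as for the password, so in this model it is the composition rule, not the kind of factor, that decides the ranking.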
Ref: “I support Passwordless Authentication where Convenience Matters More than Security”
As an appendix to the series ‘Identity Assurance by Citizens’ Non-Volatile Autobiographic Memory #1 — #19’, I am discussing some more topics on digital identity. It may well say much more about the very broad scope of our activity.
*P32 of “Fend Off Cybercrime with Episodic Memory”