What We Know for Certain about Authentication Factors
We are often asked to confirm that the Expanded Password System that we advocate is more secure or more user-friendly than text passwords, physical tokens and biometrics.
My answer is “It is unknowable. It’s in the sphere of agnosticism”.
A very poorly designed, implemented and operated Expanded Password System (EPS) could possibly be less secure and less user-friendly than other solutions that are wisely designed, implemented and operated.
— — — — — — — — — — — — — — — — —
Besides that, what we know for certain, by logic, about the various authenticators is the following:
A: ‘Yes/No’ on feeding the correct password/EPS and ‘Yes/No’ on presenting the correct token are deterministic, whereas biometrics, which measures the unpredictably variable body features of living animals in changing environments, is probabilistic.
B: It is practically impossible to compare the security of a strong or silly password with that of a poorly or wisely deployed physical token, even though both passwords and tokens are deterministic.
C: Direct comparison of something deterministic with something probabilistic would absolutely bring us nowhere.
D: Deterministic authenticators can be used on their own, whereas a probabilistic authenticator would lose its availability when used on its own, since it will sometimes reject the legitimate user.
E: Deterministic authenticators can be used together in a security-enhancing ‘multi-layer’ (AND) deployment, whereas a probabilistic authenticator can be used with another authenticator only in a security-lowering ‘multi-entrance’ (OR) deployment, unless we are prepared to forgo availability.
F: Removal of the password brings a catastrophic loss of security. It also poses a grave threat to democracy.
G: A PIN belongs to the password family as a numbers-only password; displacing passwords with PINs is like displacing the ‘knife family’ with ‘paper knives’.
H: Password/EPS, token and biometrics are ‘authenticators’, while two/multi-factor schemes, decentralized/distributed digital identity, single-sign-on schemes and password management tools are all ‘deployments of authenticators’; we would obtain nothing by comparing the former with the latter.
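To make points D and E concrete, here is an added example (mine, not the author's or the project's code) that models each authenticator by its false-acceptance and false-rejection rates and composes them in ‘multi-layer’ (AND) and ‘multi-entrance’ (OR) deployments. The error rates are constructed sample values, and the two checks in a combination are assumed to fail independently.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    """An authenticator described by its two error rates.
    far: false acceptance rate, the chance an impostor is let in.
    frr: false rejection rate, the chance the legitimate user is turned away.
    A deterministic authenticator (password, token) has frr == 0: the correct
    secret is always accepted, so far reflects only guessing or theft.
    A probabilistic authenticator (biometrics) always has frr > 0."""
    name: str
    far: float
    frr: float

    @property
    def deterministic(self) -> bool:
        return self.frr == 0.0


def multi_layer(a: Authenticator, b: Authenticator) -> Authenticator:
    """'Multi-layer' (AND) deployment: both checks must pass.
    Assumes the two checks fail independently. An impostor must beat both,
    so far shrinks; the user is rejected if either rejects, so frr grows."""
    return Authenticator(f"{a.name} AND {b.name}",
                         far=a.far * b.far,
                         frr=1 - (1 - a.frr) * (1 - b.frr))


def multi_entrance(a: Authenticator, b: Authenticator) -> Authenticator:
    """'Multi-entrance' (OR) deployment: passing either check suffices.
    Availability returns (frr shrinks) but an impostor now has two doors,
    so far grows beyond that of the stronger part used alone."""
    return Authenticator(f"{a.name} OR {b.name}",
                         far=1 - (1 - a.far) * (1 - b.far),
                         frr=a.frr * b.frr)


# Constructed sample rates for illustration only, not measured figures.
PASSWORD = Authenticator("password", far=1e-6, frr=0.0)
TOKEN = Authenticator("token", far=1e-4, frr=0.0)
BIOMETRIC = Authenticator("biometric", far=1e-3, frr=0.05)

if __name__ == "__main__":
    for combo in (multi_layer(PASSWORD, TOKEN),
                  multi_layer(PASSWORD, BIOMETRIC),
                  multi_entrance(PASSWORD, BIOMETRIC)):
        print(f"{combo.name:24} FAR={combo.far:.2e} FRR={combo.frr:.3f}")
```

Layering password with token keeps FRR at zero while cutting FAR; layering password with the biometric inherits the biometric's FRR (availability lost), and the OR fallback that restores availability raises FAR above either part alone.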
— — — — — — — — — — — — — — — — —
I have heard many different observations from a number of security professionals. I will certainly welcome refutations.
We have the know-how to have the Expanded Password System wisely designed, implemented and operated, with rich experience of building the image-to-code conversion software modules for re-generating cryptographic keys on the fly from our episodic image memory.