Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022

Fend Off Cybercrime by Citizens’
Non-Volatile Episodic Memory
with the values of democracy
29th August, 2022
Mnemonic Identity Solutions Limited
90-second introductory video
Hello,
Digital Transformation would be a pipe dream if it’s not supported by a practicable
means of identity authentication that is secure and yet stress-free, desirably giving us
joy and fun
I am Hitoshi Kokumai, advocate of ‘Identity Assurance by Our Own Volition and
Memory’. I’ve been promoting this principle for 21 years now.
Our company, Mnemonic Identity Solutions Limited (MIS), set up in August 2020 in
United Kingdom for global operations, is a Start-Up as a corporation but it’s more than
a Start-Up as a business entity. We set it up in order to globally expand what its
predecessor named Mnemonic Security, Inc. started in Japan in late 2001.
We have a 20 years long pre-history of technology development, product making and
commercial implementations with some US$1 million sales. Our champion use case is
Japanese Army deploying our product on field vehicles since 2013 and still using it.
At MIS we are now going to help global citizens fend off cybercrime by their non-
volatile episodic memory, with the values of democracy.
Let me present a 90-second introductory video

Problem to Solve
Passwords are
Hard to manage
And yet, absolutely
necessary
Identity theft and
security breaches
are proliferating Critical problem
requiring valid and
practical solutions
2
1. We have a big headache. Passwords are hard to manage, and yet, the passwords
are absolutely necessary.
2. Democracy would be lost where the password was lost and we were deprived of
the chances and means of getting our own volition confirmed in having our identity
authenticated.
When authentication happens without our knowledge or against our will, it is a 1984-
like Dystopia.
3. Identity theft and security breaches are proliferating.
4. This critical problem requires solid and practical solutions.

Basics of Authentication Factors
‘Yes or No’ on feeding correct passwords and ‘Yes or No’ on presenting correct tokens
are deterministic, whereas biometrics which measures unpredictably variable body
features of living animals in changing environments is probabilistic.
It is practically impossible to compare the security of a strong or silly password with
that of a poorly or wisely deployed physical token even though both passwords and
tokens are deterministic,
Deterministic authenticators can be used on its own, whereas a probabilistic
authenticator would lose its availability when used on its own. Direct comparison of
something deterministic and something probabilistic would absolutely bring us
nowhere.
Deterministic authenticators can be used together in a security-enhancing ‘multi-layer’
deployment, whereas probabilistic authenticators can be used with another
authenticator only in a security-lowering ‘multi-entrance’ deployment unless we can
forget the availability as illustrated here.
Password, token and biometrics are ‘authenticators’, while two/multi-factor schemes,
decentralized/distributed digital identity, single-sign-on schemes and password
management tools are all ‘deployment of authentication factors’; We would obtain
nothing by comparing the former with the latter.
Well, removal of the password brings a catastrophic loss of security. It also makes a
grave threat to democracy. We will separately talk this issue later.

Volition and Memory
(1) Volition of the User
– with Self-Determination
(2) Practicability of the Means
– for Use by Homo sapiens
(3) Confidentiality of the Credentials
– by ‘Secret’ as against ‘Unique’
We are of the belief that there must be three prerequisites for identity assurance.
1. First of all, identity assurance with NO confirmation of the user’s volition would
lead to a world where criminals and tyrants dominate citizens.
Democracy would be dead where our volition was not involved in our identity
assurance. We must be against any attempts to do without what we remember, recall ,
recognize and feed to login volitionally.
2. Secondly, mathematical strength of a security means makes sense so long as the
means is practicable for us Homo sapiens. A big cake could be appreciated only if it’s
edible.
3. Thirdly, being ‘unique’ is different from being ‘secret’. ‘Passwords’ must not be
displaced by the likes of ‘User ID’. I mean, we should be very careful when using
biometrics for the purpose of identity authentication, although we don’t see so big a
problem when using biometrics for the purpose of individual identification.
Identification is to give an answer to the question of “Who are they?”, whereas
authentication is to give the answer to the question of “Are they the persons who
claim to be?” Authentication and identification belong to totally different categories.
The answer for the former can only be given somewhere in between very probable and
very improbable, whereas the answer for the latter should given definitively ‘Yes,
accept’ or ‘No, reject’. Mixing the two up and we will see a very bad confusion.

What’s New?
The idea of using pictures has been around for two
decades.
New is encouraging people to make use of citizens’
non-volatile episodic image memories.
The idea of using pictures for passwords is not new. It’s been around for well more
than two decades, but the simple forms of pictorial passwords were not as useful as
had been expected. UNKNOWN pictures we manage to remember afresh are still easy
to forget or get confused.
Expanded Password System is new in that it offers a choice to make use of KNOWN
images that are associated with our autobiographic/ episodic memories, as you saw
earlier in the introductory video.

Since the images of episodic memory are not only Non-Volatile but also are the least
subject to INTERFERENCE of MEMORY,

it enables us to manage dozens of unique strong passwords without reusing the same
password across many accounts or carrying around a memo or storage with passwords
on it.
Furthermore, watching memorable images makes us feel comfortable, relaxed and
even healed.

Broader Choice
If only text and # are OK It’s a steep climb …
to memorize
text/number passwords
to lighten the load of
text passwords
to make use of
memorized images
３ＵＶＢ９ＫＵＷ
【Text Mode】【Graphics Mode】【Original Picture Mode】
Recall the remembered
password
Recognize the pictures
remembered in stories
Recognize the unforgettable
pictures of episodic memories
Think of all those ladders you have to climb in Donkey Kong ;-)
Low memory ceiling Very high memory ceiling
High memory ceiling
+ +
8
Shall we have a bit closer look at what it offers?
So far, only texts have been accepted for password systems. It was, as it were, we
have no choice but to walk up a long steep staircase.
With Expanded Password System, we could imagine a situation that escalators and
elevators are provided along with the staircase.
Where we want to continue to use text passwords, we could opt to recall the
remembered passwords, although the memory ceiling is very low,. Most of us can
manage only up to several of them.
We could opt to recognize the pictures remembered in stories where we want to
reduce the burden of text passwords. The memory ceiling is high, say, we would be
able to manage more and more of them.
Where we choose to make use of episodic image memory, we would only need to
recognize the unforgettable images, say, UNFORGETTABLE images. There is
virtually no memory ceiling, that is, we would be able to manage as many passwords
as we like, without any extra efforts.

Relation of Accounts & Passwords
Account A Account B Account C Account D
Account E,
F, G, H, I, J,
K, L-----------
Unique matrices of images allocated to different accounts.
At a glance you will immediately realize what images you
should pick up as your passwords for this or that account.
9
Being able to recall strong passwords is one thing. Being able to recall the relation
between accounts and the corresponding passwords is another.
When unique matrices of images are allocated to different accounts, those unique
image matrices will be telling you what images you should pick up as your password
for this or that account.
When using images of our episodic memories, the Expanded Password System will thus
free us from the burden of managing the relation between accounts and the
corresponding passwords.

Isn’t Episodic Memory Malleable?
We know that
episodic
memories can
change easily.
… But that doesn’t
matter for
authentication. It
could even help.
10
It’s known that episodic memories are easily changeable.
What we remember as our experience may have been transformed and not objectively
factual. But it would not matter for identity authentication.
What we subjectively remember as our episodic memory could suffice.
From confidentiality’s point of view, it could be even better than objectively factual
memories since no clues are given to attackers.

What
about
Entropy
‘CBA123’ IS
ABSURDLY WEAK.
WHAT IF ‘C’ AS AN
IMAGE GETS PRESENTED
BY SOMETHING LIKE
‘X4S&EI0W’ ?
WHAT IF ‘X4S&EIWDOEX7RVB%9UB3MJVK’
INSTEAD OF ‘CBA123’ GETS HASHED?
11
Generally speaking, hard-to-break passwords are hard-to-remember. But it’s not the
fate of what we remember.
It would be easily possible to safely manage many of high-entropy passwords with
Expanded Password System that handles characters as images.
Each image or character is represented by the image identifier data which can be of
any length.
1. Assume that your password is “CBA123”
2. and that the image ‘C’ is identified as X4s& eI0w, and so on.
3. When you input CBA123, the authentication data that the server receives is not
the easy-to-break “CBA123”, but something like “X4s&eI0wdoex7RVb%9Ub3mJvk”,
which could be automatically altered periodically or at each access where desired.
By the way, threats of 'visual-manual attacks on display’ are very different to
'automated brute force attacks’.
A figure of ’20-bit’, for instance, would be just a bad joke against automated attacks,
whereas it would make a pretty tall wall against visual-manual attacks on display.

A
Huge Improvement
• Password fatigue alleviated for all
• Better security for password-managers and SSO services
• Even better security for two/multi-factor authentications
• Less vulnerable security for biometric products
Backward-Compatible
• Nothing lost for users who wish to keep using text passwords
Enjoyable Login
• Get the images in your matrix registered. It’s easy and joyful.
12
What to Gain
Passwords are now both secure and stress-free.
People who enjoy handling images will gain both better security and better
convenience. The only extra effort required is to get these images registered; but
people already do that across social media platforms and seem to love it.
Then, huge improvement.
1 .Password fatigue would be alleviated for all.
2. Better security for password mangers and single-sign-on services.
3. Even better security for multi-factor authentications.
4. Less vulnerable security for biometrics.
5. And, It’s backward-compatible. Nothing would be lost for the people who wish to
keep using text passwords.
6. On top of all these gains, enhancing your passwords itself is now fun.

Typical Use Case
Japan’s Army adopted our
product for accepting ‘Panic-
Proof’ and yet ‘Hard-to-
Break’ credentials.
Japan Ground Self-Defense Force, aka, Army is using Expanded Password System for
authentication of the personnel who handle the encrypted data exchange between
commanders and field communications vehicles since 2013.
Some 460 licenses were offered to each field communications vehicle. With each
vehicle shared by multiple soldiers, the number of people who use our solution are
now supposed to be in many thousands.
The number of licenses increased more than 10-fold over the 9-year period of use from
2013. We humbly assume that they are well satisfied with us.

Client Software
for
Device Login
Applications Login
Image-to-Code Conversion
Server Software
for
Online-Access
2-Factor Scheme
Open ID Compatible
Data Encryption Software
with on-the-fly key generation
Single & Distributed Authority
Unlimited Use Cases
14
Applications of Expanded Password System will be found
Wherever people have been dependent on text passwords and numerical PINS,
Wherever people need some means of identity authentication, even if we still do not
know what it will be.

How We Position Our Proposition
The underpinning principle of Expanded Password System
will not go away so long as people want their own volition
and memory to remain involved in identity authentication.
15
It’s Legitimate Successor to Seals and Autographs
More on the Power of Citizens’ Non-Volatile Episodic Memory
Starting with the perception that our continuous identity as human being is made of
our autobiographic memory, we are making identity authentication schemes better by
leveraging the time-honored tradition of seals and autographs
The underpinning principle of Expanded Password System shall not go away so long
as people want our own volition and memory to remain involved in identity
assurance.

Competition or Opportunity
Password-managers, single-sign-on service?
Passwords required as the master-password: Opportunity.
Two/multi-factor authentication?
Passwords required as one of the factors: Opportunity.
Pattern-on-grid, emoji, conventional picture passwords?
Deployable on our platform: Opportunity.
Biometrics?
Passwords required as a backup means: Opportunity.
What can be thought of as competition to Expanded Password System?
1. Password-managers and single-sign-on services require passwords as the master-
password.
2. Two/Multi-factor authentications require passwords as one of the factors.
3. Pattern-on-grid, conventional picture passwords and emoji-passwords can all be
deployed on our platform.
4. Biometrics requires passwords as a fallback means.
As such, competition could be thinkable only among the different products of the
family of Expanded Password System.
By the way, some people claim that PIN can eliminate passwords, but logic dictates that
it can never happen since PIN is no more than a weak form of numbers-only password.
Neither can Passphrase, which is no more than a long password.
There are also some people who talk about the likes of PKI and onetime passwords as
an alternative to passwords. But it is like talking about a weak door and proposing to
enhance the door panel as an alternative to enhancing the lock and key.

Exciting Scenery of Digital Identity
What about “Passwordless” Authentication
“LOSS of Security Taken for GAIN of Security” -
https://www.linkedin.com/pulse/loss-security-taken-gain-hitoshi-kokumai/
We look tiny and sound feeble. They look massive and sound mighty. We are made of
logical fact-based non-flammable graphene. They are made of illogical fallacy-based
inflammable paper.
‘We’ mean the forces who advocate the digital identity for which citizens’ volition and
memory play a critical role, supporting the solid identity security and the values of
democracy.
‘They’ mean the forces who advocate the digital identity from which citizens’ volition
and memory are removed, damaging the identity security and the values of
democracy. Big names like GAFAM are found as part of the paper elephant, which
make them look really massive and sound extremely loud.
Whether looking tiny or massive, whether sounding feeble or mighty, it does not
matter. It’s fact and logic that decides the endgame. We will prevail in due course.

Launching Global Operation
Following experimental successes in Japan, we set up our global
headquarters as Mnemonic Identity Solutions Limited (MIS)
in United Kingdom in August 2020 -
https://www.mnemonicidentitysolutions.com/
With the sales of some US$1 million and a successful adoption by Japan’s military in
2013 at our Japanese entity named Mnemonic Security, Inc., we came to realise that it
will not be in Japan but the global market that decides the future of our endeavour.
We set up Mnemonic Identity Solutions Limited with British colleagues in UK in 2020
for launching the global operations.

First Global Project
“Mnemonic Gateways”
Leak-proof Password Manager
powered by citizens’
non-volatile episodic
image memory
90-second demonstration video
What if we come up with a password manager powered by citizens’ non-volatile
episodic memory?
It is ‘leak-proof’; the passwords, which are generated and re-generated on-the-fly by
our image-to-code converter from users' hard-to-forget episodic image memory, will be
deleted from the software along with the intermediate data when it is shut down.
The merits of episodic image memory enable us to easily handle multiple password
managing modules with multiple unique sets of images; it helps us avoid creating a
single point of failure.
Login to the software by picking up your registered images. When logged-in, a seed
data is generated/re-generated from the image data on the fly.
Select the account requiring a password from the account list and the software will
generate/re-generate a unique password for the target account and send out the user
ID and password to the login page.
Please watch a quick 90-second demonstration video. This makes the first product for
our global operations.
We will expect the revenue from the sales of high-security versions for tens of millions
of professional users, while offering a standard version to billions of global consumers
at no cost.

Goal
Make Expanded Password System solutions readily available
to all the global citizens –
rich and poor, young and old, healthy and disabled, literate and illiterate,
in peace and in disaster –
over many generations until humans discover something other than
'digital identity' for safe and orderly societal life.
Our mission is
1. to make Expanded Password System solutions readily available to all the global
citizens –
2. rich and poor, young and old, healthy and disabled, literate and illiterate, in peace
and in disaster –
3. over many generations until humans discover something other than 'digital identity'
for safe and orderly societal life.

There exists a secure and yet stress- free means of
democracy-compatible identity authentication.
That is Expanded Password System
Thank You for Your Time
Hitoshi Kokumai
Founder & Chief Architect
Profile https://www.linkedin.com/in/hitoshikokumai/
hitoshi.kokumai@mnemonicidentitysolutions.com
kokumai@mneme.co.jp 21
As such, there exists a secure and yet stress free means of democracy-compatible
identity authentication. That is Expanded Password System
2. Thank you very much for your time.

Have a Break
Published in 2005
This comic looks more relevant now than 17 years ago.

Some More Topics on Digital Identity
23
Dementia and Authentication
Cryptography for Digital Identity
Impact of AI and Quantum-Computing
Login under Duress
2-Channel Expanded Password System
Secure Brain-Machine-Interface
Hybrid Text Password
More on “Passwordless” Authentication
More on “Biometrics” Authentication
FIDO and Expanded Password System
Transparency and Integrity
28th August, 2022
Let me discuss some more topics on digital identity. It may well tell much more about
the very broad scope of our business operations.
They are
Cryptography for Digital Identity
Impact of AI and Quantum-Computing
Login under Duress
More on “Passwordless” Authentication
More on “Biometrics” Authentication

When people become unable to
recognise the unforgettable images of
their episodic memory that they had
volitionally registered as login credentials,
it is probably the time that guardianship should be
considered for them.
“Your solution, Expanded Password System powered by citizens’ non-volatile episodic
memory, has a big drawback of being useless for the authentication of people with
advanced dementia.” - This is what I kept hearing over 20 years, mostly from the
people who promote passwordless and biometrics authentication schemes.
“When people become unable to recognise the unforgettable images of their episodic
memory that they had volitionally registered as login credentials, it is probably the
time that guardianship should be considered for them.
While it’s possible to get them ‘identified’, getting them ‘authenticated’ should be
viewed as a crime in a democratic society”. - This is what I kept answering over the 20
years.

Cryptography and Digital Identity
Protection by cryptography can’t be above protection by login credential
Shall we consider a very typical case that a message is encrypted by a cryptographic
module that can stand the fiercest brute forces attacks for trillions of years, while the
digital identity of the recipient who is to decrypt the encrypted message is protected
by a password that a PC can break in a matter of hours or even minutes?
Protection by cryptography can’t be above protection by login credential, passwords in
most cases. The lower of the two decides the overall protection level.
This observation urges us to make the secret credentials the most solid and reliable
where the data to protect is classified. Here we propose that we can make use of
operators’ episodic memory that is firmly inscribed deep in their brains for their secret
credentials.

Impact of AI and Quantum Computing
https://aitechtrend.com/quantum-computing-and-password-authentication/
In its publication in autumn 2021 USA’s NSA said “We ‘don’t know when or even if’ a
quantum computer will ever be able to break today’s public-key encryption”
In view of that observation, in an article “Quantum Computing and Password
Authentication” I wrote
“Let us assume, however, that quantum computing has suddenly made a quantum leap
and becomes able to break today’s public key schemes. Would we have to despair?
We do not need to panic. Bad guys, who have a quantum computer at hand, would
still have to break the part of user authentication, that is NOT dependent on the public-
key scheme, prior to accessing the target data, in the normal environment where
secret credentials, that is, remembered passwords, play a big role.”
My article , published in early October 2021, became the ‘most trending’ at NY-based
aiTech Trend in February 2022 and still retains that status.
This phenomenon probably tells much on how concerned artificial intelligence people
are about the issue of passwords and identity assurance with respect to the
uncontrolled progress of AI and Quantum Computing.

Login under Duress
The issue of Login under Duress is taken care of
since 2003 . Watch this video - “High-Security
Operation on PC for managers”
https://www.youtube.com/watch?v=UO_1fEp2jFo
The bad guy who is forcing the user to make a login under duress
without knowing how many images the user had registered, would
have no idea of whether the user selected an extra image or not,
whereas the software would detect it, allow the login and guide the
bad guy to a dummy data section while silently sending a real-time
alarm to security personnel.
The issue of Login under Duress is already taken care of since 2003 . Watch this video -
“High-Security Operation on PC for managers”
At 2 minutes 40 seconds, you will be watching the registration page, on which you find
a box for ‘Yes or No ‘ for “Emergency PassSymbol”. Click ‘Yes’ and you will be able to
register an extra image as a duress code.
The bad guy who is forcing the user to make a login under duress without knowing how
many images the user had registered, would have no idea of whether the user selected
an extra image or not, whereas the software would detect it, allow the login and guide
the bad guy to a dummy data section while silently sending a real-time alarm to
security personnel.
This function had been implemented a decade before Japan’s Army talked to us; We
did not assume that such duress alarming function would be rarely appreciated outside
the military but anticipated that the more digital assets are piled up in the digital
space, the more frequently the cases of forced login under duress will happen.

28
Using physical onetime tokens is said to be more secure than using phones for
receiving onetime code via Short Message Service as one of the two authentication
factors. However, the use of physical tokens brings its own headache. What shall we
do if we have dozens of accounts that require two factor schemes?
Carrying around a bunch of dozens of physical tokens? Or, re-using the same tokens
across dozens of accounts? The former would be too cumbersome and too easily
attract attention of bad guys, physically creating a single point of failure, while the
latter would be very convenient but brings the similar single point of failure in another
way.
Well, what if random onetime numbers or characters are allocated to each image on
the matrix shown on a user’s second device. Recognizing the registered images, the
user will feed these numbers or characters on a main device. From those onetime
data, the authentication server will tell the images that user is supposed to have
registered as the credential.
All that is needed at the users’ end is just a web browser on a second device. With all
different sets of images for all different accounts, a single phone can readily cope with
dozens of accounts without creating a single point of failure.
This is not a hypothesis. We actually have a use case of commercial implementation.

Ask the users to focus their attention
on the numbers or characters given to
the registered images.
A simple brain-monitoring is vulnerable to wiretapping.
The monitoring system will then collect the brain-generated onetime signal
corresponding to these numbers or characters.
29
Random numbers or characters allocated to the images.
Neuro signals are monitored via a separate channel.
A simple brain-monitoring has a security problem. The data, if wiretapped by
criminals, can be replayed for impersonation straight away. The monitored brain
data should be a onetime disposable code.
An idea is that the authentication system allocates random numbers or characters to
the images shown to the user. The user focuses their attention on the numbers or
characters given to the images they had registered.
The monitoring system will collect the brain-generated onetime signals corresponding
to the registered images. Incidentally, the channel for showing the pictures is
supposed to be separated from the channel for brain-monitoring.
Even if intercepting successfully, criminals would be unable to impersonate the user
because the intercepted data was onetime and disposed upon use.

Factor 1 – Password Remembered
(what we know/remember)
Factor 2 – Password Written Down or Physically Stored
(what we have/possess)
30
Effect - A ‘boring legacy password system’ turning into a no-cost
hybrid password system made of ‘what we know’ and ‘what we
have’.
The problems that are caused by ‘hard-to-manage’ passwords will be drastically
mitigated when we come up with “Mnemonic Gateways” password manager driven by
Expanded Password System (EPS) and other EPS-based solutions with which the secret
credentials for login can be generated and re-generated from non-volatile citizens
episodic image memory.
While we have to wait for it to happen, we are suggesting a stopgap measure of
combining two kinds of passwords - one that we can easily remember and recall , with
the other that is truly random and complex for electronical storage on a device. When
in use, we recall and type the former and copy&paste the latter.
We call it ‘Hybrid Text Password’. It is not as safe and simple as remembering the
whole of it but much safer than storing the whole of it. But, would you be interested
to talk about the size of a cake that we know is not edible?
The hybrid password is what I myself have long been practicing for high-security
accounts that accept only text-passwords.

More on ‘Passwordless’ Authentication
Where removing the password increase security of digital identity, we would find such
picture at every ATM .
We would also hear “Remove the army and we will have a stronger national defense”
We could accept “Passwordless” authentication without losing sanity if it comes with a
transparent statement that it brings ‘better availability’ at the cost of losing security,
helping people where availability and convenience, not security, matters most.
The problem is that the “passwordless” promoters are adamantly alleging that the
passwordless schemes are to increase security, thus spreading a false sense of security.
The false sense of security is not only weakening the defence of democratic nations
from within when we have to cope with the yet increasing cybersecurity threats from
aggressive anti-democracy regimes, but also preventing global citizens from being
better prepared against the threats by making good use of the defence surface of the
password and its expanded developments.

(1) Password-less + nothing else; the least secure
(2) Password-less + something else; securer than (1)
(3) Password + something else: point of arguments
(1) Token-less + nothing else; the least secure
(2) Token-less + something else; securer than (1)
(3) Token + something else: point of arguments
Let me try a breakdown of the passwordless concept.
(1) Password-less + nothing else; the least secure
(2) Password-less + something else; securer than (1)
(3) Password + something else: here is the point of arguments
By our criteria, the security increases from 1 to 3. However, by the “passwordless”
folks’ criteria, the security of (2) is viewed as higher than (3), presumably because an
attack surface of the password is removed in (2) whereas there is an attack surface on
the password in (3).
Well, let me try the same for “token-less” login.
(1) Token-less + nothing else; the least secure
(2) Token-less + something else; securer than (1)
(3) Token + something else: here is the point of arguments
By our criteria, the security increases from 1 to 3. However, by the “passwordless”
folks’ criteria, the security of (2) should be viewed as higher than (3) because an attack
surface of the token is removed in (2) whereas there is an attack surface on the token
in (3).
Did you find it fun or very worrying?

The ‘passwordless’ promoters might have been trapped in a cognitive pitfall. From my
experience of debating with them, we suspect that there are three possible scenarios -
(1) They may have taken 'what is not good and helpful enough' for 'what is ‘bad and
harmful’.
(2) They may have failed to notice that a token, whether PKI-based or otherwise, also
carries the attack surface of being stolen or otherwise compromised.
(3) They may have assumed that a defense surface is a part of an attack surface in the
case of password.
We wish that the ‘passwordless’ folks had listened to our advice.

More on ‘Biometrics’ Authentication
34
30-second Video YouTube
Surprisingly many people are promoting, selling and adopting biometrics as a tool of
identity authentication without the basic knowledge of the very technology.
Get graphs to talk the nature of biometrics
- By nature, whether static or behavioural, all the biometrics technologies are
'probabilistic' since it measures unpredictably variable body features of living animals
in ever changing environments.
- False Acceptance and False Rejection are not the variables that are independent
from each other, but are dependent on each other.
- The lower a False Acceptance Rate is, the higher the corresponding False Rejection
Rate is. The lower a False Rejection Rate, the higher the corresponding False
Acceptance Rate.
- When a False Acceptance Rate is close to Zero, the corresponding False Rejection
Rate is close to One. When an False Rejection Rate is close to Zero, the corresponding
False Acceptance Rate is close to One.
- The presence of False Rejection, however close to Zero, would require a fallback
means against the False Rejection unless the user can forget the availability.

More on ‘Biometrics’ Authentication
This house has added a new door with biometrics with near-zero false acceptance
besides an old door with a weak password that the biometrics vendor ridiculed harshly.
The client asks “The new door looks very impressive. But why does the old door stay?”
The vendor replies “The new door rejects criminals so effectively that you might also
be rejected occasionally” Shortly thereafter, a burglar is delighted to utter “Very
convenient! I can attack both of the two”
As such, biometrics used with a fallback password brings down the security that the
password has provided. However powerful and influential the biometrics vendor may
be, like Apple, Google and Microsoft are, they cannot change this fact.
Incidentally, there would be nothing wrong in deploying biometrics with a
default/fallback password if vendors state transparently that the benefit of biometrics
used for authentication in cyberspace is ‘better availability’ obtained by sacrificing the
security that the password on its own somehow provides.
What is wrong is that they mislead the public to believe that it contributes to ‘better
security’, thus spreading a false sense of security and thereby weakening the defence
line of democratic nations from within when we have to face fierce cyberattacks from
adversaries of democracy.

We might be watching two FIDOs;
(1) Password-receptive FIDO
(2) Password-rejective FIDO
A password-repelled (passwordless) FIDO-specified product should
not be recommend to the people who need a good security,
although it might be acceptable for low-security use cases where
availability and convenience matter more.
The subject of FIDO frequently pops up in our digital identity discussions.
We might be watching two FIDOs;
(1) Password-receptive FIDO
(2) Password-rejective FIDO
We deem that the FIDO specification on its own is (1), although some FIDO people
sound as if (2) is the case.
A password-repelled (passwordless) FIDO-specified product should not be recommend
to the people who need a good security, although it might be acceptable for low-
security use cases where availability and convenience matter more.
On the other hand, irrespective of how friendlily or unfriendlily FIDO people look at us,
we are certain that Expanded Password System powered by citizens’ non-volatile
episodic memory is perfectly compatible with the device-based FIDO specification for
providing very solid two/multi-factor authentication solutions.
Furthermore, such two/multi-factor solutions would be truly robust when the post-
quantum cryptography is incorporated. The same reasoning applies to other forms of
device-based authentication schemes.

Let me talk about the moral responsibility of those of us who have awoken
Firstly, It would not be very wise to get the defence line weakened from within when
facing formidable adversaries who are known to be making every effort to destroy the
values of democracy.
What I mean is the lack of transparency and integrity over the “passwordless” and
“biometrics” authentication schemes that quite a few security professionals and big IT
players are touting, as discussed earlier.
We have been trying to stay tenacious since we awoke to this consequential problem,
probably as one of the first few to have awoken to it.
We do not want to be among those who knowingly turn a blind eye to the ongoing
erosion of the democratic values due to a wrong design of digital transformation when
facing the dreadful democracy-destroyers.
Secondly, once we are awake to what role the power and merits of citizens’ non-
volatile episodic memory can play for solid digital identity, it cannot be an option for us
to be hesitant to press ahead proactively and energetically, especially in the current
perilous circumstances.
We would like to believe that our endeavour is viewed as worth the support of all the
good citizens.

Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022

Similar to Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022 (20)

Recently uploaded

Recently uploaded (20)

Slide Share (Updated) - Fend Off Cybercrime with Episodic Memory 29Aug2022