
Fallacies and illogics generated and dispersed by professionals, big businesses and tech-media

(1) Unknown Nature of Biometrics    (2) Overlooked Security in Cyberspace    (3) Ignored Nature of Humans’ Identity

1.   Unknown Nature of Biometrics

It is becoming known that NIST no longer allows biometrics to be used on its own and requires it to be used ‘only as part of multi-factor authentication with a physical authenticator (something you have)’, in view of the inherent vulnerabilities of biometrics, as stated in section 5.2.3 ‘Use of Biometrics’ of Digital Identity Guidelines 800-63B.

Privacy issues of biometrics are relatively well known. Not a few people are aware that it will be catastrophic when biometric data are leaked, since biometric data cannot be changed or cancelled (‘when’ rather than ‘if’, in view of the long list of data breaches by sophisticated attacks).

But the security effect of using biometrics together with a fallback password remains largely unknown. This is probably due to the participants’ indifference to the facts listed below.

FAR, FRR & Threshold explained with graphs
- False Acceptance Rates and False Rejection Rates are in a trade-off relation, not independent of each other

False acceptance of 1/1,000,000 is not necessarily better than that of 1/50,000 in biometrics
- We need to know the corresponding false rejection rates before judgment.

‘Unique’ is not ‘Secret’
- Identification is not authentication. Convenience is not security.

Cinderella challenged by foot recognition (Published 2005)
- False Rejection vs False Acceptance

NIST requires that biometrics “SHALL be used only with a physical authenticator” (NIST 800-63B 5.2.3)

Turn off biometrics where security matters
- Biometrics is a good tool for convenience, not for security.


2.   Overlooked Security in Cyberspace

The security we need is for the safer life of good citizens. We do not need security measures that help criminals and tyrants.

Password-less Life - It is a Dystopia.
- What we need is a new breed of password to succeed the conventional password.

Two entrances placed in parallel provide nice convenience to criminals
- This is what we witness in so many biometrics products in cyberspace

Behind the unsuccessful password guidelines is security experts’ indifference to humans’ cognition

The password written on a memo is ‘what we have’, not ‘what we know’


3.   Ignored Nature of Humans’ Identity

Having our identity authenticated is for social activities in human communities, in which our identity is inseparable from our volition and personal memories.

Volition & Memory
- Shall we discuss our ‘identity as citizens living in society’ rather than that of ‘a chunk of bone, flesh, fat and skin’?

What is expected of a successor to the password?
- Anything that has to be used with a password is not qualified.

We could be more rational in defining our identity as a citizen in human society
- Our autobiographic memory, not our body features, makes our identity as a citizen

Smartphone Security – Intuitive, easy and reliable
- We could make use of autobiographic/episodic memory

Identity Assurance in Emergency
- Episodic memories enable intuitive authentication that withstands panicky situations

Amazing Security Comics (Published 2005)
- Homo sapiens versus NIST-backed security professionals


Appendix – Related articles published in the media

Unnecessary Deaths Presumably Brought By Faulty Biometrics

Biometrics as additional access route weaker than password-only protection

Make sure not to mix up ‘Identification’ with ‘Authentication’

Mitigation of Password Predicament

Virtual Strategy Magazine - Intuitive Passwords: Passwords to Succeed Passwords

