Democracy must require that individuals have the right not to have their identity authenticated without knowingly confirming it. This volitional process can be achieved only with "volitional" identity authentication, which is made possible by "memorized secrets", namely passwords and expanded passwords.
<Reference>
Slide: Password Fatigue and Expanded Password System
http://www.slideshare.net/HitoshiKokumai/password-fatigue-and-expanded-password-system
Article (7-page): Intuitive Password – passwords succeeding passwords
https://www.slideshare.net/HitoshiKokumai/intuitive-passwords-passwords-succeeding-passwords
1. Democracy would be dead where the password is killed
Some security people are advocating that the password should be killed dead.
I wonder if they are aware of what they mean by what they say. A society
where login without users’ volition is allowed would be the society where
democracy is dead. It’s a tyrant’s utopia.
We know that biometrics, which relies on a fallback password, can by no
means be an alternative to the password, that the password is an
indispensable factor for multi-factor schemes and that the security of
password managers and single-sign-on schemes needs to hinge on the
reliability of the password.
The password (memorized secret) is absolutely necessary. Don’t let it be
killed. Don’t accept any form of passwordless login.
< Related Articles >
Mix up “Unique” with “Secret” and we would confuse “Identification” with “Authentication”
Truth does not matter in infosec?
2. Mix up “Unique” with “Secret” and we would confuse “Identification” with “Authentication”
Biometrics follows “unique” features of individuals’ bodies and behaviors. It
means that it could be well used when deployed for identification of
individuals who may be conscious or unconscious, alive or dead. Due respect
could be paid to biometrics in this sphere.
Being “unique” is different from being “secret”, however. Deploying biometrics
as the security mechanism for the identity authentication of individuals would
therefore be a misuse of it.
Confusing “Identification” with “Authentication”, we would be building a
sandcastle in which people are trapped in a nefarious false sense of security.
However gigantic and grandiose it may look, the sandcastle could melt away
altogether when we have a heavy storm.
And, the storm will come. The question is not “if”, but just “how soon”.
< Related Articles >
Truth does not matter in infosec?
Democracy would be dead where the password is killed
< Videos >
Turn off biometrics where security matters (30 seconds)
https://youtu.be/7UAgtPtmUbk
Biometrics in Cyber Space - "below-one" factor authentication
https://youtu.be/wuhB5vxKYlg
Six Reasons to Believe Biometrics Don't Ruin Cyber Security
https://youtu.be/lODTiO2k8ws
Password-free Life - Utopia or Dystopia? (30 seconds)
https://youtu.be/UJDBZpX1a0U
Password Predicament and Expanded Password System
https://youtu.be/-KEE2VdDnY0
3. Truth does not matter in infosec?
Tech media seem busy arguing which biometrics is better than the others.
But it is all nonsense from security’s point of view. Instead we should ask
why security-lowering measures have been touted as security-enhancing
solutions.
Because of its inherent characteristics, biometrics depends on a fallback
means in case of false rejection. In physical security, the fallback can be
handled by personnel in charge other than the user. In cybersecurity, however,
it has to be handled by the users themselves, in most cases by way of a
password that the users themselves have to enter.
So long as the biometrics is backed up by a fallback password, irrespective of
which biometric is more accurate than the others, its security is lower than
that of password-only authentication, as illustrated in this video.
https://youtu.be/wuhB5vxKYlg
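The following Python snippet is an added illustration of the point above; it is not code from the original article or from its author. It assumes (labelled in the code) that a biometric with a password fallback behaves as an OR gate, so that an impostor gets in if either the biometric matches or the fallback password is guessed, and that the attacker's chances against the two are independent. Under that model the attacker's success probability against the combined login can never be lower than against the password alone, which is the "below-one factor" claim. The sample rates are constructed, not measured figures.

```python
"""Attacker-success model: biometric with password fallback vs. password only.

Assumptions (constructed for this illustration, not from the article):
  * p_bio: probability that one impostor attempt passes the biometric check
           (its false-acceptance rate).
  * p_pw:  probability that the attacker's password guessing succeeds within
           the attempts the system allows before lockout.
  * The two outcomes are independent, and login is granted if EITHER gate
    accepts the attacker (an OR composition), because the fallback exists
    precisely to let a user in when the biometric rejects them.
"""


def password_only(p_pw: float) -> float:
    """Attacker success when the password is the only gate."""
    return p_pw


def biometric_with_fallback(p_bio: float, p_pw: float) -> float:
    """Attacker success when either the biometric or the fallback password lets
    the attacker in.  Algebraically 1 - (1 - p_bio)(1 - p_pw); written as
    p_pw + p_bio*(1 - p_pw) so the added risk over password-only is explicit
    and p_bio == 0 reduces exactly to the password-only value."""
    return p_pw + p_bio * (1.0 - p_pw)


def biometric_and_password(p_bio: float, p_pw: float) -> float:
    """For contrast: a genuine two-factor AND composition, where BOTH the
    biometric and the password must accept the attacker."""
    return p_bio * p_pw


def added_risk(p_bio: float, p_pw: float) -> float:
    """How much the fallback arrangement raises attacker success over
    password-only: p_bio*(1 - p_pw), which is >= 0 whenever 0 <= p_pw <= 1."""
    return biometric_with_fallback(p_bio, p_pw) - password_only(p_pw)


def is_below_one_factor(p_bio: float, p_pw: float) -> bool:
    """True when the OR-composed login is strictly weaker than password-only,
    i.e. whenever the biometric has any non-zero false-acceptance rate."""
    return added_risk(p_bio, p_pw) > 0.0


def compare(p_bio: float, p_pw: float) -> dict:
    """Summarise the three compositions for one pair of sample rates."""
    return {
        "password_only": password_only(p_pw),
        "biometric_or_password": biometric_with_fallback(p_bio, p_pw),
        "biometric_and_password": biometric_and_password(p_bio, p_pw),
        "below_one_factor": is_below_one_factor(p_bio, p_pw),
    }


if __name__ == "__main__":
    # Constructed sample rates: three biometric FARs against one password
    # guessing success rate.  Printed for a reader running the file directly.
    for p_bio in (0.0, 0.001, 0.05):
        row = compare(p_bio, 0.01)
        print(f"p_bio={p_bio:<6} " + "  ".join(f"{k}={v}" for k, v in row.items()))
```

Even a very accurate biometric (small p_bio) only adds to the attacker's chances in the OR arrangement; the AND row shows what a true second factor would give, which is the sense in which the article calls the password an indispensable factor for multi-factor schemes.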
Then, we have to wonder why and how the biometrics has been touted as a
security-enhancing tool for so long, with so many security professionals being
silent about the fact.
There could be various explanations – from agnotology, neuroscience,
psychology, sociology, behavioral economics and so on. This phenomenon
may well prove to be rich material for a number of scientists and
researchers in those fields.
Summary of the video