Caveats about ‘Password’
Sometimes the word ‘Password’ is narrowly interpreted as ‘remembered text password’ and sometimes it’s taken broadly as ‘whatever we remember for authentication’.
We are of the view that it would be desirable to define ‘Password’ broadly enough. As a denotational definition, it could be ‘Whatever we remember and recall volitionally for identity authentication.
As a connotation, it could be “A shared secret known only by two consenting parties. The secret will be submitted by one party to the other on request. It is used to verify legitimate access to an asset of shared interest.” (This is suggested by my British friend.)
By the way, password-like texts written on a memo or stored in a physical device should desirably be given other names than ‘Password’. For now I would like to call it ‘physically possessed password’ as against ‘password’ or ‘remembered password’.
Physically possessed high-entropy passwords have a potential merit of being strong against brute force attacks but it is as vulnerable to physical theft as other physically possessed objects like cards and tokens.
We do not see any difference against wiretapping between the remembered and physically possessed passwords.
Caveats about Biometrics
Biometrics is a useful tool for forensic and other purposes of personal identification in physical space. As for identity authentication in cyber space, it brings not just better convenience but also some protection, which is better than nothing although lower than a password-only protection. .
We would reiterate that biometrics could be recommended where convenience matters, but must not be recommended where security matters.
Caveats about ID federations
ID federations such as single-sign-on services and password managers indeed help us mitigate the burden of managing so many passwords. On the other hand, ID federations create a single point of failure like putting all the eggs in a single basket. It manages all my passwords when un-hacked and loses all my passwords to criminals when hacked.
ID federations should be operated in a decentralized formation or should be considered mainly for relatively lower-security accounts, not for the highest-security business accounts which should desirably be protected by all different strong passwords unique to each account. Needless to say, the strength of the master-password is crucially important in any case.
Caveats about Two/multi-factor authentication
It certainly could have a big merit for better security. It should, however, be operated with caveats.
Firstly, ‘2’ and ‘3’ are indeed larger than ‘1’ on paper, but we should not forget that two or three weak children may well be much weaker than a single tough guy. Secondly, physical tokens, cards, phones and memos are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.
The two/multi-factor authentication could be reliable only when it comes with a reliable password. A truly reliable two/multi-factor solution desired for most important accounts requires the use of the most reliable password.
Incidentally, we would like to repeatedly emphasize that all the factors of two/multi-factor authentications must be deployed ‘in series’, not ‘in parallel’. Biometrics deployed ‘in parallel’ instead of ‘in series’ must not be counted as a factor of the two/multi-factor authentications. We need to harbor a serious doubt when we hear of a two/multi-factor authentication that is claimed to have a biometrics as a factor of it.
