Source: Paul Sigismondi, Ph.D., is a research physicist and educator. He has a B.S. in Physics from the University of California at Berkeley and a Ph.D. in Physics from the University of North Carolina at Chapel Hill. His research interests include theoretical astrophysics and quantum field theory.
Security from intruders is an ancient quandary, and the internet has created new challenges. The purpose of this evaluation is to explore a digital identity and authentication solution called Photolok® that addresses the security problem caused by the digital transformation that has invaded our daily lives. Since the digital world is still evolving, it’s helpful to begin with a review of security solutions, because we still use century-old methods that will someday be replaced with digital solutions like Photolok.
A functional security system must allow quick, easy, and convenient entry to those with permission, but must make invasion by an unwanted intruder a highly unlikely occurrence. Ancient security arrangements typically involved gates, walls, watchtowers, moats, and armed personnel. In these arrangements, the main objective, which is still operative in modern systems, was to make invasion a taxing and dangerous enterprise for the intruder. Like today, robust and effective security required manpower and maintenance. Furthermore, the administrators had to stay aware of the ever-changing techniques that clever intruders were attempting in order to subvert the security systems in place.
The lock and key, which likely existed in rudimentary forms in ancient Egypt, provided localized security for people’s homes, safes, and the like. The advent of the combination lock eliminated the necessity of transporting keys and required merely recall of a numerical code to secure entry. Like the modern password system used for cybersecurity, these systems had their drawbacks.
From the standpoint of user convenience, what happens if the user loses his or her keys or forgets the combination? Spare sets of keys, combinations written on scraps of paper, keys hidden under mats, and unlocked back doors and windows are the everyday habits of people trying to avoid lockouts while securing their property traditionally. They also create more opportunities for unwanted intruders to gain access to the keys or the combination. Since the user was not always able to reach a spare key or the place where the combination was stored, the security system had to be penetrable without keys or the correct combination in order to be practicable. And if a locksmith can pick a lock or crack a safe, then someone with nefarious intentions could certainly learn to do the same.
A combination lock has 59,280 distinct codes. There are fewer than 100,000 distinct lock and key combinations for a typical home door. If an 8-letter password is assigned at random to log on to an internet account, there are nearly 209 billion distinct possibilities for that password. In practice, a randomly assigned password is extremely difficult to remember. So instead, users are generally allowed to choose their own password.
People tend to choose memorable passwords composed of common words and pass phrases. This significantly reduces the number of passwords practically in use. Zipf’s law, a well-known rule of thumb in statistics, states that the frequency of a given event within a distribution is inversely related to the rank of that event among the most highly ranked members of that distribution. Practically speaking, this means many people will choose the most common passwords in use. For example, in 2021, an estimated 2.5 million users adopted the most common password, “123456”. Nearly a million users chose “123456789”, and a little over 300,000 users chose “password”.
Zipf’s law has the effect of concentrating a population into the highly ranked events within that population. In fact, fitting the data for the top 7 passwords yields a frequency that is inversely proportional to the rank raised to the 1.3 power. If this relationship were to hold consistently, then 50% of the passwords in use would be one of the top 7 most common passwords. This phenomenon gives internet intruders (bots and cyber hackers) a distinct advantage. (A ‘bot’ – short for robot – is a software program that performs automated, repetitive, pre-defined tasks. Bots typically imitate or replace human user behavior. Because they are automated, bots operate much faster than human users.)
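The Zipf argument above can be worked through numerically. This is an added example, not code from the article or from Netlok: it assumes the rank^-s frequency law with the page's fitted exponent s = 1.3, normalizes it with the Riemann zeta function, and contrasts the share of accounts a short guess list covers with the same list's odds against a uniformly random secret (the page's 26^8 random 8-letter password and, from later in the article, a 3-photo set drawn from 6,400 photos).

```python
"""Worked model of the page's Zipf argument (constructed example, not the
article's own code).  Password frequency is assumed proportional to rank^-s
with s = 1.3, the exponent the page reports for the top seven passwords."""
import math

ZIPF_EXPONENT = 1.3          # page's fitted value for the top 7 passwords
RANDOM_8_LETTER = 26 ** 8    # page's "nearly 209 billion" random passwords
PHOTO_SETS = math.comb(6400, 3)  # page's "nearly 44 billion" 3-photo sets


def zeta(s, terms=100_000):
    """Riemann zeta(s) for s > 1: partial sum plus an Euler-Maclaurin tail."""
    partial = sum(k ** -s for k in range(1, terms + 1))
    return partial + terms ** (1 - s) / (s - 1) - 0.5 * terms ** -s


def top_k_share(s, k):
    """Fraction of accounts whose password is one of the k most common, Zipf(s)."""
    return sum(r ** -s for r in range(1, k + 1)) / zeta(s)


def guesses_for_share(s, target):
    """Smallest guess list (most common passwords first) covering `target`."""
    if not 0 <= target < 1:
        raise ValueError("target share must be in [0, 1)")
    k, covered, z = 0, 0.0, zeta(s)
    while covered < target:
        k += 1
        covered += k ** -s / z
    return k


def dictionary_hit_rate(k, space):
    """Chance the same k-guess list hits a secret drawn uniformly from `space`."""
    return k / space


if __name__ == "__main__":
    s = ZIPF_EXPONENT
    print(f"top 7 passwords cover {top_k_share(s, 7):.0%} of accounts")
    print(f"{guesses_for_share(s, 0.5)} guesses reach half of all accounts")
    print(f"7 guesses vs random 8-letter password: "
          f"{dictionary_hit_rate(7, RANDOM_8_LETTER):.2e}")
    print(f"1 guess vs 3-photo set from 6400: "
          f"{dictionary_hit_rate(1, PHOTO_SETS):.2e}")
```

The point for a defender is that under the Zipf model a handful of entries on a banned-password list removes roughly half the exposure, whereas against a uniformly random secret the same list is essentially worthless.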
Given that a modern intruder is often an automated bot that can make billions of attempts with the most common passwords on multiple targets each second, traditional passwords are vulnerable to statistical attack. Even if a user is astute enough to choose a more secure password, there are other methods that bots can try in order to penetrate password-secured systems, which include phishing, ransomware, malware, insider threats, and distributed denial of service attacks, to name a few.
reCAPTCHA is a common solution to prevent bot attacks. After the user has successfully entered their username and password, they are prompted to prove they are a human, either by correctly identifying distorted text or by picking out images with similar content. At this point, every hacker has seen the limited suite of images used in the reCAPTCHA algorithm and can use this information to their advantage. In addition, off-the-shelf software can now crack the reCAPTCHA algorithm 70% of the time.
The rapid advancement and efficacy of techniques currently employed by cyber hackers necessitate more robust security systems. Traditional password-secured systems are vulnerable both to non-statistical attacks (phishing, ransomware, man-in-the-middle attacks, etc.) and to statistical attack, especially when sufficient latitude is given to the user in choosing a password. Photolok is a system that is nearly impervious to non-statistical attack and has an incredibly low probability of statistical attack, comparable to truly randomly assigned passwords. At the same time, it is far more convenient to the user in terms of recall than a randomly assigned password that the user did not participate in choosing.
Photolok is a novel concept that employs proprietary-coded photos as the key to entry. The system can either assign the user photos or allow the user to choose photos from a proprietary library of photos that currently number over 6400. At login, the user is prompted for an email address. As an added security feature, there is an option that requires the user to input an access code that is emailed or texted to them after they have entered their email address. Subsequently, the user must locate one of their account photos, which appears randomly amid a panel of photos.
The Photolok identity and authentication system can be customized to allow the user to choose up to 5 photos as well as label special security photos for 1-Time Use and Duress. This identity and authentication system is highly secure and easy to use given that the photos are easily recalled and must be spotted by a human. More importantly, Photolok also protects against most external attacks, including keylogging, shoulder surfing, phishing, ransomware, and man-in-the-middle attacks while preventing horizontal penetrations.
This leaves a statistical attack as the only viable means of penetrating the Photolok system. However, this is highly unlikely. The number of possible combinations formed by choosing a minimum 3 photos from a library of 6400 is nearly 44 billion, which is about 5.5 times the total population of the world. The number of people fully employed in the US is about 132 million. If every one of those workers participated in choosing 3 photos out of 6400, the probability that there would be at least one duplicate set of photos in that large sample is 0.32%. Even if the entire world’s population were given this task, the likelihood of at least one duplicate set of photos occurring within the choices is still only 17%. Therefore, penetration of the Photolok system is nearly impossible.
Furthermore, the above analysis overestimates the probability of breakthrough. There is no limit to the complexity of the Photolok system. Photos can be added to the library. Administrators can also ask the users to choose more photos. As stated above, the choice of 3 photos is a minimum. In many cases, users will want to use 4 photos, which yields nearly 69 trillion photo combinations. With the ability to change a few operational variables, security can be further enhanced in a flexible manner with no extra burden to the user – e.g., increasing the size of the proprietary photo library.
Unlike passwords, bots can’t identify the photos to target. The randomization of photo positions on the panel effectively neutralizes any automated attack. Furthermore, the bots won’t be able to collect the digital data behind the photos, which may change each time a login attempt occurs. With almost 100% certainty, any attempt at penetration by an automated bot will result in failure and automatically lock the user’s account.
In conclusion, Photolok represents a significant and promising evolution in digital security systems. It seamlessly eliminates many of the flaws inherent in the present security paradigm. Most importantly, it enhances online digital security, while simultaneously reducing the burden on the user, which is critical for mass adoption.
Note: to learn more about Netlok’s Photolok logon solution, visit www.netlok.com.