
arxiv: 2505.02004 · v5 · submitted 2025-05-04 · 💻 cs.CR · cs.ET · cs.HC · cs.SY · eess.SY

Triple-Identity Authentication: The Future of Secure Access

Pith reviewed 2026-05-22 17:32 UTC · model grok-4.3

classification: 💻 cs.CR, cs.ET, cs.HC, cs.SY, eess.SY
keywords: authentication, security gates, IMEI, IMSI, hash algorithm, decentralized verification, combined identity, password-based systems

The pith

A scheme combines login credentials with smartphone IMEI and IMSI to let local systems build security gates via random hash-element selection.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shifts attention from conventional username and password protection to gatekeeping at system interaction points. It defines a combined identity as credential plus IMEI plus IMSI, then lets the local system hash that credential with a matrix-like algorithm and itself pick random internal elements to form an identifier. This identifier verifies the combined identity through an identity-identifier handshake applied at login-name fields, password fields, and server authentication points. The result grants password-based systems autonomy to safeguard identification without centralized control. A reader would care because the approach targets unprotected username fields and attack-prone password fields by embedding device identities directly into verification.

Core claim

By forming each combined identity as credential+IMEI+IMSI and granting the local system the ability to select elements randomly from the internal matrix of a hash algorithm, the scheme creates an identifier that verifies the identity at login points, thereby establishing decentralized security gates that empower local systems to protect authentication processes autonomously.

What carries the argument

The identity-identifier handshake, in which the local system rather than the algorithm creates an identifier from randomly chosen elements of the hashed combined credential to perform verification.

If this is right

  • The handshake can be placed at the login name field, login password field, and server authentication point to create multiple security gates.
  • Local password-based systems obtain autonomy to manage user identification and authentication without external algorithm control.
  • Username fields become protected through the combined identity rather than remaining open.
  • Password fields gain resistance to attacks by tying verification to device-specific IMEI and IMSI values.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same element-selection logic could be tested on non-mobile device identifiers to see whether the scheme extends beyond smartphones.
  • Integration with existing password managers might reduce the need for separate multi-factor tokens if the handshake proves reliable.
  • An attacker model that includes physical device access would need separate analysis to determine whether IMEI and IMSI exposure undermines the combined identity.

Load-bearing premise

The matrix-like hash algorithm supplies internal elements that the local system can select randomly to verify the combined credential-plus-IMEI-plus-IMSI identity without the algorithm itself dictating the identifier.

What would settle it

A demonstration that an attacker can predict or force the specific random elements chosen from the matrix-like hash to produce a matching identifier for a forged combined identity.

Figures

Figures reproduced from arXiv: 2505.02004 by Suyun Borjigin.

Figure 1 (image not reproduced; caption fragment as extracted): "Subsequently, other characters "p", "7", "a", "3", and"
Original abstract

In password-based authentication systems, the username fields are essentially unprotected, while the password fields are susceptible to attacks. In this article, we shift our research focus from the traditional authentication paradigm to the establishment of gatekeeping mechanisms for the systems. To this end, we introduce a Triple-Identity Authentication scheme. First, we combine each user credential (i.e., login name, login password, and authentication password) with the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) of a user's smartphone to create a combined identity represented as "credential+IMEI+IMSI", defined as a system attribute of the user. Then, we grant the password-based local systems autonomy to use the internal elements of our matrix-like hash algorithm. Following a credential input, the algorithm hashes it, and then the local system, rather than the algorithm, creates an identifier using a set of elements randomly selected from the algorithm, which is used to verify the user's combined identity. This decentralized authentication based on the identity-identifier handshake approach is implemented at the system's interaction points, such as the login name field, login password field, and the server's authentication point. Ultimately, this approach establishes effective security gates, empowering the password-based local systems to autonomously safeguard user identification and authentication processes.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes a Triple-Identity Authentication scheme for password-based local systems. User credentials (login name, login password, authentication password) are each combined with the device's IMEI and IMSI to form a combined identity denoted 'credential+IMEI+IMSI'. The local system is granted autonomy to apply an unspecified matrix-like hash algorithm: the credential is hashed, after which the system (rather than the algorithm) selects a set of random internal elements to produce an identifier. This identifier is used in an identity-identifier handshake at login-name fields, login-password fields, and the server's authentication point, with the claim that the mechanism establishes effective decentralized security gates.

Significance. If a concrete, analyzable matrix-like hash algorithm with provable properties were supplied, the idea of shifting verification autonomy to the local system while binding credentials to device identifiers could offer a fresh angle on mitigating field-level attacks. The conceptual emphasis on decentralized gatekeeping at interaction points is a strength. However, the absence of any formal definition, security reduction, or attack model means the work currently contributes only an informal proposal rather than a verifiable advance.

major comments (2)
  1. [Abstract] Abstract (paragraph describing the hash process): The matrix-like hash algorithm is introduced without any specification of its dimensions, the underlying hash function, the distribution or rule governing random element selection, or the predicate used to verify that the resulting identifier matches the combined 'credential+IMEI+IMSI' identity. Because the entire security claim reduces to the correctness of this self-defined selection process, the lack of definition makes the assertion that the scheme 'establishes effective security gates' impossible to assess.
  2. [Abstract] Abstract: No threat model, attack analysis, or security proof is provided to support the claim that the identity-identifier handshake protects against attacks on username or password fields. The security argument is therefore circular: verification depends on an autonomous local process whose reliability is asserted but not demonstrated.
minor comments (2)
  1. The combined-identity notation 'credential+IMEI+IMSI' is used informally; a precise syntactic definition or example computation would improve clarity.
  2. The manuscript would benefit from explicit comparison to existing device-binding or multi-factor schemes (e.g., those using IMEI/IMSI in 3GPP standards) to clarify novelty.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their insightful comments on our manuscript proposing the Triple-Identity Authentication scheme. We address each major comment below and indicate the revisions we will make to improve the clarity and rigor of the work.

Point-by-point responses
  1. Referee: [Abstract] Abstract (paragraph describing the hash process): The matrix-like hash algorithm is introduced without any specification of its dimensions, the underlying hash function, the distribution or rule governing random element selection, or the predicate used to verify that the resulting identifier matches the combined 'credential+IMEI+IMSI' identity. Because the entire security claim reduces to the correctness of this self-defined selection process, the lack of definition makes the assertion that the scheme 'establishes effective security gates' impossible to assess.

    Authors: We agree that the abstract provides only a high-level overview of the matrix-like hash algorithm without concrete specifications. The intent was to focus on the novel concept of granting autonomy to local systems for identifier generation rather than detailing a specific implementation. In the revised manuscript, we will update the abstract and add a new subsection in the methodology to specify the algorithm: for example, a 5x5 matrix where each element is a 256-bit value derived from hashing the credential with device identifiers using SHA-256, with random selection governed by a uniform distribution over a seeded pseudorandom generator tied to the IMSI, and verification via exact matching of the reconstructed identifier to the expected combined identity. This will make the security claims more assessable. revision: yes

  2. Referee: [Abstract] Abstract: No threat model, attack analysis, or security proof is provided to support the claim that the identity-identifier handshake protects against attacks on username or password fields. The security argument is therefore circular: verification depends on an autonomous local process whose reliability is asserted but not demonstrated.

    Authors: The referee is correct that the manuscript lacks a formal threat model and security analysis. Our proposal emphasizes the architectural shift to decentralized verification at multiple points using device-bound credentials, which we argue inherently raises the bar for field-level attacks by requiring knowledge of both credentials and device identifiers. However, without explicit analysis, this remains informal. We will revise the paper to include a threat model section assuming adversaries capable of intercepting or injecting at login fields, and provide an informal analysis showing how the identity-identifier handshake prevents direct credential exposure. A full cryptographic proof is beyond the scope of this conceptual paper but will be discussed as future work. revision: partial
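To make the abstract's identity-identifier handshake concrete, here is an added worked example; it is not code from the paper or its author. The paper does not specify the matrix-like hash algorithm, so this sketch adopts the parameters the simulated rebuttal above proposes (a 5x5 matrix of 256-bit SHA-256 values, uniform selection driven by a PRNG seeded from the IMSI, exact match of the recomputed identifier) and treats them as assumptions. The matrix construction, the number of selected elements (4), the gate names, and all sample credentials and device identifiers are constructed for illustration.

```python
import hashlib
import hmac
import random

# Parameters taken from the simulated rebuttal (assumptions, not the paper's specification).
MATRIX_DIM = 5        # 5x5 matrix of 256-bit elements
ELEMENTS_PER_ID = 4   # elements the local system selects per identifier (assumed)

# The three interaction points named in the abstract, each holding its own credential.
GATES = ("login_name", "login_password", "authentication_password")


def combined_identity(credential: str, imei: str, imsi: str) -> str:
    """The paper's system attribute: 'credential+IMEI+IMSI'."""
    return f"{credential}+{imei}+{imsi}"


def matrix_hash(identity: str) -> list[list[bytes]]:
    """Assumed stand-in for the unspecified matrix-like hash: element (r, c) is
    SHA-256 over the combined identity and its matrix position."""
    return [
        [hashlib.sha256(f"{identity}|{r}|{c}".encode()).digest() for c in range(MATRIX_DIM)]
        for r in range(MATRIX_DIM)
    ]


def select_positions(seed_material: str, k: int = ELEMENTS_PER_ID) -> list[tuple[int, int]]:
    """The local system's element selection: k distinct matrix positions drawn
    uniformly from a PRNG seeded from the IMSI, as the rebuttal proposes.
    Deterministic on purpose so enrolment and verification pick the same elements."""
    seed = int.from_bytes(hashlib.sha256(seed_material.encode()).digest(), "big")
    rng = random.Random(seed)
    all_positions = [(r, c) for r in range(MATRIX_DIM) for c in range(MATRIX_DIM)]
    return rng.sample(all_positions, k)


def make_identifier(credential: str, imei: str, imsi: str) -> str:
    """Identifier = SHA-256 over the selected matrix elements, in selection order."""
    matrix = matrix_hash(combined_identity(credential, imei, imsi))
    picked = select_positions(imsi)
    return hashlib.sha256(b"".join(matrix[r][c] for r, c in picked)).hexdigest()


def enroll(credentials: dict[str, str], imei: str, imsi: str) -> dict[str, str]:
    """Store one identifier per gate; the credentials themselves are not retained."""
    return {gate: make_identifier(credentials[gate], imei, imsi) for gate in GATES}


def check_gate(stored: dict[str, str], gate: str, credential: str, imei: str, imsi: str) -> bool:
    """Identity-identifier handshake at one gate: recompute and compare in constant time."""
    candidate = make_identifier(credential, imei, imsi)
    return hmac.compare_digest(stored[gate], candidate)


def attempt_login(stored: dict[str, str], credentials: dict[str, str],
                  imei: str, imsi: str) -> dict[str, bool]:
    """Run all three gates for one login attempt and report which passed."""
    return {gate: check_gate(stored, gate, credentials[gate], imei, imsi) for gate in GATES}


if __name__ == "__main__":
    # Constructed sample values; not real subscribers or devices.
    creds = {"login_name": "alice",
             "login_password": "correct horse",
             "authentication_password": "battery staple"}
    imei, imsi = "490154203237518", "310150123456789"
    store = enroll(creds, imei, imsi)
    print(attempt_login(store, creds, imei, imsi))               # every gate passes
    print(attempt_login(store, creds, "000000000000000", imsi))  # wrong device: every gate fails
```

Two points the example makes visible. First, device binding is real in the sense the abstract claims: the same credentials presented from a different IMEI or IMSI recompute to different identifiers at every gate. Second, because the "random" selection is seeded from the IMSI, a value that is not secret, the chosen positions are reproducible by anyone who holds the IMSI, so the selection step adds no secrecy beyond the hash of credential+IMEI+IMSI itself. That is precisely the gap the referee's first major comment and the "What would settle it" item above point at, and any concrete specification of the scheme needs to say what, if anything, the selection is meant to protect.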

Circularity Check

0 steps flagged

No circularity in claimed derivation

Full rationale

The paper describes a proposed authentication scheme in prose without any equations, first-principles derivations, or mathematical reductions. Security is asserted from the described identity-identifier handshake and local-system element selection, but this is a definitional proposal rather than a derivation that reduces to its own inputs by construction. No load-bearing step equates an output to a fitted input or self-citation chain; the absence of algorithm details is a specification gap, not circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The central claim rests on the unverified security properties of the custom hash algorithm and the assumption that IMEI/IMSI binding adds meaningful protection beyond existing methods.

axioms (1)
  • (ad hoc to paper) The matrix-like hash algorithm permits the local system to autonomously select random internal elements to form a reliable verification identifier.
    Invoked when describing how the identifier is created after hashing the credential.
invented entities (1)
  • Combined identity "credential+IMEI+IMSI" (no independent evidence)
    Purpose: serves as the system attribute used for verification.
    Introduced as the core identity representation without an external validation mechanism.

pith-pipeline@v0.9.0 · 5761 in / 1356 out tokens · 39777 ms · 2026-05-22T17:32:14.149266+00:00 · methodology


