Access vendor GridSure uses patterns to remember PINs

A British startup has developed an authentication system that only requires users to remember a pattern on a grid of numbers rather than a PIN.

A British startup has developed an authentication system that requires users to remember a pattern on a grid of numbers rather than a PIN (personal identification number).

GrIDsure's system is intended to be more resistant to so-called "shoulder surfing," or being watched while typing a login or password, and to defeat keyloggers, which are clandestine programs that record keystrokes.

GrIDsure is a small company in a very competitive market of authentication software and hardware vendors striving to increase the security of e-commerce, online banking and money transfers.

Two of GrIDsure's products concern logging on to a PC running Microsoft's Windows. Once GrIDsure's software is installed, a user picks a pattern from a five-square by five-square grid. The company calls it the user's "personal identification pattern" (PIP). The pattern is associated with the person's real password.

Every time the user logs on to the PC, different numbers appear in the grid. The user enters the numbers that correspond to their pattern. The numbers are inconsequential; only the pattern matters. If a keystroke logger is present, it could pick up the numbers corresponding to that pattern, but that sequence won't be used again.
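The challenge-response flow described above, as an added example (this is illustrative code written for this article, not GrIDsure's software): the server issues a fresh 25-cell grid of digits, the user types the digits sitting on their pattern, and the server compares that against what the stored pattern would produce on the grid it issued. The pattern encoding (row-major cell indices 0..24), the assumption that digits are drawn independently so the same digit appears in several cells, and the example pattern are all assumptions, not details from the article.

```python
import hmac
import secrets

GRID_SIZE = 5                      # the article describes a five-by-five grid
CELLS = GRID_SIZE * GRID_SIZE      # 25 cells, indexed 0..24 row by row
DIGITS = "0123456789"


def new_challenge(rng=secrets):
    """Fresh challenge: a random digit in each of the 25 cells.

    Assumption (not stated in the article): digits are drawn independently,
    so with 25 cells and 10 digits the same digit appears in several cells.
    `rng` only needs a .choice() method; pass random.Random(seed) for a
    reproducible grid in tests.
    """
    return "".join(rng.choice(DIGITS) for _ in range(CELLS))


def response_for(grid, pip):
    """Digits the user types for pattern `pip` (a sequence of cell indices)."""
    return "".join(grid[cell] for cell in pip)


def verify(grid, pip, typed):
    """Server-side check of a login attempt against the grid that was shown.

    The server must remember which grid it issued for this attempt; the
    expected digits are derived from the stored pattern, never from the
    client. compare_digest avoids leaking a digit-by-digit timing signal.
    """
    expected = response_for(grid, pip)
    return hmac.compare_digest(expected.encode(), typed.encode())


def render(grid):
    """Lay out a grid the way a login screen might show it."""
    rows = [grid[r * GRID_SIZE:(r + 1) * GRID_SIZE] for r in range(GRID_SIZE)]
    return "\n".join(" ".join(row) for row in rows)


if __name__ == "__main__":
    pip = (0, 6, 12, 18)           # constructed example pattern: a diagonal
    first = new_challenge()
    second = new_challenge()
    print(render(first))
    typed = response_for(first, pip)     # what the legitimate user types
    print("login 1 accepted:", verify(first, pip, typed))
    # A keylogger that captured `typed` gains nothing against the next grid
    # (unless the new grid happens to carry the same digits in those cells).
    print("replay on login 2 accepted:", verify(second, pip, typed))
```

One design consequence worth noting: unlike a password, which can be stored as a salted hash, the verifier here needs the pattern itself (or a per-challenge derivative of it) to compute the expected digits, so the pattern store and the record of which grid was issued to which session are the assets to protect.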

Banks are increasingly sending one-time password generators to their clients. The devices are hardware tokens that display a number which allows a person to log in to a Web site for a very limited amount of time, as an enhanced security measure.

GrIDsure Chairman Jonathan Craymer, a former journalist who came up with the grid concept, said that since the system is software-only, it's cheaper than buying hardware tokens. It's also easier for people to remember a pattern than a multitude of PINs.

GrIDsure has been slow to take off due to the extensive vetting process that new authentication technologies must go through to ensure they're secure. But Craymer said Microsoft, Novell and other companies have expressed interest in it. GrIDsure has also submitted the system to a U.K. government testing scheme, Craymer said.

The simplicity of the system is its strength, as well as its security, wrote Graham Titterington, principal analyst at Ovum, in a research note. It also has wide applicability and could be incorporated into Web sites as well as other scenarios, he wrote.

"The scheme can be implemented on computers, mobile phones, ATM machines and specialist smart card devices," Titterington wrote.

However, at least one security researcher at the University of Cambridge has disputed how resistant GrIDsure is to shoulder surfing.

"Shoulder surfers could specifically learn to determine patterns in a better way, probably in reference to common patterns," wrote Mike Bond in a March 2008 commentary.

GrIDsure may also not be resistant in point-of-sale devices that have been tampered with, he wrote. News reports recently detailed a scheme where point-of-sale devices at several U.K. retailers had been rigged to record PINs and the magnetic stripe data of credit cards. Throughout most of Europe, consumers must enter a PIN before completing a purchase, a system known as "chip-and-PIN."

"The sabotaged terminal can record an entire challenge and response," Bond wrote.

Craymer said he is aware of the Bond report and "it's not really for me to comment on his view."

However, another University of Cambridge professor wrote in a June 2006 evaluation that GrIDsure is still safer than chip-and-PIN.

A five-square by five-square grid offers 390,625 possible personal identification patterns consisting of four numbers, wrote Richard Weber, a professor in the statistical laboratory of the Department of Pure Mathematics and Mathematical Statistics at the University of Cambridge.

"By contrast, in traditional chip-and-PIN there are just 10,000 four-digit pins," Weber wrote. "So there are many more PIPs than PINs, and it is much harder for a thief to guess a four-cell PIP than to guess a four-digit PIN."
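Weber's and Bond's figures describe two different quantities, and the following added example (illustrative code for this article, not GrIDsure's or either researcher's) puts numbers on both. The 390,625 figure is 25^4, the number of ordered four-cell patterns when a cell may be reused, before anyone has observed a login. Bond's point concerns what is left once a tampered terminal has recorded "an entire challenge and response": every position of the response can only have come from a cell carrying that digit, so each recorded session narrows the candidate set. The grids and the example pattern below are constructed, and the assumption that grid digits are drawn independently is mine, not the article's.

```python
from math import prod

CELLS = 25          # five-by-five grid
PIP_LENGTH = 4      # four-cell pattern, as in Weber's comparison
DIGITS = 10


def pip_space(cells=CELLS, length=PIP_LENGTH):
    """Ordered patterns when a cell may be reused: 25**4 = 390,625 (Weber's figure)."""
    return cells ** length


def pin_space(length=PIP_LENGTH):
    """Four-digit PINs: 10**4 = 10,000."""
    return DIGITS ** length


def response_for(grid, pip):
    """Digits typed for pattern `pip` (cell indices, row-major) on `grid`."""
    return "".join(grid[cell] for cell in pip)


def consistent_pips(observations, cells=CELLS, length=PIP_LENGTH):
    """Count patterns that would have produced every recorded (grid, digits) pair.

    This is the quantity the a-priori 390,625 does not capture. Because each
    response position is independent when cells may repeat, the count is the
    product, over the four positions, of how many cells carry the observed
    digit in every grid seen so far. With no observations every cell is a
    candidate and the result equals pip_space().
    """
    per_position = []
    for i in range(length):
        matching = [c for c in range(cells)
                    if all(grid[c] == typed[i] for grid, typed in observations)]
        per_position.append(len(matching))
    return prod(per_position)


if __name__ == "__main__":
    # Constructed grids (25 digits each, row-major) and a constructed pattern.
    grid_a = "0123456789012345678901234"
    grid_b = "3141592653589793238462643"
    pip = (0, 6, 12, 18)
    print("PIPs vs PINs a priori:", pip_space(), "vs", pin_space())
    seen = []
    for grid in (grid_a, grid_b):
        seen.append((grid, response_for(grid, pip)))
        print(f"after {len(seen)} recorded login(s):",
              consistent_pips(seen), "candidate patterns remain")
```

With these grids one recorded session leaves 36 candidate patterns and a second leaves two, which is the sense in which the comment below about matching the implementation to the "threat profile" matters: the keyspace argument holds against guessing, while a terminal that sees both challenge and response is a different threat.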


Comments

1. jonathan@gridsure.com, Mon 05/01/2009 - 06:42

GrIDsure & Mike Bond's 'old' criticism

Further to Jeremy Kirk's excellent article on GrIDsure, "Access vendor GridSure uses patterns to remember PINs", which mentions Mike Bond's comments of some 10 months ago (since when GrIDsure has undergone a great deal of development), it's probably worth mentioning, for the sake of those seeking the latest info, that after a recent meeting with Mike to explain developments in the system, Mike and ourselves have agreed on the following statement:

"We are aware of Mike Bond's report of March 2008 and value input from both industry and academia. We have since discussed with Mike his report in detail and provided him with further clarification.

"The threats to all authentication mechanisms depend on the environment in which they are used and GrIDsure, like every other security technology, needs to be implemented in a form appropriate to the threat profile.

"We thank Mike for his input and as a result of his report we have further clarified the guidelines for GrIDsure implementation."
