Alternative authentication

In the wake of a series of high profile data losses, and the surrounding media furor, many firms may be taking a closer look at the methods they use to manage and control access to their systems.

A recent investigation by the Times revealed just how easy it is to obtain sensitive personal information and for hackers to obtain access to bank accounts. The Times downloaded—at no cost—several private account numbers, PINs and security codes offered as tasters by hacker websites.

While ‘chip and PIN’ remains a popular method of authentication, it’s widely considered to be less than perfect. A PIN, which stays the same all the time, can be guessed or stolen by ‘shoulder surfers.’ And error prone humans tend to write these numbers down anyway, proving the old adage that the human factor is very often the weakest link in the security chain.

As a result, other methods such as biometric or token authentication have emerged as additional layers of security. But so far all these solutions have involved additional hardware such as code generators.

Enter GrIDsure, a Cambridgeshire based start-up, which believes it may have the solution.

The new approach involves a grid. Each time the user wants to authenticate, the terminal (a computer, PDA, mobile phone) displays a grid of numbers. The client’s ‘secret’ is a pattern, used to read off the numbers which are then entered onto the keypad. And because the grid is filled with random numbers, new ‘PIN’ codes are created each time.

“For a five by five grid, and a four cell pattern, you have around 400,000 possible arrangements, compared to the 10,000 possible combinations of four digits in a traditional PIN.

Jonathan Craymer, director, GrIDsure

‘For a five by five grid, and a four cell pattern, you have around 400,000 possible arrangements, compared to the 10,000 possible combinations of four digits in a traditional PIN,’ says Jonathan Craymer, director, GrIDsure.

As highlighted in a mathematical study, Cambridge professor Richard Webber stated, ‘against a plausible mix of risks GrIDsure is of the order of 100 times more secure than traditional PIN.’

Research run by UCL suggests the system is easy to grasp and the pattern is easier to remember than a normal PIN.

We’re not in competition with chip and PIN, said Craymer, we could be used in conjunction as another layer of security.

The technology has a number of applications; it can be used on computers, ATMs, or in any situation where people would otherwise be required to use a PIN or password. And because it also works with mobile devices the cost of implementation is reduced.

Currently, the Cambridge firm is in talks with banks, local and central government as well as some organisations in North America. It’s early days yet and so far it remains to be seen if GrIDsure will be able to convince major players to replace their existing systems with its new method of authentication.