
New login system beats 'shoulder surfers'

Users remember pattern, not PIN.

A UK startup has developed an authentication system that requires users to remember a pattern on a grid of numbers rather than a PIN.

GrIDsure's system is intended to be more resistant to so-called "shoulder surfing," or being watched while typing in a login or password, and to defeat keyloggers, which are clandestine programs that record keystrokes.

GrIDsure is a small company in a very competitive market of authentication software and hardware vendors striving to increase the security of e-commerce, online banking and money transfers.

Two of GrIDsure's products concern logging on to a PC running Microsoft's Windows. Once GrIDsure's software is installed, a user picks a pattern from a five-square by five-square grid. The company calls it the user's "personal identification pattern" (PIP). The pattern is associated with the person's real password.

Every time the user logs on to the PC, different numbers appear in the grid. The user enters the numbers that correspond to their pattern. The numbers are inconsequential; only the pattern matters. If a keystroke logger is present, it could pick up the numbers corresponding to that pattern, but that sequence won't be used again.

Banks are increasingly sending one-time password generators to their clients. The devices are hardware tokens that display a number which allows a person to log in to a website for a very limited amount of time, as an enhanced security measure.

GrIDsure Chairman Jonathan Craymer, a former journalist who came up with the grid concept, said since the system is only software-based, it's cheaper than buying hardware tokens. It's also easier for people to remember a pattern rather than a multitude of PINs.

GrIDsure has been slow to take off due to the wide vetting process that new authentication technologies must go through to ensure they're secure. But Craymer said Microsoft, Novell and other companies have expressed interest in it. GrIDsure has also submitted the system to a UK government testing scheme, Craymer said.

The simplicity of the system is its strength, as well as its security, wrote Graham Titterington, principal analyst at Ovum, in a research note. It also has wide applicability and could be incorporated into websites as well as other scenarios, he wrote.

"The scheme can be implemented on computers, mobile phones, ATM machines and specialist smart card devices," Titterington wrote.

However, at least one security researcher at the University of Cambridge has disputed how resistant GrIDsure is to shoulder surfing.

"Shoulder surfers could specifically learn to determine patterns in a better way, probably in reference to common patterns," wrote Mike Bond in a March 2008 commentary.

GrIDsure may also not be resistant in point-of-sale devices that have been tampered with, he wrote. News reports recently detailed a scheme where point-of-sale devices at several UK retailers had been rigged to record PINs and the magnetic stripe data of credit cards. Throughout most of Europe, consumers must enter a PIN before completing a purchase, a system known as "chip-and-PIN."

"The sabotaged terminal can record an entire challenge and response," Bond wrote.

Craymer said he is aware of the Bond report and "it's not really for me to comment on his view."

However, another University of Cambridge professor wrote in a June 2006 evaluation that GrIDsure is still safer than chip-and-PIN.

A five-square by five-square grid offers 390,625 possible personal identification patterns consisting of four numbers, wrote Richard Weber, a professor in the statistical laboratory of the Department of Pure Mathematics and Mathematical Statistics at the University of Cambridge.

"By contrast, in traditional chip-and-PIN there are just 10,000 four-digit pins," Weber wrote. "So there are many more PIPs than PINs, and it is much harder for a thief to guess a four-cell PIP than to guess a four-digit PIN."
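To make the scheme described above concrete, here is an added simulation (not GrIDsure's code, and not from the article) of the challenge-response exchange: a fresh 25-digit grid per login, the typed digits derived from a four-cell pattern, a server-side check, and a count of how many of Weber's 390,625 candidate patterns remain consistent once a grid and its response are both recorded, which is the exposure Bond raises. The pattern, the two fixed grids and the function names are constructed for illustration.

```python
import itertools
import secrets

GRID_CELLS = 25   # five-by-five grid, as described in the article
PIP_LEN = 4       # a four-cell personal identification pattern


def new_challenge():
    """Fresh challenge: every one of the 25 cells gets an independent random digit."""
    return [secrets.randbelow(10) for _ in range(GRID_CELLS)]


def response_for(pip, grid):
    """What the user types: the digit currently shown in each cell of the pattern, in order."""
    return "".join(str(grid[cell]) for cell in pip)


def verify(pip, grid, typed):
    """Server-side check of a typed response against the challenge it was issued for."""
    return typed == response_for(pip, grid)


def consistent_pips(observations):
    """Count the patterns that would produce every observed (grid, response) pair.

    Exhausts all 25**4 = 390,625 candidate patterns (Weber's figure).  A keylogger
    alone sees only the typed digits; this models the sabotaged-terminal case where
    the grid is recorded too, and shows how each recorded pair shrinks the set.
    """
    return sum(
        1 for cand in itertools.product(range(GRID_CELLS), repeat=PIP_LEN)
        if all(response_for(cand, grid) == resp for grid, resp in observations)
    )


# Constructed sample data: a diagonal pattern and two fixed 25-digit challenge grids.
SAMPLE_PIP = (0, 6, 12, 18)
GRID_A = [int(d) for d in "0123456789012345678901234"]
GRID_B = [int(d) for d in "3141592653589793238462643"]

if __name__ == "__main__":
    typed = response_for(SAMPLE_PIP, GRID_A)            # "0628"
    print("accepted for its own grid:", verify(SAMPLE_PIP, GRID_A, typed))
    print("same digits replayed on a new grid:", verify(SAMPLE_PIP, GRID_B, typed))
    print("patterns consistent with one recorded pair:", consistent_pips([(GRID_A, typed)]))
    print("... with two recorded pairs:",
          consistent_pips([(GRID_A, typed), (GRID_B, response_for(SAMPLE_PIP, GRID_B))]))
```

The replay check shows why a keylogger's captured digits are useless against the next grid, while the shrinking candidate count shows why recording the grid itself (as Bond describes) changes the picture.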
