
New login system beats 'shoulder surfers'

Users remember pattern, not PIN.


A UK startup has developed an authentication system that requires users to remember a pattern on a grid of numbers rather than a PIN.

GrIDsure's system is intended to be more resistant to so-called "shoulder surfing," or being seen typing in a login or password, and to defeat keyloggers, which are clandestine programs that record keystrokes.

GrIDsure is a small company in a very competitive market of authentication software and hardware vendors striving to increase the security of e-commerce, online banking and money transfers.

Two of GrIDsure's products concern logging on to a PC running Microsoft's Windows. Once GrIDsure's software is installed, a user picks a pattern from a five-square by five-square grid. The company calls it the user's "personal identification pattern" (PIP). The pattern is associated with the person's real password.

Every time the user logs on to the PC, different numbers appear in the grid. The user enters the numbers that correspond to their pattern. The numbers are inconsequential; only the pattern matters. If a keystroke logger is present, it could pick up the numbers corresponding to that pattern, but that sequence won't be used again.

Banks are increasingly sending one-time password generators to their clients. The devices are hardware tokens that display a number which will allow a person to log in to a website for a very limited amount of time as an enhanced security measure.

GrIDsure Chairman Jonathan Craymer, a former journalist who came up with the grid concept, said since the system is only software-based, it's cheaper than buying hardware tokens. It's also easier for people to remember a pattern rather than a multitude of PINs.

GrIDsure has been slow to take off due to the wide vetting process that new authentication technologies must go through to ensure they're secure. But Craymer said Microsoft, Novell and other companies have expressed interest in it. GrIDsure has also submitted the system to a UK government testing scheme, Craymer said.

The simplicity of the system is its strength, as well as its security, wrote Graham Titterington, principal analyst at Ovum, in a research note. It also has wide applicability and could be incorporated into websites as well as other scenarios, he wrote.

"The scheme can be implemented on computers, mobile phones, ATM machines and specialist smart card devices," Titterington wrote.

However, at least one security researcher at the University of Cambridge has disputed how resistant GrIDsure is to shoulder surfing.

"Shoulder surfers could specifically learn to determine patterns in a better way, probably in reference to common patterns," wrote Mike Bond in a March 2008 commentary.

GrIDsure may also not be resistant in point-of-sale devices that have been tampered with, he wrote. News reports recently detailed a scheme where point-of-sale devices at several UK retailers had been rigged to record PINs and the magnetic stripe data of credit cards. Throughout most of Europe, consumers must enter a PIN before completing a purchase, a system known as "chip-and-PIN."

"The sabotaged terminal can record an entire challenge and response," Bond wrote.

Craymer said he is aware of the Bond report and "it's not really for me to comment on his view."

However, another University of Cambridge professor wrote in a June 2006 evaluation that GrIDsure is still safer than chip-and-PIN.

A five-square by five-square grid offers 390,625 possible personal identification patterns consisting of four numbers, wrote Richard Weber, a professor in the statistical laboratory of the Department of Pure Mathematics and Mathematical Statistics at the University of Cambridge.

"By contrast, in traditional chip-and-PIN there are just 10,000 four-digit pins," Weber wrote. "So there are many more PIPs than PINs, and it is much harder for a thief to guess a four-cell PIP than to guess a four-digit PIN."
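The challenge-response mechanism described earlier (a fresh grid per login, the user typing the digits under their pattern), Weber's 390,625 PIP count, and the residual exposure Bond raises when a terminal records a whole challenge and response, worked through as an added Python example. This is not GrIDsure's code; the digit range 0-9, the demo grid, the PIP and all function names are assumptions constructed for illustration.

```python
import hmac
import secrets
from typing import Sequence

GRID_CELLS = 25   # five-square by five-square grid, read row by row
PIP_LENGTH = 4    # a four-cell personal identification pattern (PIP)

def new_challenge(rng=secrets.SystemRandom()) -> list:
    """Fresh digits for every login: one digit 0-9 per grid cell (assumed range)."""
    return [rng.randrange(10) for _ in range(GRID_CELLS)]

def expected_response(grid: Sequence[int], pip: Sequence[int]) -> str:
    """The digits the user should type: the PIP's cells on this grid, in PIP order."""
    return "".join(str(grid[cell]) for cell in pip)

def verify(grid: Sequence[int], pip: Sequence[int], typed: str) -> bool:
    """Constant-time check of the typed digits against this grid's answer."""
    return hmac.compare_digest(expected_response(grid, pip), typed)

def pip_space() -> int:
    """Ordered four-cell PIPs, cells may repeat: 25**4 = 390,625 (Weber's figure)."""
    return GRID_CELLS ** PIP_LENGTH

def pips_consistent_with(grid: Sequence[int], response: str) -> int:
    """How many PIPs one recorded (grid, response) pair still leaves possible.
    Each typed digit could come from any cell showing that digit, so the
    candidates multiply across the four positions. This is the exposure
    Bond describes for a terminal that records an entire exchange."""
    count = 1
    for ch in response:
        count *= sum(1 for d in grid if d == int(ch))
    return count

# Constructed demo values (not from GrIDsure): a fixed challenge grid and a
# diagonal PIP (top-left to bottom-right) so the arithmetic can be followed.
DEMO_GRID = [3, 1, 4, 1, 5,
             9, 2, 6, 5, 3,
             5, 8, 9, 7, 9,
             3, 2, 3, 8, 4,
             6, 2, 6, 4, 3]
DEMO_PIP = (0, 6, 12, 18)

if __name__ == "__main__":
    answer = expected_response(DEMO_GRID, DEMO_PIP)       # "3298"
    print("typed:", answer, "accepted:", verify(DEMO_GRID, DEMO_PIP, answer))
    print("PIP space:", pip_space())                      # 390625
    # The same digits typed against a new grid almost never match the new answer.
    print("one recorded exchange leaves", pips_consistent_with(DEMO_GRID, answer),
          "candidate PIPs")                               # 90
```

The last figure is the point of the dispute on this page: a single recorded exchange shrinks the 390,625 PIPs to a few dozen candidates, which is why Bond's tampered-terminal scenario matters even though a captured response is never valid again.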
