GrIDsure

Articleissues
notable = October 2007
refimprove = October 2007
advert = October 2007

Introduction

This article describes the GrIDsure personal identification system which extends the standard ‘shared-secret’ authentication model to create a secure methodology whereby a dynamic ‘one-time’ password or PIN can be generated by a user. The Technology can be applied in a multitude of scenarios and deployed for virtually any scenario, for example web, ATM, POS, mobile phone, dedicated device, door locks and even as a paper-based solution.

The GrIDsure personal identification system was invented by Stephen Howes and Jonathan Craymer in November 2005. Following the invention extensive investigation was carried out by patent lawyers, into the feasibility of obtaining a patent for the concept and a patent lodged.

GrIDsure has been named as one of Gartner's "Cool Vendors in Application Security & Authentication, 2008" companies, as well as being described as "near universal authentication" by Ovum, and as a real step forward by Bloor Research. [http://mediaproducts.gartner.com/reprints/veracode/156005.html Gartner Cool Vendors]

[http://www.ovum.com/news/euronews.asp?id=6300 Ovum Article]

[http://www.it-analysis.com/business/compliance/content.php?cid=9686 Bloor Research]

How it Works

[http://www.gridsure.com/slideshow See it working]

The core of the patent pending methodology is one of ‘sequential pattern recognition’ of cells on a grid. The user is challenged with a grid containing pseudo-randomly generated numbers and the user selects those numbers that accord with the pattern and sequence made by his chosen cells.

In this process the user needs to remember a pattern of his choice which he registers with the authenticator (the shared secret). Since the user is using his secret pattern to select numbers from a grid square and then using those numbers to authenticate, he never actually ‘gives up’ his secret to the authenticator – he only communicates a ‘representation’ of his secret which is in the form of a selection from a random set of numbers. Consequently there is nothing for a ‘keylogger’ to reverse-engineer and since the numbers are repeated several times in the grid-square, it is extremely difficult for a ‘shoulder-surfer’ to ascertain the pattern by observing the keystrokes and the gridsquare.

The user registration process and subsequent challenge-response process are described in more detail as follows:-

User registration

* The user registers a ‘Personal Identification Pattern’ (PIP) with the authenticator. (Alternatively the authenticator could pre-allocate a PIP to a user.) This becomes his shared secret.
* The grid can be almost any size or shape; however a 5x5 grid gives a good balance between ease of use and security in most situations.
* The PIP can be 4 cells (like a PIN) or any length you like.

General Use

* The user is presented with a grid populated with pseudo random symbols. (The symbols need not be numeric.)
* The user enters the symbols representing his pattern/sequence.
* The authenticator accepts or rejects the user.
* Every time the user is challenged he will be presented with a different grid and so will enter a different GrIDsure code.

Mathematical Security

A study was carried out on the statistical security of GrIDsure by Professor Richard Weber, Churchill Professor of Mathematics for Operational Research in the Department of Pure Mathematics and Mathematical Statistics in the University of Cambridge, and Director of its Statistical Laboratory.

The full report outlines the mathematics of various GrIDsure grids, the probabilities of a thief guessing a PIN or a Personal Identification Pattern (PIP), the chances of a thief reverse-engineering a PIP and the mathematical security of various sized grids and patterns. In an appendix to the main report, Professor Weber studies a number of likely fraud models in order to summarise in a single figure, how much more secure GrIDsure is than a traditional PIN.

"After performing further sensitivity analysis on our model we may conclude that it reasonable to say that against a plausible mix of risks GrIDsure is of the order of 100 times (i.e., two orders of magnitude) more secure than traditional pin."

He concludes:

"This is one of the most beautiful ideas I have seen in many years of looking at algorithms and optimisation problems." - Professor Richard R. Weber. Director, Statistical Laboratory, Cambridge University.

Usability

University College London committed an independent usability trial. This pilot study was carried out by the Department of Human Centered Systems/Department of Computer Science under the direction of Angela Sasse, Professor of Human-Centred Technology. With a background in Human-Computer Interaction, Prof. Sasse has been carrying out research since 1996 to develop a user-centred perspective on security, privacy and trust. She has investigated usability and effectiveness of a number of security mechanisms, including passwords and biometrics. She contributed a review to the 2004 Foresight report on Cybertrust and Crime Prevention, and was appointed a Specialist Advisor to the Home Affairs Committee for its enquiry into the proposed introduction of ID cards. She currently serves on the Biometrics Advisory Group, an independent expert panel that advises the Home Office, and chairs the DTI Knowledge Transfer Network (KTN) on Human Vulnerabilities in Network Security.

The key objective of this pilot study were to:
* See how easily people could learn to use GrIDsure
* To see how well they could recall the process after an extended period of time.

Fifty (50) subjects were chosen of varying age and ability (six were over the age of 60). The trial was carried out on Windows PDAs with ‘soft’ keyboards and no colour on the grid (making the process more difficult than would occur in a real-life situation). A standard 5x5 grid was used and after first usage, subsequent checks were taken at periods of a few hours up to 11 weeks.

The key results of the study were :

* “"All participants grasped the notion quickly and easily"”. All but two managed to use it first time and the remainder managed it with a little additional explanation.
* On subsequent tests, whilst some people were unsure of the process the vast majority nevertheless still managed to complete the task successfully.
*“"There was a high level of success overall in entering the correct number sequence"” (93.84%).
* Excluding the first time, on subsequent use with elapsed times up to 36.9 days, success rates remained high (92.63%).

In a covering letter to the study report, Professor Sasse states:

”"Having looked at many mechanisms which have been proposed in recent years to overcome users' problems with PINs and passwords, this is the first one that has the potential to offer good usability and increased security at the same time"” .

Links

*security tokens

*Two Factor Authentication

External links

* GrIDsure [http://www.gridsure.com The company website]

* "Gartner" [http://mediaproducts.gartner.com/reprints/veracode/156005.html Cool Vendors in Application Security and Authentication]

* "Ovum" [http://www.ovum.com/news/euronews.asp?id=6300 Promising proposal for near universal user authentication method]

* "The Institute of Engineering & Technology" [http://www2.theiet.org/oncomms/sector/magazine.cfm?issueID=219&articleID=AEF8972A-972B-562B-7CB929527C391E86 Grid Expectations]

* "The Register" [http://www.theregister.co.uk/2007/10/04/pin_fraud/ UK start-up tackles PIN fraud with patterns]

* "Info Security Magazine" [http://www.infosecurity-magazine.com/news/071025_Gridsure.html Card issuer to adopt graphical Pin randomiser]

* "Security Park" [http://www.securitypark.co.uk/security_article259966.html Pattern-based ID verification system combats online fraud]

* "Bloor" [http://www.it-analysis.com/business/compliance/content.php?cid=9686 Superior accessible security]

* "Computing.co.uk" [http://www.computing.co.uk/computing/news/2162444/banks-seek-fraud-solutions banks seek fraud solutions]

* "Cambridge Evening News" [http://www.cambridge-news.co.uk/business/news/2007/10/09/e82ba8a4-a675-4e5a-aeda-338a3114153b.lpf ID system the "perfect solution" to fight fraud]

* "The Guardian Unlimited" [http://blogs.guardian.co.uk/technology/2007/10/04/pick_a_pattern_not_a_pin.html Pick a pattern, not a PIN]

* "The Sunday Times" [http://technology.timesonline.co.uk/tol/news/tech_and_web/article2604791.ece Sudoku-style codes planned to defeat bank fraudsters]

In March 2008, an independent security researcher, Mike Bond [ [http://www.cl.cam.ac.uk/~mkb23/ Mike Bond, Security Researcher] ] , identified flaws [ [http://www.cl.cam.ac.uk/~mkb23/research/GridsureComments.pdf Mike Bond, Comments on Gridsure Authentication, 27 March 2008] ] in the Gridsure authentication scheme and concluded:

"The Gridsure authentication mechanism remains largely unproven. Studies so far are flawed or taken out of context; my own initial studies indicate further weaknesses."

It should be noted that the introduction to Dr Bond's paper states "Thisdocument is not intended to be a fully representative or balanced appraisal of the scheme."

Notes