New approach to authentication promises security, simplicity

A Huntington, U.K.-based start-up, GrIDsure, has patented an approach to authenticating users which has a very wide range of applications. The approach is being touted as a replacement for conventional Chip and PIN and for solving the problem of user authentication in online transactions. The company says the technology’s beauty lies in its simplicity, and that it does not need any particular form of hardware for its implementation. It is ideal for authentication on computer terminals. The company has estimated it to be 100 times more secure than conventional Chip and PIN, and it has already won endorsements from Visa, MasterCard, and the Cabinet Office of the U.K. government.

How does it work: The approach replaces passwords, PINs, and fingerprints by asking the user to choose and remember a unique pattern which is more in line with the human psyche. Typically this could be a selection of squares within a grid. Each time the user is required to authenticate, they would be presented with the grid in which each square was labeled. Importantly, more than one square would share each label. The labels would be different every time. The user would enter the labels of the squares in their chosen pattern. Now, as each of these labels does not identify a unique square it is impossible to reconstruct the pattern from this reply (except if a large number of interactions were monitored). The secret pattern would thus remain secret, even if the machine was compromised by spyware or the user was being watched as they entered their PIN. This latter risk, known as “shoulder surfing,” is a major weakness in Chip and PIN schemes. The scheme can be implemented on computers, mobile phones, ATM machines, specialist smart card devices, and at access doors to sensitive locations. It can even be adapted for blind people by having the device speak the labels of the squares in the grid, or for illiterate people by using symbols to label the squares.