I’ve seen many approaches for strong authentication – most of them are either too expensive, too complicated, or they aren’t really appealing. The latter is true for approaches like “passfaces”, where users have to pick one or more known faces out of a set of pictures. Many approaches are complicated to deliver. And many of the token-based approaches are complex from a logistics perspective and are expensive. However, many of these approaches, and especially combinations of, for example, hardware tokens and soft tokens, will work for many use cases.
But there are other approaches which are interesting as well. One which looks pretty interesting is GrIDsure, provided by a UK vendor and implemented by several OEMs right now. The idea is to provide a grid of numbers and to define a pattern within this grid per user. One user might decide on picking the numbers in the corners, clockwise. The next one might pick the numbers of the second line from right to left. Even a relatively small grid allows for many different combinations. And because the numbers within the grid change every time, the PIN the user enters changes as well, which gives a very high number of one-time PINs. The concept is easy to understand, doesn’t require additional hardware and works with any type of device with a display.
Despite being really reluctant when a new vendor appears and wants to tell me that he has found the solution for strong authentication, the conversation with GrIDsure was definitely interesting. At least interesting enough to cover it in my blog and to do further research on that solution.
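To make the mechanism above concrete, here is a small added example (my own illustration, not GrIDsure’s or any OEM’s code) of the scheme as the post describes it: the server issues a fresh grid of digits per login, the user’s enrolled pattern is a sequence of grid positions, and the PIN is whatever digits happen to sit on those positions this time. The 5×5 size, the two example patterns (corners clockwise, second row right to left), the `GridServer` class and the user name are all constructed for the example; the only design point beyond the post is that each issued grid is consumed after one verification attempt, so the same grid can never be answered twice.

```python
import hmac
import secrets

# Assumed grid size; the post does not fix one, so 5x5 is a constructed choice.
GRID_SIZE = 5

# The two patterns mentioned in the post, as (row, column) positions.
CORNERS_CLOCKWISE = [
    (0, 0),                          # top-left
    (0, GRID_SIZE - 1),              # top-right
    (GRID_SIZE - 1, GRID_SIZE - 1),  # bottom-right
    (GRID_SIZE - 1, 0),              # bottom-left
]
SECOND_ROW_RIGHT_TO_LEFT = [(1, c) for c in range(GRID_SIZE - 1, -1, -1)]


def new_grid(size=GRID_SIZE):
    """A fresh grid of random single digits, generated per login attempt."""
    return [[secrets.randbelow(10) for _ in range(size)] for _ in range(size)]


def read_pattern(grid, pattern):
    """The one-time PIN: the digits at the pattern's positions, in pattern order."""
    return "".join(str(grid[r][c]) for r, c in pattern)


class GridServer:
    """Constructed verifier: one pending grid per user, accepted at most once."""

    def __init__(self, patterns):
        self._patterns = patterns  # user -> enrolled pattern (the long-term secret)
        self._pending = {}         # user -> grid currently shown to that user

    def challenge(self, user):
        """Issue a new grid for this login and remember it."""
        grid = new_grid()
        self._pending[user] = grid
        return grid

    def verify(self, user, response):
        """Check the typed digits against the pending grid, then discard the grid."""
        grid = self._pending.pop(user, None)  # consumed whatever the outcome
        if grid is None or user not in self._patterns:
            return False
        expected = read_pattern(grid, self._patterns[user])
        # Constant-time comparison so timing does not leak how many digits matched.
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = GridServer({"alice": CORNERS_CLOCKWISE})
    grid = server.challenge("alice")
    for row in grid:
        print(" ".join(str(d) for d in row))
    pin = read_pattern(grid, CORNERS_CLOCKWISE)  # what Alice would type
    print("typed:", pin, "accepted:", server.verify("alice", pin))
    print("same PIN again accepted:", server.verify("alice", pin))
```

Note that the pattern never leaves the user’s head; only the digits currently shown at those positions are transmitted, and they are useless once the grid has been consumed.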

This is exactly why we OEM'ed GrIDsure for our Defender product here at Quest Software.
The appeal, of course, is that the organization doesn't have to provision a physical device or card. And unlike SMS text and grid cards, the memorizing of a pattern eliminates the risk of interception (except for the call center identity verification where the user entered from a grid card).
Potentially brilliant… any known holes?
Mike
[...] See the original post here: Stronger and simpler authentication | Martin Kuppinger [...]
Wouldn't this be susceptible to a Man in the Middle attack, just like using a more conventional One Time Password would be? The attack is: (1) website displays grid to MITM; (2) MITM displays grid to victim; (3) victim enters correct sequence of numbers; (4) MITM collects correct sequence of numbers and replays to website.
I wish someone would come up with a way of making client-side certificates practical. Wouldn't that be the best way to do strong authentication?
Actually, we thought up a way round that too, it's a PoC at present, but using the base concept, then add in a transaction specific grID, and a second channel… Simple for the user, no additional hardware & secure from MitM.