
Smart card overcomes static PIN

By Ron Condon, UK Bureau Chief
30 May 2008 | SearchSecurity.co.uk


A new smart card system based on British and Finnish technology claims to have overcome the problem of the static four-digit PIN, which is open to a range of attacks including password replay, key-logging and shoulder-surfing.

The card, from Finland-based Aventra, incorporates technology from a small Cambridge company called Gridsure, which generates a new code every time for the user to enter.

The system works by sending a grid of randomly-generated digits (normally 5 by 5 cells) to the user's display, which could be a mobile phone, a PDA or a PC. The user will have already chosen four cells as their own individual authentication pattern, and so can identify themselves by keying in the digits displayed in those cells for that particular authentication.


The deal is a major coup for Gridsure, a private company of just seven people, which was founded in 2005 and launched its authentication technology just a year ago. It has already licensed its grid technique to a number of companies, including ActivIdentity, Ingenico, Masabi, Vizuri, Tata and CGI, but the Aventra card is the first commercial product to be based on it.

Gridsure chairman Jonathan Craymer said the strength of authentication could be increased by enlarging the size of the grid to 9 by 9, or 10 by 10, and by asking users to enter six digits. He said some people used a pattern – such as a tick or an L-shape – to help them memorise their cells without compromising security.
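The grid challenge-response described earlier, together with the larger grids and longer codes mentioned here, sketched as an added example that is not Gridsure's or Aventra's code. The function and class names, the allowance of repeated cells in a pattern, and the rule of one outstanding grid per user are assumptions made for illustration.

```python
import hmac
import secrets

def issue_challenge(size=5):
    """Return a size x size grid of independent random digits, fresh per login."""
    return [[secrets.randbelow(10) for _ in range(size)] for _ in range(size)]

def expected_response(grid, pattern):
    """Read the digits shown in the user's secret cells, in the enrolled order."""
    return "".join(str(grid[r][c]) for r, c in pattern)

class GridVerifier:
    """Hypothetical server side: enrolled patterns plus one pending grid per user."""
    def __init__(self, size=5, length=4):
        self.size, self.length = size, length
        self.patterns = {}   # user -> list of (row, col) cells
        self.pending = {}    # user -> grid awaiting a response

    def enroll(self, user, pattern):
        in_grid = all(0 <= r < self.size and 0 <= c < self.size for r, c in pattern)
        if len(pattern) != self.length or not in_grid:
            raise ValueError("pattern does not fit this grid")
        self.patterns[user] = list(pattern)

    def challenge(self, user):
        grid = issue_challenge(self.size)
        self.pending[user] = grid
        return grid

    def verify(self, user, response):
        # Single use: the grid is discarded on the first attempt, so a code
        # captured by a key-logger cannot be replayed against the same grid.
        grid = self.pending.pop(user, None)
        if grid is None or user not in self.patterns:
            return False
        want = expected_response(grid, self.patterns[user])
        return hmac.compare_digest(want.encode(), str(response).encode())

def pattern_space(size, length):
    """Ordered cell sequences a user could enroll (assumes repeats are allowed)."""
    return (size * size) ** length
```

Under these assumptions a 5 by 5 grid with four cells gives 390,625 possible patterns, and a 10 by 10 grid with six cells gives 10^12.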

As well as overcoming the problem of the static PIN, Craymer said the technology was also more effective than a security token, which could be used by a thief. "Only the users themselves know their pattern of cells, and so a thief cannot copy it," he said.

The technology is also not limited to displaying digits, Craymer said. It could also display coloured panels or even pictures, if that is more suited to the application.

Gridsure's main aim is to provide technology for other companies to embed in their own products, but Craymer added that the company has created a 'phone back' system for demonstration to banks, for instance, where the banks want to send a one-time code for a user to key in. "If the phone is stolen, then the thief could steal the code. With our system, the user would receive a grid of digits, and only they would know which ones to key in," he said.

He added that the company was in "a number of interesting discussions" with banks about the technique, but none of these had reached a conclusion yet.


