GrIDsure was a personal identification system which extends the standard ‘shared-secret’ authentication model to create a secure methodology whereby a dynamic ‘one-time’ password or PIN can be generated by a user. It could have been used to secure ATMs, POSs, mobile phones, dedicated devices, door locks and even as a paper-based solution. It was invented by Jonathan Craymer in November 2005 and was taken over by Stephen Howes after Craymer's departure in 2009. It had been named as one of Gartner's "Cool Vendors in Application Security & Authentication, 2008" companies, as well as being described as "near universal authentication" by Ovum, and as a real step forward by Bloor Research.[1][2][3]
GrIDsure went into liquidation in October 2011 after poor sales and investor funding dried up.
The core of the patent pending methodology is one of ‘sequential pattern recognition’ of cells on a grid. The user is challenged with a grid containing pseudo-randomly generated numbers and the user selects those numbers that accord with the pattern and sequence made by his chosen cells.
In this process the user needs to remember a pattern of his choice, which he registers with the authenticator (the shared secret). Since the user uses his secret pattern to select numbers from a grid square and then uses those numbers to authenticate, he never actually ‘gives up’ his secret to the authenticator: he only communicates a ‘representation’ of his secret, in the form of a selection from a random set of numbers. Consequently there is no static secret for a ‘keylogger’ to capture, and since each digit is repeated several times in the grid square, it is extremely difficult for a ‘shoulder-surfer’ to ascertain the pattern from a single observation of the keystrokes and the grid square.
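A worked illustration of one challenge-response round as described above, added here as an example and not GrIDsure's own code: the authenticator issues a grid of pseudo-random digits, the user answers with the digits at the cells of his registered pattern, and a helper counts how many patterns would have produced the same answer on that grid, which is the ambiguity a single observed response leaves. The 5x5 grid, the 4-cell pattern and the fixed sample grid are constructed here; the count assumes a pattern may reuse a cell.

```python
import secrets
from collections import Counter

GRID_SIZE = 5       # the standard 5x5 grid
PATTERN_LENGTH = 4  # length of the Personal Identification Pattern (PIP), an assumption


def make_challenge(size=GRID_SIZE):
    """Authenticator side: a fresh size x size grid of pseudo-random digits 0-9."""
    return [[secrets.randbelow(10) for _ in range(size)] for _ in range(size)]


def response_for(grid, pattern):
    """User side: the one-time PIN is the digits at the pattern's cells, in pattern order."""
    return "".join(str(grid[r][c]) for r, c in pattern)


def verify(grid, pattern, candidate):
    """Authenticator side: recompute the expected PIN from the registered pattern."""
    expected = response_for(grid, pattern)
    return secrets.compare_digest(expected, candidate)


def consistent_patterns(grid, observed):
    """How many patterns (cells may repeat) yield `observed` on this grid?

    Each digit of the response can come from any cell holding that digit, so the
    count is the product of the per-digit cell counts. A larger number means a
    single shoulder-surfed grid and PIN pins down the pattern less.
    """
    counts = Counter(d for row in grid for d in row)
    total = 1
    for ch in observed:
        total *= counts[int(ch)]
    return total


# Constructed sample grid and a diagonal pattern (registration: the shared secret).
SAMPLE_GRID = [
    [3, 1, 4, 1, 5],
    [9, 2, 6, 5, 3],
    [5, 8, 9, 7, 9],
    [3, 2, 3, 8, 4],
    [6, 2, 6, 4, 3],
]
SAMPLE_PATTERN = [(0, 0), (1, 1), (2, 2), (3, 3)]

if __name__ == "__main__":
    pin = response_for(SAMPLE_GRID, SAMPLE_PATTERN)
    print("one-time PIN:", pin, "accepted:", verify(SAMPLE_GRID, SAMPLE_PATTERN, pin))
    print("patterns consistent with this grid and PIN:", consistent_patterns(SAMPLE_GRID, pin))
```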
The user registration process and subsequent challenge-response process are described in more detail as follows:-
A study was carried out on the statistical security of GrIDsure by Richard Weber in the Statistical Laboratory of the University of Cambridge.
The full report outlines the mathematics of various GrIDsure grids, the probabilities of a thief guessing a PIN or a Personal Identification Pattern (PIP), the chances of a thief reverse-engineering a PIP, and the mathematical security of various sizes of grid and pattern. In an appendix to the main report, Professor Weber studies a number of likely fraud models in order to summarise in a single figure how much more secure GrIDsure is than a traditional PIN.
"After performing further sensitivity analysis on our model we may conclude that it is reasonable to say that against a plausible mix of risks GrIDsure is of the order of 100 times (i.e., two orders of magnitude) more secure than traditional pin."
He concludes:
"This is one of the most beautiful ideas I have seen in many years of looking at algorithms and optimisation problems." - Professor Richard R. Weber, Director, Statistical Laboratory, Cambridge University.
In March 2008, an independent security researcher, Mike Bond[4], identified flaws[5] in the Gridsure authentication scheme, specifically commenting on Weber's analysis, and concluded:
"The Gridsure authentication mechanism remains largely unproven. Studies so far are flawed or taken out of context; my own initial studies indicate further weaknesses."
The introduction to Dr Bond's paper states "This document is not intended to be a fully representative or balanced appraisal of the scheme."
University College London undertook an independent usability trial. This pilot study was carried out by the Department of Human Centered Systems/Department of Computer Science under the direction of Angela Sasse, Professor of Human-Centred Technology. With a background in Human-Computer Interaction, Prof. Sasse has been carrying out research since 1996 to develop a user-centred perspective on security, privacy and trust. She has investigated the usability and effectiveness of a number of security mechanisms, including passwords and biometrics. She contributed a review to the 2004 Foresight report on Cybertrust and Crime Prevention, and was appointed a Specialist Advisor to the Home Affairs Committee for its enquiry into the proposed introduction of ID cards. She currently serves on the Biometrics Advisory Group, an independent expert panel that advises the Home Office, and chairs the DTI Knowledge Transfer Network (KTN) on Human Vulnerabilities in Network Security.
The key objectives of this pilot study were to:
Fifty (50) subjects of varying age and ability were chosen (six were over the age of 60). The trial was carried out on Windows PDAs with ‘soft’ keyboards and no colour on the grid (making the process more difficult than it would be in a real-life situation). A standard 5x5 grid was used, and after first usage, subsequent checks were taken at intervals ranging from a few hours up to 11 weeks.
The key results of the study were:
In a covering letter to the study report, Professor Sasse states:
"Having looked at many mechanisms which have been proposed in recent years to overcome users' problems with PINs and passwords, this is the first one that has the potential to offer good usability and increased security at the same time."