PINgrid is a pattern based authentication technology that uses our mind’s ability to remember a pattern or shape, and turns this into a robust, simple-to-use logon technology.
This fundamental idea allows PINgrid to generate One Time Passcodes (OTPs) which can be used both for Multi-Factor Authentication and as a replacement for passwords. The user remembers the pattern and uses it to produce an OTP. The pattern is kept completely secret and is never divulged, whilst the code it produces changes from minute to minute.
How it works
The pattern + the grid = the OTP.
A user creates a pattern on a 6×6 or 8×8 grid, consisting of a selection of squares in a repeatable sequence.
When a user logs on to a device, they are presented with a grid of numbers. These numbers change every 60 seconds or every time they logon.
The user combines their pattern with the numbers on the grid to create a One Time Pin (OTP) which is entered in place of a password.
PINgrid can be used as a traditional Multi-Factor Authentication (2 and 3 factor) solution via the Authenticator Mobile App, as well as with Deviceless OTP, which allows for secure logons without a secondary device. PINgrid also includes the award-winning (SC Magazine Europe 2013) transaction signing functionality for securing high-risk tasks – all with a simple-to-use user interface.
PINgrid is well suited to risk-appropriate authentication scenarios, e.g. Internet Banking or workflow accountability, and can be easily integrated directly into applications via Web APIs. PINgrid can also replace legacy 2FA products in traditional scenarios, e.g. remote access, SSL VPN, or any solution using RADIUS.
2 Way-ID can be used by call centres to quickly identify a person over the phone, and the customer can likewise verify that the call centre operator is legitimate.
Frequently Asked Questions
How is PINgrid better than traditional 2FA?
Traditional 2 Factor Authentication tokens can be used by anybody in possession of the token. Furthermore, the PIN, the “something you know”, is divulged in full during each login. As such, “something you have” & “something you know” become “something somebody has” & “something anybody knows”.
In a PINgrid 2 Factor Authentication scenario, the “something you have” is only usable by the intended user, as it doesn’t display a usable code, just a challenge grid. Because the numbers in the grid are generated specifically for the intended user’s device and can only be used with their pattern, the grid is only usable by the person it was intended for. Therefore, the “something you have” cannot be used by anybody else even if they are in possession of it. The “something you know” is the pattern, which is never divulged during a login and thus remains only something that you know.
How does PINgrid provide transaction verification / transaction signing?
PINgrid can be used to securely verify transactions by simultaneously authenticating the user performing the transaction and verifying key transaction data in a single step. This technique is fundamentally different from traditional One Time Pin solutions, which only authenticate the user at the point of the transaction but do not verify the transaction details. The result is that the transaction details could be tampered with in transit even when a valid OTP is entered.
PINgrid’s secure transaction verification requires a Multi-Factor Authenticator Mobile App which allows the user to enter key transaction information, e.g. an account number, onto their offline mobile device in order to display a challenge grid. PINgrid uses the transaction information within the mathematical process that generates the numbers in the grid, and the transaction processing server performs the same calculation based on the transaction data it actually received. If the transaction data were maliciously modified in transit, the server would calculate different numbers from those the user saw when entering their code, so the OTP would not be valid and the server would decline the transaction. This type of technology is key to defeating online banking attacks such as “Operation High Roller” and is natively available within the Authlogics MFA solution.
How do the PINgrid soft tokens work?
PINgrid soft tokens, such as the Authlogics Authenticator Mobile App, are standalone apps which do not require any data connectivity to function. This is ideal when users are in areas of low signal or international roaming. The unique ID of the device running the app is registered on the server against a user account. The unique ID is cryptographically generated when the app is installed. The ID is used to calculate a token seed value, which is then combined with the current time to produce the numbers in the grid.
To add extra security to the seeding process, Mutual Device Assignment (MDA) can be used. MDA is a two-way process of pairing a user account to a two-factor device. The device is linked to the user account via a hardware ID. Conversely, a user account is linked to a soft token via a 10-character remote seed value. The Remote Seed value is derived from the actual 256-bit user seed stored by the server. Both the soft token and the server use the hardware ID & Remote Seed values when calculating the seed used to generate the numbers in the grid. Unlike fixed-seed systems, MDA allows for simple re-keying of a hardware device in case a seed is compromised. Similarly, if a hardware ID is somehow compromised, the remote seed value is still unknown.
MDA is automatically configured when an Authenticator Mobile App is registered via a QR code.
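The following is an added, self-contained model of the three mechanisms described on this page: “pattern + grid = OTP” (How it works), transaction data folded into the grid calculation (transaction signing), and a working seed built from a hardware ID plus a remote seed derived from the server-held 256-bit user seed (MDA). It is illustrative code written for this page, not Authlogics’ or PINgrid’s own algorithm. The specific constructions are assumptions: HMAC-SHA256 for seed derivation and grid generation, a 60-second time window, a Base32 prefix as the 10-character remote seed, and rejection sampling to turn hash bytes into unbiased grid digits. The hardware IDs, user seed, pattern and transaction string are constructed sample values.

```python
"""Toy model of pattern-grid OTP generation, transaction signing and MDA-style
seeding. Constructed for illustration; NOT the PINgrid/Authlogics algorithm."""
import base64
import hashlib
import hmac
import struct
import time

GRID_SIZE = 6        # the page allows 6x6 or 8x8 grids; 6x6 is used here
STEP_SECONDS = 60    # the grid changes every 60 seconds


def remote_seed_from_user_seed(user_seed: bytes) -> str:
    """10-character remote seed derived from the server's 256-bit user seed.
    Assumed construction: first 10 Base32 characters of SHA-256(user_seed)."""
    if len(user_seed) != 32:
        raise ValueError("user seed must be 256 bits")
    return base64.b32encode(hashlib.sha256(user_seed).digest()).decode()[:10]


def token_seed(hardware_id: str, remote_seed: str) -> bytes:
    """Working seed shared by soft token and server: both inputs are needed,
    so a leaked hardware ID alone is not enough (assumed HMAC construction)."""
    return hmac.new(remote_seed.encode(), hardware_id.encode(), hashlib.sha256).digest()


def challenge_grid(seed: bytes, window: int, transaction: bytes = b"") -> list:
    """Digits for one time window, optionally bound to transaction data, so that
    any change to the transaction yields a different grid."""
    digits, counter = [], 0
    while len(digits) < GRID_SIZE * GRID_SIZE:
        msg = struct.pack(">QI", window, counter) + transaction
        for b in hmac.new(seed, msg, hashlib.sha256).digest():
            if b < 250:              # rejection sampling keeps digits unbiased
                digits.append(b % 10)
        counter += 1
    digits = digits[: GRID_SIZE * GRID_SIZE]
    return [digits[r * GRID_SIZE:(r + 1) * GRID_SIZE] for r in range(GRID_SIZE)]


def otp_from_pattern(grid: list, pattern: list) -> str:
    """The user reads the digits at the pattern's cells, in pattern order."""
    return "".join(str(grid[r][c]) for r, c in pattern)


def verify_otp(seed: bytes, pattern: list, otp: str, transaction: bytes = b"",
               now: float = None, drift: int = 1) -> bool:
    """Server side: recompute the grid for the current window (plus/minus
    drift) from the transaction data it actually received and compare in
    constant time. The pattern itself is never sent over the wire."""
    now = time.time() if now is None else now
    current = int(now // STEP_SECONDS)
    for w in range(current - drift, current + drift + 1):
        expected = otp_from_pattern(challenge_grid(seed, w, transaction), pattern)
        if hmac.compare_digest(expected, otp):
            return True
    return False


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk through login, transaction signing, tampering, device re-key and
    an expired code. All values below are constructed sample data."""
    user_seed = hashlib.sha256(b"constructed user seed").digest()   # 256-bit
    remote = remote_seed_from_user_seed(user_seed)
    seed = token_seed("DEVICE-HWID-0001", remote)                     # sample ID
    pattern = [(0, 0), (1, 1), (2, 2), (3, 3), (4, 4), (5, 5)]       # diagonal
    window = int(now // STEP_SECONDS)

    # 1. Plain login: pattern + grid = OTP
    otp = otp_from_pattern(challenge_grid(seed, window), pattern)
    login_ok = verify_otp(seed, pattern, otp, now=now)

    # 2. Transaction signing: account details typed into the offline app
    tx = b"ACCT:12345678;AMT:500.00"
    signed = otp_from_pattern(challenge_grid(seed, window, tx), pattern)
    tx_ok = verify_otp(seed, pattern, signed, tx, now=now)
    # The server received modified details: its grid differs, OTP fails
    tampered_ok = verify_otp(seed, pattern, signed, b"ACCT:99999999;AMT:500.00", now=now)

    # 3. Re-key: a new device ID with the same remote seed yields a new grid
    seed2 = token_seed("DEVICE-HWID-0002", remote)
    old_device_ok = verify_otp(seed2, pattern, otp, now=now)

    # 4. A code from an earlier window is rejected outside the drift tolerance
    expired_ok = verify_otp(seed, pattern, otp, now=now + 180)

    return {"login": login_ok, "tx": tx_ok, "tampered": tampered_ok,
            "old_device": old_device_ok, "expired": expired_ok}


if __name__ == "__main__":
    print(demo())
```

The verifier side only ever compares a recomputed OTP, so the pattern stays on the server and in the user’s head; the `drift` window is the usual clock-skew tolerance and should be kept small, since each extra window is another candidate an attacker could match.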