PINgrid is a pattern-based authentication technology that uses our mind’s ability to remember a pattern or shape, and turns this into a robust, simple-to-use logon technology.
This fundamental idea allows PINgrid to generate one-time codes which can be used both for multi-factor authentication and password replacement. The user remembers the pattern and uses this to produce a one-time code. The pattern is kept completely secret and is never divulged, whilst the code it produces changes from minute to minute.
How it works
A user creates a pattern on a 6×6 or 8×8 grid, consisting of a selection of grid positions in a repeatable sequence.
When a user logs on to a device, they are presented with a grid of numbers. These numbers change every time they log on.
The user combines the position and sequence of the pattern they memorised with the unique grid that is displayed to them, to create a one-time code which is entered in place of a password.
Whilst PINgrid can be used as a traditional 2 Factor Authentication solution, it also suits many other scenarios. PINgrid 1.5 Factor Authentication allows for a secure One Time Code logon without having a secondary device at all, which is well suited to easy-access, medium-security situations. PINgrid 3 Factor Authentication includes the award-winning (SC Magazine Europe 2013) transaction signing functionality for securing high-risk tasks – all with a simple-to-use user interface.
PINgrid caters very well for risk-appropriate authentication situations, e.g. Internet Banking or workflow accountability. It can be easily integrated directly into applications via Web APIs and SDKs for both the authentication server and mobile devices. PINgrid can also replace legacy 2FA solutions for traditional scenarios, e.g. remote access, SSL VPN, or any solution using RADIUS.
2 Way-ID can be used by call centers to quickly identify a person over the phone and a customer can also verify that the call center operator is legitimate too.
Frequently Asked Questions
How is PINgrid better than traditional 2FA?
Traditional 2 factor tokens can be used by anybody in possession of the token. Furthermore, the PIN, the something you know, is divulged in full during each login. As such, “something you have & something you know” should really read “something somebody has & something anybody knows”.
In a PINgrid 2 factor scenario, the something you have is only of use for the intended user as it doesn’t display a usable code, just a challenge grid. As the numbers in the grid are generated specifically for the intended user’s device and can only be used with their pattern, it is only usable by the person it was intended for. Therefore, the something you have cannot be used by anybody else even if they are in possession of it. The something you know is the pattern which is never divulged during a login and thus remains only something you know. As such, something you have & something you know logic holds true.
How does PINgrid provide transaction verification / transaction signing?
PINgrid can be used to securely verify transactions by simultaneously authenticating the user performing the transaction, and verifying key transaction data in a single step. This technique is fundamentally different from traditional One Time Code solutions which only authenticate the user at the point of the transaction but do not verify the transaction details. The result is that the transaction details could be tampered with in transit even when a valid OTC is used.
PINgrid’s secure transaction verification requires a 2 Factor soft token which allows the user to enter key transaction information, e.g. an account number, onto their offline smart device in order to display a challenge grid. PINgrid uses the key transaction information within the mathematical process used to generate the numbers in the grid, and the transaction processing server is able to perform the same calculation based on the transaction data it actually received. If the transaction data were maliciously modified in transit, the server would calculate different numbers from those the user saw when entering their code. Thus the code will not be valid and the server will decline the transaction. This type of technology is key to defeating online banking attacks such as “Operation High Roller” and is natively available within the PINgrid SDKs.
How do the PINgrid soft tokens work?
The PINgrid soft tokens are standalone apps which do not require any data connectivity to function. This is ideal when users are in areas of low signal or international roaming. The hardware ID of the device running the soft token is registered on the server against a user account. The hardware ID is typically an IMEI number or an equivalent unique hardware moniker. The hardware ID is used, in part, to calculate the token seed value. The seed is then combined with the current time of the device to produce the numbers in the grid.
To add extra security to the seeding process, Mutual Device Assignment (MDA) can be used. MDA is a two-way process of pairing a user account to a two factor device. The device is linked to the user account via a hardware ID. Conversely, a user account is linked to a soft token via a 10-character remote seed value. The Remote Seed value is derived from the actual 256-bit user seed stored by the server. Both the soft token and the server use the hardware ID and Remote Seed values when calculating the seed used to generate the numbers in the grid. Unlike fixed-seed systems, MDA allows for simple re-keying of a hardware device in case a seed is compromised. Similarly, if a hardware ID is somehow compromised, the remote seed value is still unknown.
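The following Python is an added illustrative model of the whole flow described on this page (pattern on a grid, time-varying grid digits, transaction data folded into the grid, and an MDA-style seed built from a hardware ID plus a remote seed); it is not PINgrid’s own code and the vendor’s real algorithm is not published here. HMAC-SHA256 as the grid function, a 60-second time step, the diagonal pattern and the placeholder hardware ID, remote seed and account numbers are all assumptions.

```python
import hashlib
import hmac

GRID_SIZE = 6          # the page describes 6x6 or 8x8 grids
STEP_SECONDS = 60      # assumption: the grid changes once per minute

def derive_seed(hardware_id, remote_seed):
    # MDA-style seed (assumed construction): the device hardware ID and the
    # 10-character remote seed are combined so neither alone yields the seed.
    return hmac.new(remote_seed.encode(), hardware_id.encode(), hashlib.sha256).digest()

def challenge_grid(seed, time_step, txn_data=""):
    # Derive GRID_SIZE*GRID_SIZE unbiased decimal digits from
    # HMAC(seed, time_step || transaction data); bytes >= 250 are rejected
    # so that each digit 0-9 is equally likely.
    msg = time_step.to_bytes(8, "big") + txn_data.encode()
    digits, counter = [], 0
    while len(digits) < GRID_SIZE * GRID_SIZE:
        block = hmac.new(seed, msg + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        digits += [b % 10 for b in block if b < 250]
        counter += 1
    digits = digits[:GRID_SIZE * GRID_SIZE]
    return [digits[r * GRID_SIZE:(r + 1) * GRID_SIZE] for r in range(GRID_SIZE)]

def one_time_code(grid, pattern):
    # The user reads the digit at each memorised (row, col) position, in order.
    # The pattern itself never leaves the user's head; only the digits do.
    return "".join(str(grid[r][c]) for r, c in pattern)

def verify(seed, pattern, submitted, time_step, txn_data=""):
    # Server side: rebuild the grid from the transaction data it actually
    # received, derive the expected code and compare in constant time.
    expected = one_time_code(challenge_grid(seed, time_step, txn_data), pattern)
    return hmac.compare_digest(expected, submitted)

def demo(unix_time=1700000000):
    # Constructed values: placeholder hardware ID, remote seed, pattern and account.
    seed = derive_seed("IMEI-PLACEHOLDER-000", "REMOTESEED")
    pattern = [(0, 0), (1, 1), (2, 2), (3, 3), (4, 4), (5, 5)]
    step = unix_time // STEP_SECONDS
    account = "ACCT-12345678"
    # The offline token shows the grid for the account the user typed in.
    code = one_time_code(challenge_grid(seed, step, account), pattern)
    accepted = verify(seed, pattern, code, step, account)
    # If the account number were altered in transit, the server's grid differs
    # and the same code is rejected.
    tampered = verify(seed, pattern, code, step, "ACCT-99999999")
    return accepted, tampered
```

Because the digits at the pattern positions are a function of the seed, the time step and the transaction data, a code captured from one grid is useless for another minute or another account, and the pattern is never transmitted.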