Graham Titterington
Promising proposal for near universal user authentication method
A UK start up company, GrIDsure, has patented an approach to authenticating users that has a very wide range of applications. It is already being touted as a replacement for conventional Chip and PIN and for solving the problem of user authentication in online transactions. Its beauty is its simplicity and that it doesn't need any particular form of hardware for its implementation. It is ideal for authentication on computer terminals. The Churchill Professor for Operational Research at the University of Cambridge has estimated it to be 100 times more secure than conventional Chip and PIN, and it has already won endorsements from Visa, MasterCard and the Cabinet Office of the UK government.Comment: We often see new ideas in our line of work. Many are fundamentally flawed, and many more simply fall by the wayside under the pressure of the market. This one does however look like a winner. It possesses a beautiful simplicity and generality. Basically it replaces passwords, PINs and fingerprints by asking the user to choose and remember a unique pattern, which is (we are told) more in line with the human psyche. Typically this could be a selection of squares within a grid. Each time the user is required to authenticate, they would be presented with the grid in which each square was labelled. Crucially more than one square would share each label. The labels would be different every time. The user would enter the labels of the squares in their chosen pattern. However as each of these labels does not identify a unique square it is impossible to reconstruct the pattern from this reply (except if a large number of interactions were monitored). Thus the secret pattern would remain secret, even if the machine was compromised by spyware or the user was being watched as they entered their PIN. This latter risk, known as "shoulder surfing", is a major weakness in Chip and PIN schemes. The scheme can be implemented on computers, mobile phones, ATM machines and specialist smart card devices. It can even be adapted for blind people by having the device speak the labels of the squares in the grid, or for illiterate people by using symbols to label the squares. There is a remarkable convergence of accessibility, security and ease of use in this simple idea.
The credit card industry is recoiling from the recognition that Chip and PIN has only reduced total fraud losses by 3% - the other savings on customer-present fraud have simply been matched by increased losses on customer-not-present transactions. A scheme that could protect both scenarios has immense appeal. It is a pity that this invention was not available before Chip and PIN started, and so now it is more likely to roll out in the Internet domain. Watch this space!
