- Published: 22 March 2011
- Written by NStinchcombe
Pattern-based authentication “comes of age” with pin+
A system which will allow the information security industry to ditch passwords, PINs and tokens is to debut at this year’s Infosecurity Europe Show.
pin+™ utilises the power of matrix-pattern authentication (MPA) to generate one-time codes without hardware tokens or card readers, and is arguably the most exciting advance in computer security since the invention of tokens over 20 years ago.
pin+ brings standardisation and essential comfort/familiarity for users. Its highly recognisable (trademarked) shield-shaped matrix offers ease-of-use combined with high security, thanks to its unique 6X6X6X6 format (6X6 matrix, 6-digit one-time codes, using only numbers 1-6).
Powered by new patent-pending IPR from Winfrasoft, pin+ offers users a raft of powerful new features.
“In pin+ the basic concept of extracting one-time codes using patterns on a matrix of squares has been honed into a powerful tool for real-world use wherever strong authentication of individuals is required,” said Jonathan Craymer, managing director of PinPlus Limited. “With the launch of pin+ Matrix Pattern Authentication (MPA) has truly come of age.”
pin+ offers:
- consistent standardised look and feel (all applications)
- vastly increased mathematical strength
- true one-time codes
- superior protection
- improved resistance to reverse engineering
- static PIN option
- fast/consistent implementation.
“I challenge anyone to come up with a better system for strongly authenticating individuals in virtually any scenario imaginable than matrix pattern authentication as represented by pin+,” added Craymer.
“We’ve taken a good basic concept and refined it for real-world use, in a way no-one has done before. Our aim is to do what successful brands like McDonald's and Visa/MasterCard have done respectively for roadside fast food and credit cards. By introducing a standard 6X6 pin+ shield matrix, we're going to give users a feeling of comfort and familiarity, as well as the essential ability to transfer secret patterns from one platform/system to another.
“As for mathematical strength, the Winfrasoft patent-applied-for system which powers pin+ offers no less than 2.1bn pattern combinations**, compared to only, say, 390,625 from 5X5/4-digit code systems. This arguably makes pin+ over five and a half thousand (5,572) times stronger than such a format.
“True one-time codes? pin+’s patent-pending system ensures “correct” codes can only be used once, while many other systems allow you to use codes again, leaving them susceptible to so-called replay attacks.”
pin+ offers superior protection: its highly-developed algorithm has built-in protection against pattern cracking, screen scraping and replay attacks that rivals do not offer, and it avoids the security peaks and troughs of less sophisticated systems, in which the particular set of characters presented can occasionally make a given challenge more or less secure than another.
And the static PIN option? Steve Hope of pin+ partner Winfrasoft explains: “This is another patent-protected new feature which allows users to exponentially increase security by inserting an additional 4 (or more) digit number into one-time codes. This can be entered before, after, or even in the middle of a one-time code, hugely increasing the entropy strength.
“We’re also offering improved resistance to reverse engineering as pin+’s restriction of its standard character-set (using only the numbers 1-6 on a 6x6 matrix) increases repetition of characters on the matrix (each one appears 6 times) meaning an attacker would have to capture and analyse 4 to 6 successful logins to reverse a pattern, compared to just 2 or 3 for some other systems.”
pin+ also offers fast and consistent implementations because every deployment will be compatible with other uses of the system, thanks to consistent implementation standards and guidelines. “This means there’s no guesswork or need to ‘reinvent the wheel’,” added Hope. “pin+ naturally forms part of a positive authentication ‘ecosystem’, made even easier by the availability of a pin+ Software Development Kit (SDK) including all the necessary source and compiled code, for rapid product delivery.”
pin+ is available for Solutions Integrators and others to build in the new system right now, and Winfrasoft will launch the first off-the-shelf ‘boxed’ product with pin+ embedded at InfoSec. Watch this space.
“The above features add enormously to the well-known benefits of matrix pattern authentication, in particular the way it gets users effortlessly to create consistently complex and sophisticated barriers against hackers, without the need for special training, procedures or disciplines,” adds Craymer.
“In theory everyone could construct and use really strong passwords, but in reality they don’t, and if any IT department or director says otherwise, they’re not living in the real world. We believe users don’t need training – they need something like this, which is easy to use, and guarantees a secure secret is used. Why make life hard, when it can be this easy?”
Notes for editors:
Some interesting additional stats/facts on pin+:
** Maths buffs may like to know that a 6x6 matrix with a 6-digit PIN offers 2,176,782,336 potential patterns.
While this should be more than adequate for most corporate, or even military, use, a 10X10X6X10, or even 10X10X10X10, configuration is available for ultra high security applications.
It may also be worth mentioning that if an attacker were intent on making a “brute force” attack, pin+’s built-in limit of three login attempts every five minutes would make it a long job. To try every one of the 46,656 combinations in a typical 6-digit PIN (using the numbers 1 to 6 only) he would have to work through 15,552 five-minute windows of three attempts each, taking 1296 hours, in other words just under 2 months!
Although it is against the odds that an attacker will successfully make a “lucky guess” at a one-time code, even if he does, he will not be able to re-use it and it will not reveal the pattern. It is comforting to know that with pin+ the chances of this happening are reduced still further. The 4-digit one-time PINs (using characters 0-9) used in other 4-digit systems only have 10,000 combinations (10X10X10X10), whereas a 6-digit pin+ OTP (using only the numbers 1-6) offers 46,656 combinations, and is arguably almost five times stronger. Every little helps.
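The following Python model of the 6X6X6X6 scheme is an added illustration, not Winfrasoft's or PinPlus's code, and it assumes the generic matrix-pattern mechanism described in this release (a grid of digits 1-6 with each digit appearing six times, a secret six-cell pattern read in order to give the one-time code, a fresh grid per login, and a three-attempts-per-five-minutes limit); the pattern used in comments is a constructed example, and the 36^6 figure is reproduced by counting ordered six-cell patterns with cells allowed to repeat.

```python
import secrets
from datetime import timedelta

SIZE = 6                       # 6x6 matrix
ALPHABET = "123456"            # only the digits 1-6 appear in the cells
CODE_LEN = 6                   # six-cell pattern -> 6-digit one-time code
ATTEMPTS_PER_WINDOW = 3        # built-in limit: three login attempts ...
WINDOW = timedelta(minutes=5)  # ... every five minutes

def new_matrix(rng=None):
    """Fill the 6x6 grid so every digit 1-6 appears exactly six times."""
    rng = rng or secrets.SystemRandom()
    cells = list(ALPHABET * SIZE)  # 36 cells, six copies of each digit
    rng.shuffle(cells)
    return [cells[r * SIZE:(r + 1) * SIZE] for r in range(SIZE)]

def read_code(matrix, pattern):
    """What the user does: read the digits at the pattern's (row, col) cells in order."""
    return "".join(matrix[r][c] for r, c in pattern)

class PatternVerifier:
    """Server side: holds the user's secret pattern (e.g. the constructed diagonal
    [(0,0),(1,1),...,(5,5)]), issues a fresh matrix for every login and consumes
    the challenge on any attempt, so a captured code cannot be replayed."""
    def __init__(self, pattern, rng=None):
        self.pattern = list(pattern)
        self.rng = rng or secrets.SystemRandom()
        self.matrix = None

    def challenge(self):
        self.matrix = new_matrix(self.rng)
        return self.matrix

    def verify(self, code):
        if self.matrix is None:  # no live challenge: stale or replayed code
            return False
        expected = read_code(self.matrix, self.pattern)
        self.matrix = None       # one-time: the challenge is burnt either way
        return secrets.compare_digest(code, expected)

def strength():
    """The figures quoted in the notes above, derived from the 6x6x6x6 parameters."""
    patterns = (SIZE * SIZE) ** CODE_LEN           # 36^6 = 2,176,782,336
    codes = len(ALPHABET) ** CODE_LEN              # 6^6 = 46,656 one-time codes
    windows = codes // ATTEMPTS_PER_WINDOW         # 15,552 lockout windows
    hours = windows * WINDOW / timedelta(hours=1)  # 1296 hours to exhaust them
    return patterns, codes, windows, hours
```

Note that the replay protection here comes from discarding the challenge, so the same digits read off a later grid are only accepted if they happen to be that grid's correct code.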