A new smart card system based on British and Finnish technology claims to have overcome the problem of the static four-digit PIN, which is open to a range of attacks including password replay, key-logging and shoulder-surfing.
The smart card, from Finnish-based Aventra, incorporates technology from a small Cambridge company called Gridsure, which generates a new code every time for the user to enter.
The smart card technology works by sending a grid of randomly-generated digits (normally 5 by 5 cells) to the user's display, which could be a mobile phone, a PDA or a PC. The user will have already chosen four cells as their own individual authentication pattern, and so can identify themselves by keying in the digits displayed in those cells for that particular authentication.
The deal is a major coup for Gridsure, a private company of just seven people, which was founded in 2005 and launched its authentication technology just a year ago. It has already licensed its grid technique to a number of companies, including Actividentity, Ingenico, Masabi, Vizuri, Tata and CGI, but the Aventra card is the first commercial product to be based on it.
Gridsure chairman Jonathan Craymer said the strength of smart card authentication could be increased by enlarging the grid to 9 by 9, or 10 by 10, and by asking users to enter six digits. He said some people used a pattern – such as a tick or an L-shape – to help them memorise their cells without compromising security.
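The challenge and response described above, as an added Python example that is not Gridsure's or Aventra's code: the server issues a fresh grid of random digits, the expected code is the digits sitting in the user's enrolled cells, and each grid is discarded after one check so a captured response cannot be replayed. The 5 by 5 grid, the L-shaped pattern and the session id are constructed sample values; the grid size and pattern length are parameters so the 9 by 9 and six-digit variants mentioned above work unchanged.

```python
import secrets
import hmac

def generate_grid(size=5):
    """Build a size x size grid of random decimal digits with a CSPRNG."""
    return [[secrets.randbelow(10) for _ in range(size)] for _ in range(size)]

def expected_code(grid, pattern):
    """Read the digits in the user's enrolled (row, col) cells, in pattern order."""
    size = len(grid)
    for row, col in pattern:
        if not (0 <= row < size and 0 <= col < size):
            raise ValueError(f"cell ({row}, {col}) lies outside a {size}x{size} grid")
    return "".join(str(grid[r][c]) for r, c in pattern)

def verify(grid, pattern, response):
    """Constant-time comparison of the keyed digits with the expected code."""
    if len(response) != len(pattern) or not response.isascii():
        return False
    return hmac.compare_digest(expected_code(grid, pattern), response)

class GridChallenge:
    """Server side: one fresh grid per login attempt, discarded after one check."""
    def __init__(self, size=5):
        self.size = size
        self.pending = {}  # session id -> grid awaiting its response

    def issue(self, session_id):
        grid = generate_grid(self.size)
        self.pending[session_id] = grid
        return grid  # sent to the phone, PDA or PC for display

    def check(self, session_id, pattern, response):
        # pattern comes from the user's enrolment record, never from the client
        grid = self.pending.pop(session_id, None)  # single use: a replayed code has no grid
        return grid is not None and verify(grid, pattern, response)

# Constructed sample values (not from the article): a 5x5 grid and an L-shaped
# pattern running down the first column and turning right along the third row.
SAMPLE_GRID = [
    [3, 1, 4, 1, 5],
    [9, 2, 6, 5, 3],
    [5, 8, 9, 7, 9],
    [3, 2, 3, 8, 4],
    [6, 2, 6, 4, 3],
]
L_PATTERN = [(0, 0), (1, 0), (2, 0), (2, 1)]
```

With the sample grid the user keys in 3958; a fresh grid on the next login yields a different code from the same cells.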
As well as overcoming the problem of the static PIN, Craymer said the technology was also more effective than a security token, which could be used by a thief. "Only the users themselves know their pattern of cells, and so a thief cannot copy it," he said.
The technology is also not limited to displaying digits, Craymer said. It could also display coloured panels or even pictures, if that is more suited to the application.
Gridsure's main aim is to provide smart card technology for other companies to embed in their own products, but Craymer added that the company has created a 'phone back' system for demonstration to banks which, for instance, want to send a one-time code for a user to key in. "If the phone is stolen, then the thief could steal the code. With our system, the user would receive a grid of digits, and only they would know which ones to key in," he said.
He added that the company was in "a number of interesting discussions" with banks about the technique, but none of these had reached a conclusion yet.