Gridsure, a UK company, has created a very nice way to provide strong authentication. Strong authentication combines what you know (login, password) and what you have (something physical).
In the long list of strong authentication mechanisms we know Smartacards, tokens, and more recently we have seen products capable of using the “mobile phone” as a proof of identity (One Time Password sent via SMS, audio authentication, software installed on the device, etc..).
Gridsure has changed the notion of “what I have” by in fact “what I have in my brain”. In their logic, step one for you is to provide to the authentication server (inside the company) a drawing (they call it a pattern), for example a “Z”. Once you have provided this “pattern”, every time you connect Microsoft IAG, the login banner will contain a grid with numbers. The place of these numbers in the grid changes every time you connect.
How strong authentication works now ? The user will see the grid (with random number) and mentally put his “pattern” (something he HAS in his brain) on top of it. Without typing anything (no click on the grid) he will identify the “One Time Password” based on this temporary Grid.
Let’s take an example.
Step 1 (called provisioning phase), you (as a user of the solution) connect the Gridsure web server, and create your pattern. The application will show you a basic grid, with nice 123456789 (previous screenshot). In that example, my Pattern is a drawing like a “Z”, so I tell it to the provisioning system by selecting 1379. Now the Gridsure authentication server knows your secret and associate “My User Name” with “this Z pattern”. You share this secret with the authentication server, you in your brain, the server in his database !
Step 2 (in fact each time you connect Microsoft IAG), you will see on the authentication page 3 questions : your login, your password (if you want to do large SingleSingOn, it is better to also ask the password also) and the “One Time Password” that Gridsure authentication server will use.
This time, do not expect a 12345679 grid, all the numbers will be randomly positioned in the Grid. So visually you will need to peek the numbers, under your “grid”.
Let’s suppose that for this authentication, the Gridsure authentication server has generated a temporary grid like this. IAG will show you this drawing on the login banner :
As you can see our “Z” pattern will give us 3147 as the One Time Password for this session. This information will be sent by IAG to the authentication server, the server will verify that the OTP/Username/Grid is ok, and will validate authentication.
For sure, I took a very basic grid to illustrate their approach, but in reality the grid is a bit bigger. This makes sure that even if a hacker capture at the same time the screen (the grid) and the “OTP” - because there are multiple same numbers (X times 1, X times 2, ..) - he will not be able to guess the pattern by reverse engineering.
This “Gridsure” Strong Authentication does not require any hardware or software to be deployed, is very simple to understand, and I think it has a great potential for most of the users (employees, partners and even customers).
Of course you will not reach here the same level of security as PKI or hardware token, but you are very close, and definitely kill the risky “login/password” authentication approach to reach very high level of security.
In a next article, I will tell you how to connect IAG with Gridsure authentication server.
For more information about their technology, check their videos online: htttp://www.gridsure.com/about/about-gridsure.asp?ItemID=68
Notice that Microsoft IAG supports all kind of authentication, from all vendors. I personally don’t recommend such or such technology, I just share with you the pros and cons of solutions.