What is GrIDsure?

GrIDsure is a simple-to-use but very secure method by which someone can prove their identity or say "It's me!" to other people over the web, or to machines such as computers, ATMs, tills etc. - without additional hardware (e.g. "code-generators" such as tokens or "CAP" sleeve readers).

How does it work?

Instead of having a "fixed" set of characters for a pass-code (in the form of a password, PIN, combination etc.) - which can be vulnerable to threats like key-logging, shoulder-surfing etc., users simply choose a pattern of squares on a grid. For instance their chosen cells might form an 'L' or a 'tick' shape.

We call this "secret" shape a PIP (Personal Identification Pattern).

Once users have set up their PIP, they can use it to authenticate themselves on web-screens, phones, tills, ATMs etc. To authenticate, the user is shown a new grid populated with random numbers. All users have to do is read off the numbers in their pattern positions, in the right sequence, and type them in.

Next time they use the system the grid will have a different set of random numbers and so the PIN or password they type in will be different. At no time in the process does the user reveal his secret PIP. The patent-pending process is very simple to use but is remarkably effective and secure.
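The challenge-response flow described above, as an added sketch that is not GrIDsure's own code. The 5x5 grid, four-cell PIP, digit alphabet, session store and all function names are assumptions made for illustration; the page does not specify them.

```python
import hmac
import secrets

SIDE = 5                      # assumed grid size (not stated on the page)
DIGITS = "0123456789"         # assumed alphabet
_pending = {}                 # session id -> grid awaiting exactly one answer

def new_grid(side=SIDE):
    """Fresh challenge: side*side digits from a CSPRNG, stored row-major."""
    return [secrets.choice(DIGITS) for _ in range(side * side)]

def read_code(grid, pip):
    """The user's step: read the digits at the PIP cells, in PIP order."""
    return "".join(grid[cell] for cell in pip)

def issue_challenge(session_id):
    """Server step 1: bind a new random grid to this login attempt."""
    _pending[session_id] = new_grid()
    return _pending[session_id]

def check_response(session_id, stored_pip, submitted):
    """Server step 2: consume the grid, recompute the code, compare.

    pop() makes each grid single-use, so a captured code cannot be replayed.
    In this sketch the server holds the PIP itself, since a one-way hash
    of the PIP could not be used to recompute the expected code.
    """
    grid = _pending.pop(session_id, None)
    if grid is None:
        return False
    expected = read_code(grid, stored_pip)
    return hmac.compare_digest(expected.encode(), submitted.encode())

# Constructed sample: an 'L' shape on a 5x5 grid (cells numbered 0..24).
L_SHAPE_PIP = (0, 5, 10, 11)

if __name__ == "__main__":
    grid = issue_challenge("demo-session")
    for row in range(SIDE):
        print(" ".join(grid[row * SIDE:(row + 1) * SIDE]))
    code = read_code(grid, L_SHAPE_PIP)
    print("one-time code:", code)
    print("accepted:", check_response("demo-session", L_SHAPE_PIP, code))
    print("replayed:", check_response("demo-session", L_SHAPE_PIP, code))
```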


Might it replace all passwords and PINs?

It certainly has the potential to do so. A GrIDsure "secret" can be used wherever a conventional user code or password would normally be employed for logging in etc., on ANY system or device (as long as a GrIDsure grid can be shown). It takes up no more space, character-for-character, than a "conventional" password on an authentication database, and it is extremely easy to implement. For these reasons, we believe GrIDsure is the future for a great deal of human-machine interaction, where the user has to prove his/her ID, authorisation or consent.


How strong is GrIDsure, compared to passwords and PINs?

How can you quantify the security benefits of having a new code every time? Bear in mind that once someone's seen you inputting an ordinary password or PIN, any security value that code once had has gone - instantly!

Another strength GrIDsure has is that it's much easier for the human brain to remember graphical shapes, instead of a "cold" string of numbers or letters. The drive toward longer and more complex passwords over the past few years has become counter-productive as people simply cannot remember them and so they tend to get written down on scraps of paper and left in desk drawers.

GrIDsure shapes are so easy to remember and there is no need to write them down.


What about the mathematical strength?

Many experts have looked at GrIDsure, and all who've done so agree it greatly "raises the bar" against fraudsters. Based upon a number of models compiled by a Cambridge Professor of Mathematics, GrIDsure is thought to be about 100 times more secure than a traditional PIN.

Furthermore, it is possible to increase the size of the grid or the length of the Personal Identification Pattern (PIP) and achieve much higher levels of security without any real increase in workload for the user.

GrIDsure's very simplicity creates yet more strength. There's no complex piece of technology, such as a clever "algorithm" or formula for a hacker to "reverse engineer". The very randomness of users' PIPs means fraudsters quite literally don't know where to start. This means there's no risk of a wholesale attack on millions of accounts at a bank, for instance.


Can a fraudster work out my PIP if he sees me inputting a code?

Depending upon how GrIDsure is deployed, the chances of someone working out your PIP range from “extremely difficult” to “virtually impossible”. If the grid is displayed on the same device as the keyboard, the fraudster would have to observe the grid AND the numbers being typed at the same time; he would then need to see several entire transactions and carry out a good amount of analysis. Compare that to a standard PIN or password: if that’s observed just once, the security is breached. One of the main difficulties for a fraudster is that the numbers are repeated several times on the grid, so observing the numbers being typed in does not give away the pattern.

But there are other factors to remember here.

1. GrIDsure is NEVER EVER implemented on touch screens, so someone won't work out your PIP from cells being pressed on screen.

2. GrIDsure can be deployed in such a way that the device displaying the grid is separate from the one on which the PIN is entered. For example, you could use a disconnected mobile phone to generate a grid which you can then use to generate a passcode for a web transaction. In this situation someone eavesdropping on your internet connection will only see the one-time PIN being typed in, so he has no chance of working out your PIP.
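To put a number on the point that repeated digits hide the pattern, this added example (not GrIDsure's code) counts how many ordered cell sequences would read as the same code on one observed grid. The 5x5 grid, four-cell PIP, sample grid and function names are assumptions made for illustration.

```python
import math
import secrets
from collections import Counter

def consistent_patterns(grid, code):
    """Count ordered sequences of distinct cells that read as `code` on `grid`."""
    used, total = Counter(), 1
    for digit in code:
        total *= grid.count(digit) - used[digit]   # cells still free for this digit
        used[digit] += 1
    return total

def mean_ambiguity(trials=2000, side=5, pip_len=4):
    """Average count over random grids and random PIPs (Monte Carlo estimate)."""
    rng = secrets.SystemRandom()
    cells = side * side
    total = 0
    for _ in range(trials):
        grid = [rng.choice("0123456789") for _ in range(cells)]
        pip = rng.sample(range(cells), pip_len)
        total += consistent_patterns(grid, "".join(grid[c] for c in pip))
    return total / trials

# Constructed 5x5 grid (row-major) and the code an 'L' at cells 0, 5, 10, 11 yields.
SAMPLE_GRID = list("3141592653589793238462643")
SAMPLE_CODE = "3958"

if __name__ == "__main__":
    print("patterns matching the sample:", consistent_patterns(SAMPLE_GRID, SAMPLE_CODE))
    print("all ordered 4-cell patterns: ", math.perm(25, 4))
    print("mean over random grids:      ", round(mean_ambiguity()))
```

Comparing the count for one observation with the total number of ordered patterns shows how much a single observed grid and code narrow the candidates, which is the quantity to track when choosing grid size and PIP length.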

What happens if my GrIDsure secret is compromised?

In the unlikely event this happens, you'd just be asked to re-register your PIP - exactly as you'd set up a new password if your old one is compromised.

How can I register my PIP securely?

There are several ways to do this. Some examples include:

1. For a banking or credit card application you could do this over the counter at a bank, at an ATM or your bank could send you a new one in the post.

2. Online via a secure connection.

 

 


Will GrIDsure help fight software threats like spyware, key-logging, screen-scraping and Man-In-the-Middle attacks?

Unfortunately these threats are part of everyday life and there is no magic bullet that will eradicate them altogether. However GrIDsure can be used as an ‘ingredient’ in a wider security strategy to make life much more difficult for the fraudster and significantly reduce the threat.

Say you needed to login on an "insecure" computer. A GrIDsure application on a mobile phone could act as a high-security code generator. Key-logging/screen-scraping wouldn't help the fraudster one bit. Your phone would become a kind of "super token" as even if a thief stole it, he couldn't read the code. Because only you know the PIP, only you can read the code!


How does GrIDsure fit in with the CAP or sleeve reader code generator solution being promoted by many UK banks?

Without in any way doing-down any of the excellent work which has been done in this area, we believe GrIDsure could either strengthen the security of these devices OR enable financial institutions and their customers to do without them.

What is a sleeve reader? It's like a calculator with a card slot. Some banks are using them to more strongly ID web-banking customers, and in the future they'll allow users to make card purchases over the web.

How do they work? The user inserts a credit/debit card and his/her PIN, and it creates a one-time code. Yes it does the job, BUT you still need your PIN, AND you need to carry the device around - or make sure it's present at the office or home when you want to use it.

Another big BUT is that a fraudster who steals a card and PIN together, can now go online and pretend to be you. (He can use any sleeve reader - and may have one in his pocket ready - they all work with any card.)  

We believe that the PIN is the ‘Achilles heel’ of Chip and PIN. GrIDsure is proven to be many times more secure than a PIN, so if the banking industry does choose to promote the sleeve-reader then why not replace the PIN with a GrIDsure code?


Can I use one GrIDsure secret or PIP for several credit cards or accounts?

Of course. We believe its high security nature means GrIDsure is safe to use with multiple card accounts, or anything else within reason. At the end of the day, GrIDsure is a tool designed to protect your personal assets, and how you use it is entirely up to you. Use it well, and it'll serve you well. But like any security system it can be mis-used, or its security lowered by unthinking actions.

Can GrIDsure be used for mobile phone-based applications?

It's ideal for this fast-growing sector. A GrIDsure code is an ideal way for a phone user to authenticate himself for example with M-banking applications. One of our partners, Masabi, recently demonstrated a number of secure GrIDsure-based solutions to an industry event in London this year.


How does GrIDsure fit alongside other systems like token code generators, or biometrics?

As it's a new "weapon" in the fight against ID theft and online fraud, GrIDsure fits well alongside anything, including biometrics by creating an additional security layer or "factor". It will work extremely well WITH code generators, taking the place of the fixed PIN most of them require – making for a much simpler and a much more secure process.

We have a large organisation with employees logging in currently using tokens. How can GrIDsure help?

A number of market leading companies are working with GrIDsure to develop solutions for the corporate market, whether it be for a PC login replacement, remote VPN login or access to any other IT resource.

GrIDsure provides a simple and secure methodology which, compared to tokens, requires very little user training and comes without the cost and overhead of issuing and administering additional hardware devices.


I am a private individual concerned about card fraud - how can I get to use GrIDsure right now?

We're talking to major banks and card companies, as well as authentication companies and solution providers across the world. Obviously new systems can't be introduced overnight, and these things take time. However we believe GrIDsure will soon be offered by these organisations as part of their efforts to combat fraud and protect customers.

If you think that GrIDsure would provide you with better security for your money than a standard PIN, then why not tell your bank or card issuer that you would prefer to use GrIDsure? Alternatively, keep your eye on our News section where we will keep you posted on the names of the banks and card issuers who can offer GrIDsure protection.


I am disabled, how can GrIDsure help me?

In developing GrIDsure we have been very conscious of the needs of disabled people.

One of the key features of the technology is that the PIN numbers that it generates are one-time, in other words you can safely tell someone a GrIDsure code knowing that they will not be able to use that same PIN again.

Using a Point of Sale scenario as an example, if you had difficulties with using a keypad you could pay for goods at a checkout with a credit card and rather than type a PIN in yourself you could read off your one-time GrIDsure code and ask a friend or carer to type them in for you.

In discussions with the Royal National Institute for Blind People we believe that with the aid of a text-to-speech device it would be possible for many blind people to select their one-time GrIDsure PIN from a set of numbers spoken to them.

In the UK alone there are about 500,000 people who are largely housebound. GrIDsure’s simple and secure process for authenticating web login or making web payments would offer greater security for this important sector of society.


What else can it be used for?

The possible uses for GrIDsure are endless, just think of all the places where you need to use a PIN or a password. We see GrIDsure being ideal for almost any area in which people have to prove their identity, or authorisation or consent. It's ideal obviously for things like secure web access for banking etc., extending into making credit/debit cards safer to use, e-commerce etc., - but also anywhere combination locks are used now (safes, premises, doors). Ultimately we envisage GrIDsure making Chip and PIN more secure wherever it's deployed. In fact we can imagine GrIDsure enabling "Chip and PIN over the web".

Is GrIDsure suitable for children to use?

In our market research we have worked closely with the education sector and are developing a number of solutions for schools including a Microsoft Windows login replacement using GrIDsure.

In a school environment where children are sharing computers and working in close proximity it is very easy for children to steal passwords and then use them maliciously to plagiarise homework, send hoax emails or to simply lock a user’s account by changing the password.

In our own trials conducted at a school we found that the students grasped the concept quickly and easily and many commented on how much more secure they felt in using GrIDsure compared to a standard password.

Children as young as 6 or 7 have found GrIDsure easy and ‘fun’ to use. Furthermore, since the GrIDsure secret or ‘PIP’ does not involve any disclosure of any personal information or biometric data, it gives parents the reassurance that their child’s personal ID is protected.

Compare this to the fears that many parents rightly have in children’s fingerprints being used to take out a school library book or to buy school lunch.

 
