SC Magazine Europe 2013 Awards in the category of "Best Secure Transaction Solution"

PINgrid

Replace PINs, Passwords and plastic key-ring tokens with PINgrid - the simple, memorable, secure authentication solution.

Unlike password based systems, PINgrid is able to ensure that secret information is kept in your head and can't be compromised. The result is a highly secure yet simple-to-use authentication and transaction verification system which removes the need for users to carry dedicated hardware tokens or remember multiple passwords or PINs.

Winfrasoft PINgrid is an authentication and transaction verification system which uses pattern recognition in a grid to produce a One Time Code - Grid Pattern Authentication. All the user needs to remember is a pattern of squares on a grid instead of a PIN or password, which is much easier to do as most people are visually orientated.

When a user needs to log on they are presented with a challenge grid containing seemingly random numbers. They then mentally overlay their pattern onto the grid and type the numbers inside each corresponding square to produce a code. Each time they log on the numbers are different, which creates a new One Time Code even though the pattern stays the same. The fusing of a challenge grid (something you have) with a pattern (something you know) to produce a One Time Code is a one-way process which can't be reversed into its separate elements.

A key part of PINgrid security is that the pattern is not revealed during a logon, as it stays in the user's head. This is in contrast to traditional Two Factor Authentication, where typically a four-digit PIN is typed in during every logon and, worse still, is usually never changed!

PINgrid is available as 1.5 and 2 Factor Authentication options. 2FA requires the grid to be displayed on a separate device such as a smartphone, tablet or desktop whereas with 1.5FA the grid can be displayed on the same device as the logon prompt. For further information on 1.5 vs. 2 Factor Authentication see the AuthCentral page.

Under the hood PINgrid is based on OATH technology and relies on a common seed and time sync to function. The difference lies at the end of the OATH process: OATH uses just the first 6 to 8 digits of the hash function output, whereas PINgrid uses all of the hash data to fill a grid of numbers.

Using PINgrid is an easy 3 step process which people get to grips with very quickly. The following example walks through the process...

(1) PINgrid typically uses a 6x6 grid (also available as 8x8) in which a user memorises a chosen pattern and sequence of squares, e.g.:

[Figure: User Pattern]

(2) When the user needs to log on they are presented with a challenge grid containing seemingly random numbers, e.g.:

[Figure: Challenge Grid]

(3) Overlaying their pattern in their mind produces a One Time Code, in this instance: 1 0 1 5 0 2

Now try it yourself on the PINgrid Internet Banking demo site https://www.winfrasoftbank.com/.

Safety In Numbers

The numbers in the grid may appear to be random; however, a patent-pending routine ensures that the grid is filled with a specific range of numbers which are repeated an equal number of times. This helps to protect the pattern while allowing for a large variety of possible codes. The result is that a 6x6 grid will always have 6 unique digits (0 to 5) each repeated 6 times, whereas an 8x8 grid will always have 8 unique digits (0 to 7) each repeated 8 times. When using the minimum pattern length of 6 squares (the OATH minimum) on a 6x6 grid there are 2.1 billion possible patterns to choose from, whereas an 8x8 grid produces a staggering 68.7 billion!
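The mechanism described under the hood and in this section, as an added sketch that is not Winfrasoft's code: a shared seed and time step produce a balanced grid, the pattern reads off the code, and the verifier accepts each code once. The fill routine (an HMAC-SHA256 keyed shuffle), the 30-second step, the sample seed and pattern, and the verifier holding the pattern are all assumptions; the quoted pattern counts correspond to 36^6 and 64^6.

```python
import hashlib
import hmac
import struct

def pattern_space(size: int, length: int = 6) -> int:
    """Ordered patterns of `length` squares on a size x size grid (squares may repeat)."""
    return (size * size) ** length

def challenge_grid(seed: bytes, unix_time: int, size: int = 6, step: int = 30) -> list[int]:
    """Balanced grid: every digit 0..size-1 appears exactly `size` times."""
    counter = struct.pack(">Q", unix_time // step)  # time counter, as in OATH TOTP
    cells = [d for d in range(size) for _ in range(size)]
    # ASSUMED fill routine (not the vendor's): Fisher-Yates shuffle keyed by HMAC.
    for i in range(len(cells) - 1, 0, -1):
        mac = hmac.new(seed, counter + struct.pack(">H", i), hashlib.sha256).digest()
        j = int.from_bytes(mac, "big") % (i + 1)  # 256-bit draw, negligible modulo bias
        cells[i], cells[j] = cells[j], cells[i]
    return cells

def one_time_code(grid: list[int], pattern: list[int]) -> str:
    """Read the digits under the pattern's cell indexes, in the memorised order."""
    return "".join(str(grid[i]) for i in pattern)

class Verifier:
    """Server side: rebuild the grid from the shared seed; accept a code only once."""

    def __init__(self, seed: bytes, pattern: list[int], size: int = 6, step: int = 30):
        self.seed, self.pattern, self.size, self.step = seed, pattern, size, step
        self.last_counter = -1  # highest time step that already authenticated

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        if counter <= self.last_counter:
            return False  # this time step was already used: treat as replay
        grid = challenge_grid(self.seed, unix_time, self.size, self.step)
        expected = one_time_code(grid, self.pattern)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        self.last_counter = counter
        return True

# Constructed sample values, for illustration only.
SEED = b"constructed-demo-seed"
PATTERN = [0, 7, 14, 21, 28, 35]  # main diagonal of a 6x6 grid, row-major indexes

if __name__ == "__main__":
    now = 1_700_000_000
    grid = challenge_grid(SEED, now)
    print(grid, one_time_code(grid, PATTERN), pattern_space(6), pattern_space(8))
```

Rejecting every later attempt in an already-used time step is what makes a captured code worthless inside its own validity window, at the cost of one successful logon per step.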

In addition to all the great AuthCentral features, PINgrid also includes:

  • Extra layer of security above traditional tokens as the OTC can only be found if you know the pattern and have visibility of the grid at the same time.
  • Mitigates the threat of key-logging, screen scraping and shoulder surfing attacks as the pattern is not revealed during a logon, thus keeping the something you know a secret.
  • Built in transaction verification / transaction signing functionality to prevent man-in-the-middle and man-in-the-browser attacks.
  • All valid passcodes entered can be used only once, even if the authentication attempt occurs within the same time period from the same device, i.e. true OTC.
  • Soft Token and SMS text message support.
  • Pre-Send or Real-Time tokens for complete flexibility.
  • Additional security can be provided by means of a PIN which can be entered before, after or even in the middle of the OTC.
  • No additional hardware cost or physical token logistics to deal with.
  • Deployable as 1.5 and 2 Factor Authentication.

AuthCentral and PINgrid have been designed and engineered to suit many scenarios and industry verticals. As such, they compete very well in head-to-head comparisons of the key feature sets which are most relevant to customers.

| Feature | PINgrid | RSA | Vasco | SafeNet | Phone Factor | Swivel | Secur Envoy |
|---|---|---|---|---|---|---|---|
| 2 Factor Authentication | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| 1.5 Factor Authentication | Yes | No | No | No | No | Yes | No |
| Transaction Validation / Signing | Yes | Yes* | Yes* | Yes* | No | No | No |
| "secret" safe from key loggers | Yes | No | No | No | No | No | No |
| Can use AD as database | Yes | No | Yes** | Yes** | No | No | Yes |
| Anytime seed re-generation | Yes | No | No | Yes | No | No | Yes |
| Vendor does NOT store seeds | Yes | No | No | Yes | No | Yes | Yes |
| FIPS crypto (140-2, 180-3, 198a) | Yes | No | No | No | No | No | No |
| OATH Member | Yes | No | Yes | Yes | No | No | Yes |
| SMS/Text Tokens | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Soft Tokens | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

* requires specific advanced token type
** requires AD schema extensions

PINgrid is second to none when it comes to platform coverage for soft tokens, making PINgrid truly universal.

| Supported Soft Token Platforms | PINgrid | RSA | Vasco | SafeNet | Phone Factor | Swivel | Secur Envoy |
|---|---|---|---|---|---|---|---|
| Android | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Apple iOS | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| BlackBerry 7 & 10 | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Nokia Symbian | Yes | Yes | No | No | No | No | No |
| Apple Mac OS X | Yes* | Yes | No | Yes | No | No | No |
| Windows Phone | Yes | Yes | No | Yes | Yes | Yes | Yes |
| Windows XP and higher | Yes | Yes | Yes | Yes | No | No | Yes |
| Windows 8 "Modern UI" / RT | Yes | No | No | No | No | No | No |

* in beta.

Data compiled based on public information research Nov-Dec 2012. Please report any errors to info@winfraosft.com.
