The ‘originator’ of matrix-pattern authentication in the UK and Europe and founder of pin+ tells SC Magazine about his vision of one-time codes for all and why the future of personal authentication definitely won't include hardware – and possibly not even phones.
He makes a virtue of not having been brought up in the authentication industry. But then Jonathan Craymer argues that the industry may well benefit from a fresh pair of eyes.
Just six years ago you would have found him bashing out press releases for one of his PR customers, or writing up interviews for national newspapers – and magazines such as Woman's Own and Auto Express. His journalistic career lasted some 30-plus years, during which time he also presented and produced shows for local radio stations.
However, an inventive streak, previously largely ignored, led in 2005 to the creation of a PIN-reminder device. “It was called the Craymer Grid and, after being featured on Radio 2 one afternoon, it sold like hot cakes to people concerned about coping with the newly introduced Chip & PIN,” he recalls. “I still get letters asking if it's still available – it is also great for storing things like passwords – but unfortunately it's no longer on the market.”
Craymer adds: “Two things came out of that. One was a personal realisation of how important it is to help Joe Public with authentication – most people really do hate passwords; the other was contained in the instructions I had penned for the device, which told users to hide their PINs in a pattern on a grid. Having in effect come up with the idea behind matrix or grid-pattern authentication, my first thought was to create a version of the PIN device for PDAs or smartphones, so I hired Stephen Howes as a jobbing techie. I still have the bill for the work he did for me.
“Realising that here was a system capable of creating new PINs or pass-codes every time, but not knowing how much programming might be needed to take it to market, I suggested to Howes that we went into business on a 50-50 basis. That was the start of GrIDsure. Without raking over what happened over the next few years, I left GrIDsure in 2009 and started over.”
He continues: “Pin+ is a joint creation of my new company, PinPlus Ltd, and Winfrasoft Corporation, using a state-of-the-art algorithm. We've effectively produced an extremely strong un-cased token that works in virtually any scenario, on any device and, importantly, via any web browser, without the need for anything to be installed. A true anytime, anywhere login experience.
“The algorithm creates strings of 36 (or 100) characters consistently and securely, with iPhone-generation looks. We were aiming to give end-users the equivalent of a token, which would be more convenient and require less management, for the price of a cup of coffee per year.
“Under the hood, the algorithm is extremely sophisticated. Built on OATH and FIPS cryptographic standards, it thwarts keyloggers, screen-scrapers, shoulder surfing and brute-force and replay attacks, while its patent-pending formula makes pattern reversal very difficult for 1.5-factor authentication.
“From the user's point of view, the fact that both the pin+ Core (1.5-factor) and Pro (2-factor) products work the same way is a real plus, and we believe our user-friendly and recognisable graphics make the system easy to use and build trust. We also decided to go for per-user annual pricing, instead of charging per token, as this is simpler for customers.”
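To make the grid-pattern mechanism Craymer describes concrete (a secret pattern of cells, a fresh grid per login, the code read off the grid, replay rejected server-side), here is an added toy implementation. It is my own illustration, not pin+'s or GrIDsure's algorithm: the `GridAuthServer` class, its method names and the sample grids are all hypothetical and constructed for the example.

```python
import hmac
import secrets
from typing import Dict, List, Optional

GRID_CELLS = 36  # 6x6 grid of single digits, the 36-character variant the article mentions

def new_grid(cells: int = GRID_CELLS) -> str:
    """Server side: a fresh random digit per cell, issued for one login attempt only."""
    return "".join(str(secrets.randbelow(10)) for _ in range(cells))

def code_for(grid: str, pattern: List[int]) -> str:
    """Client side: the one-time code is the digits sitting at the user's secret cell
    positions, read in the memorised order. The pattern itself is never transmitted."""
    return "".join(grid[cell] for cell in pattern)

class GridAuthServer:
    """Hypothetical minimal verifier: one enrolled pattern and at most one live grid per user."""

    def __init__(self) -> None:
        self.patterns: Dict[str, List[int]] = {}
        self.live_grid: Dict[str, str] = {}

    def enrol(self, user: str, pattern: List[int]) -> None:
        if not all(0 <= c < GRID_CELLS for c in pattern):
            raise ValueError("pattern cell out of range")
        self.patterns[user] = pattern

    def challenge(self, user: str, grid: Optional[str] = None) -> str:
        """Issue a grid; passing one in is only for deterministic tests with constructed grids."""
        self.live_grid[user] = grid or new_grid()
        return self.live_grid[user]

    def verify(self, user: str, submitted: str) -> bool:
        """Consume the live grid whether or not the code matches, so a code captured once
        (keylogger, shoulder surfer) cannot be replayed against the same grid."""
        grid = self.live_grid.pop(user, None)
        if grid is None or user not in self.patterns:
            return False
        return hmac.compare_digest(code_for(grid, self.patterns[user]), submitted)

def candidates_per_position(grid: str, code: str) -> List[int]:
    """Risk measure for the 'pattern reversal' concern: how many cells each code digit could
    have come from. With 36 cells and ten digits one observation leaves about 3-4 per
    position, which is why grid freshness and attempt limits carry the scheme's strength."""
    return [grid.count(d) for d in code]

# Constructed sample grids (not real pin+ output) so the flow is deterministic in tests.
GRID_A = "0123456789" * 3 + "012345"
GRID_B = "9876543210" * 3 + "987654"
```

With `GRID_A` and pattern `[0, 7, 14, 21]` the code is `0741`; a second login against `GRID_B` yields `9258`, and the first code no longer verifies.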
Customers building pin+ Technology into smaller schemes or products can license it for an annual charge of £1.50 per user (up to 5,000) for the Core version, or £2.50 for the Pro.
Pin+ was launched at InfoSec 2011 in April, showing off both pin+ Technology (basically the licensable IPR) and Winfrasoft's AuthCentral, an off-the-shelf product that can be integrated with Core and Pro. Pro works via installed apps on PCs, laptops and smartphones; they can be downloaded, along with the ‘Software Development Kit’, from www.winfrasoft.com/pinplus. Pin+ is also now RADIUS compatible, and can be integrated with most industry-standard systems.
Early adopters have included the South London NHS Trust, South African law firm Webber Wentzel, and a wealth management company in the City.
Interestingly, the health trust needed to expand the numbers for secure login, and used pin+ as the authentication element for those not entitled to receive NHS smartcards. Behind the scenes, the combined pin+ and smartcard system is powered by Microsoft's Universal Access Gateway and Winfrasoft technology.
Sowing the seeds
The two companies behind pin+ have made clear their intention of getting the technology ‘out there’, and are even prepared to lose licence revenue in order to seed the market.
“The traditional model in the authentication industry is to think small and not let anything go out the door until it's paid for,” says Craymer. “In sharp contrast to this, our first move was to tell the charity/third sector that it could use pin+ Technology free of charge in both Core and Pro form. We're currently in discussion with a number of charity heads of IT. We are also offering pin+ Core free to online games players. We'd love to see 100 million PlayStation users enjoying increased security, for instance.
“A revolutionary part of our business model is to sell Pro licences to non-profit organisations in the local and national government, health and education sectors, and then give pin+ Core licences to their end-users. The proposition to local authorities is quite groundbreaking. For the same money they may be spending on tokens for just ten per cent of their workforce, they'll be able to use Pro for all staff, contractors etc, and Core logins for all citizens.”
Craymer is evidently enjoying his role of future-scoper. “As a journalist, I was probably heading towards becoming an analyst anyway, and this ability to see the bigger picture has proved extremely useful in drawing up the plans for pin+ with a number of prospective partners,” he says. “Here's an example. So-called SMS soft tokens have become something of a flavour of the month, as have phone-based ‘out-of-band’ authentication systems. We're talking to a number of those vendors because clearly there are potential security flaws if criminals get hold of users' phones or divert calls, as unfortunately the one-time codes are often displayed in an obvious form, so hackers can read them.
“We can also foresee situations in certain security-conscious industries where no additional devices, such as phones, will be allowed into the workplace. Users will still be required to generate secure one-time codes, but via their desktop PCs or secure intranet portals. The paperless society never happened, but we foresee the tokenless society arriving quite soon, and we believe we can contribute a great deal to that revolution.”