GrIDsure Enterprise Login 4.0
Strengths: Shapes easier to remember than passwords, cuts keyloggers and shoulder surfers out of the loop, easy AD group policy management, better value than token-based systems
Weaknesses: Core suite installation is best left to the reseller
Verdict: An unusual and easily managed alternative to standard password or token-based security
Most IT support departments will agree that humans are just not very good at remembering passwords. Research has shown that we are all much better at remembering shapes, and it's this attribute that GrIDsure's Enterprise Login (GEL) uses to offer an interesting alternative to standard password-based security.
Instead of being required to enter an increasingly complex series of characters and numbers when they log in, users are presented with a grid of cells where they only need to remember a shape. They visualise where the shape is on the grid and simply enter the corresponding cell contents as their password.
GrIDsure calls it a Personal Identification Pattern (PIP). When users create one, they could, for example, use the shape of a letter of the alphabet. The only other thing they need to remember is the order in which they selected the cells when creating their PIP.
Each time it is presented to the user, the grid is populated with random numbers. Keyloggers are dealt with effectively as users enter a different sequence of numbers every time they log in.
GrIDsure also tackles the problem of shoulder surfing. To guess a user's PIP, you would need to see the numbers being entered, note their precise sequence and match them to the grid.
The minimum grid size is 5x5 cells, so each number will occur at least twice and some will appear three times. Consequently, the shoulder surfer would need to be very lucky to match the numbers to the correct cell positions.
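The challenge and response described above can be modelled in a few lines. This is an added example, not GrIDsure's code: the function names, the four-cell "L" pattern, and the even spread of digits 0-9 across the grid are assumptions made for illustration. It shows the same PIP producing different typed digits on each fresh grid, and counts how many cell sequences fit the digits typed at one login.

```python
import secrets
from math import prod

SIZE = 5                    # minimum grid size given in the review
PIP = [0, 5, 10, 11]        # constructed PIP: an "L" traced in row-major cell indexes

def make_grid(size=SIZE):
    """Return size*size digits 0-9, spread as evenly as possible, in random order."""
    cells = [i % 10 for i in range(size * size)]   # assumption: balanced digit fill
    secrets.SystemRandom().shuffle(cells)          # OS CSPRNG, not the default PRNG
    return cells

def response(grid, pip):
    """Digits found in the PIP cells, in the order the cells were enrolled."""
    return "".join(str(grid[c]) for c in pip)

def verify(grid, pip, entered):
    """Server-side check of the typed digits against this one challenge grid."""
    return secrets.compare_digest(response(grid, pip), entered)

def candidates(grid, entered):
    """Count the ordered cell sequences that give the same digits on this grid."""
    return prod(grid.count(int(d)) for d in entered)

def show(grid, size=SIZE):
    """Render the flat cell list as rows for display."""
    return "\n".join(" ".join(map(str, grid[r:r + size]))
                     for r in range(0, len(grid), size))

if __name__ == "__main__":
    for attempt in (1, 2):
        grid = make_grid()
        typed = response(grid, PIP)
        print(f"login {attempt}\n{show(grid)}")
        print(f"typed: {typed}  accepted: {verify(grid, PIP, typed)}  "
              f"cell sequences matching what was typed: {candidates(grid, typed)}\n")
```

With 25 cells and ten digits, every digit lands in two or three cells, so a four-digit entry is consistent with between 16 and 81 cell sequences on that grid.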
GEL installation is usually handled by a reseller, and we would recommend leaving it to them as we found it overly complex and not covered clearly in the documentation. Furthermore, the installation sequence must be followed precisely to avoid any problems later on.
User authentication is handled by an Authenticore server, and multiple instances can be distributed across the network where large numbers of users are involved. There is also a log server and a password filter; the latter is used to monitor all password change requests.
Workstations require the GEL agent to be installed, along with an optional logging component. GrIDsure also includes a terminal services agent as standard.
Integration with Active Directory is very good and we liked the fact that all management can be carried out from the Group Policy Management Editor. Consequently, the workstation agents can be installed easily using an AD group policy.
After installation, you will find the default domain policy has new entries for controlling GEL. These are used to create global policies that activate the PIP, determine the size of the grid and whether random password generation is required. You can also decide if users are allowed to enrol with GEL and can change their PIP or delete it. The Windows AD user creation wizard has an extra step for configuring all these functions, and existing AD users get a new GrIDsure tab in their properties.
It is natural for users to go for easily remembered shapes, but you can apply restrictions to these in your group policies.
Once the workstation components have been deployed, users can run the GrIDsure Logon System utility and enrol their chosen pattern. It presents a grid where you simply click on the cells you want to include in your PIP and register them. You can also allow specific users to select the grid login or use a standard username/password combination.
So far, we have looked at the standard LAN module, but GrIDsure offers an optional web access plug-in for IIS6 and IIS7. This allows you to present the GEL grid to users accessing web-based resources such as the Exchange OWA.
Compared with the main GEL suite, the plug-in is very easy to install and adds a new element to the IIS Manager interface. The grid properties are still controlled by group policies, but the plug-in allows you to customise the web page presented to users.
The cell size in pixels can be modified and you can pick any font for the interface. Security is much tighter for web access as the plug-in can place upper and lower case characters in the cells as well as numbers.
GrIDsure is working on providing this feature for the standard Windows login grid.
Another plug-in is available for integrating GEL with any RADIUS client. Workers logging in remotely using services such as VPNs can be presented with the GEL grid. Where workers take their laptops offsite, the GEL login data can be securely cached on their system.
As businesses tighten up their security, this is a unique alternative that could significantly cut the costs of password maintenance.