
eSecure Solutions’ Fraser Thomas discusses how the business-critical function of secure user-identification can create a competitive advantage for organisations.
The ability to provide access to systems, services, and confidential and personal information is business critical. To compete in today’s multi-tasking environment it is a requirement to provide secure access for competitive advantage. While technological advances have been made to frustrate hackers from accessing enterprise systems, until now little progress has been made on the weakest link in many secure access systems – the user authentication processes. Historically, this creates a trail of weak spots, rising costs, hassle for users and an administrative nightmare, which has been at best a penetrable hole to core systems.
With Swivel’s award-winning PINsafe solution the ability to take advantage of the freedom endowed when secure authentication works simply and effectively isn’t an unobtainable dream, but a reality. Reliable and resilient, PINsafe is effectual and cost effective. Simple in its execution from deployment to end-user engagement, PINsafe showcases that it doesn’t have to be complicated to be successful.
PINsafe offers a wide range of authentication models. The use of the patented one-time code extraction protocol means that PINsafe can offer both single and multi-channel and single and multi-factor authentication solutions where:
• The user only ever needs to remember a simple 4-digit PIN
• The PIN number is never entered
• The OTC changes with each authentication
• Different interfaces can be added as requirements change
It provides a full range of user interface options as standard, all of which are included within the basic license cost. These can be assigned to each user in line with corporate policies and access requirements. Simple to integrate into any environment, PINsafe can be deployed as software only or as an appliance and is fully compatible with Windows- and Linux-based operating systems. Secure, simple two-factor authentication providing freedom from a token made easy by the experts at Swivel.
The principles
PINsafe is a multi-factor authentication system. The core of the solution is the Swivel one-time code (OTC) extraction protocol, whereby a user is sent a security string and then combines this security string with their PIN to derive a one-time code. They then use this one-time code to authenticate themselves.
The strength of this system is that the user needs both the security string and their PIN in order to authenticate. The one-time code extraction protocol is simple to use: the PIN determines which characters of the security string are used for the one-time code, and in which order. PINs can be from four digits to 10 digits long. Security strings can be letters, numbers or a mixture of both.
For instance, you are issued 2-4-6-8 as your PIN and during a login attempt the system generates the following security string: 5-1-7-3-9-2-0-6-4-8. Your PIN, 2-4-6-8, denotes the positions of the numbers that comprise the one-time code: second, fourth, sixth and eighth. By taking the numbers that correspond to these positions, you extract the valid code for that login session from the security string: 1-3-2-6. This approach gives the following advantages:
• The one-time code that the user enters is different for every authentication which provides defence against key-logging attacks, and many simple man-in-the-middle and phishing attacks.
• The user never enters their PIN to authenticate, again providing defence against the attacks listed above.
• As authentication requires two elements, the security string can be sent via a different channel to the authentication request, providing defence against man-in-the-middle attacks.
• The delivery of the security string can be tied to a specific device, such as a mobile phone, providing a two-factor authentication solution.
The beauty of this basic model is that it can be implemented in a number of ways to give different user experiences and different strengths of authentication. For example, the security string can be displayed as an obfuscated (TURing) image on a VPN logon page or delivered via a text message to a user's mobile phone.
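The extraction step and the matching server-side check described above, as an added Python example that is not Swivel's code. It assumes a 10-character digit security string like the one in the sample, that PIN digit 0 selects the tenth position (the article does not say), and a hypothetical `Authenticator` class with an in-memory PIN store.

```python
import hmac
import secrets


def extract_otc(pin: str, security_string: str) -> str:
    """Derive the one-time code: each PIN digit selects a 1-based position."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 10):
        raise ValueError("PIN must be 4 to 10 digits")
    if len(security_string) != 10:
        raise ValueError("this sketch expects a 10-character security string")
    # Assumption: digit 0 selects position 10 (not stated in the article).
    return "".join(security_string[(int(d) - 1) % 10] for d in pin)


class Authenticator:
    """Hypothetical server side: one security string per login attempt."""

    def __init__(self, pins):
        self._pins = dict(pins)   # user -> PIN (constructed sample store)
        self._pending = {}        # user -> outstanding security string

    def issue(self, user: str) -> str:
        # Fresh random permutation of 0-9, so the OTC differs on every login.
        digits = list("0123456789")
        secrets.SystemRandom().shuffle(digits)
        self._pending[user] = "".join(digits)
        return self._pending[user]

    def verify(self, user: str, otc: str) -> bool:
        # pop() makes the security string single-use, whether or not the
        # attempt succeeds, so a captured OTC cannot be replayed.
        challenge = self._pending.pop(user, None)
        if challenge is None or user not in self._pins:
            return False
        expected = extract_otc(self._pins[user], challenge)
        # Constant-time comparison; bytes avoid errors on non-ASCII input.
        return hmac.compare_digest(expected.encode(), otc.encode())
```

The PIN itself never crosses the wire in `verify`; only the derived code does, and it is valid for a single security string.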
Fraser Thomas, Director of Business Development, Swivel Secure
Fraser has worked in systems development for almost 30 years on four continents, including 17 years in the United States as Head of Retail Banking Systems at both Continental Bank in Chicago and Key Bank in Cleveland. He holds a Mathematics degree from the University of the West of England, and an MBA from Case Western Reserve University in Cleveland, Ohio.