Cryptocard gobbles tasty, dead number puzzle startup

Umm...

... couldn't malware on the computer capture the image of the grid? I don't see how this is any more secure than the traditional onscreen keyboard - the only advantage it has is the pattern over a password. They talk about passwords being static - well, in this case, the pattern is static, you're just looking up an onscreen cypher when you enter it.

This is somewhat more secure than an onscreen keyboard because there is usually more than one pattern for a given passcode. You would probably have to observer several instances of the grid/passcode to gain the pattern. Still, it's only slightly more secure than a regular password.

What a joke.

This is not proper two-factor authentication. Having two things you know is not two-factor. The second factor needs to be something you own. (ie a token / mobile / etc)

Give them a bit of credit

I happen to be a fan of this product - in a theoretical sense its clearly not as strong as a full 2FA solution, however in practical usage for a regular business person there are other factors to keep in mind (for example its not that uncommon for some business people to write down thier pin on a post it note along side their RSA token).

In theory (using specially crafted grids) it is possible to capture a pattern after two observations, in most normal circumstances you'd be looking at probably 3-4 observations.

There is also the point that you don't *have* to deploy the grid on the login screen, it can be deployed as a seperate soft token (phone or laptop app) under these circumstances it becomes full 2FA - but you increase user inconvienance. In reality the chances are that anyone presenting the grid on screen is likely to be replacing just a regular password in which case it is cleary an improvement. This also has the massive benefit that you can soft deploy a token to a user who is nowhere near an office and may have lost their phone (think DR situations here).

So yes it has practical faults - they all do. But as an general theoretical approach it has a lot of legs and for many users may well be more secure in practice against the threats that they are likely to encounter.

Fantastic buy

Congrats to CryptoCard. They have picked up a great technology.

To clear up a few issues that others have mentioned...

1. Capturing the Grid reveals the passcode - not in one hit - it is stronger than passwords as you would need to collect multiple instances of the Grid and response. Plus you have to be screen scraping in addition to key logging, which starts to leave a bigger footprint and again is harder to achieve. Entirely possible for the more determined though, so you have to think about what you are protecting and if the risk has been covered by the solution. However, as others have already mentioned, a step up from passwords, and think about what we are using them to protect!

2. Not a 2 factor solution - TRUE when presented on the same device as passcode entry - BUT, think what happens when you take the Grid and put it on another device (such as mobile phone)? You are getting a 2 factor token/Grid that doesnt reveal the code of the "something you have" in the same way as a token does. So it becomes a stronger 2 factor method than normal tokens. Please notice I havent called it a stronger solution, as there are risks when transferring seed tokens to other devices, as opposed to hardware tokens, where you do not have to worry about it to the same extent, and they have to be considered/mitigated against. So, in terms of method, grid on the screen is 1.5 factor (stronger than password, weaker than typical 2FA token). Grid on seperate device possibly 2.5 factor (stronger than token). Clunky way of showing it but seems to work considering we are stedfast in 1FA, 2FA and 3FA terminology.

3. Four digit passcodes - if 4 digits (10^4) isnt strong enough for what you are protecting, make it longer. Make it 6 and have 10^6. If you want, make it longer. Those odds make it more likely to win the lottery, when combined with a security policy that locks the user account after multiple failed auth requests. Security always has a building block approach for the different attack vectors, of which authentication is only one block :)

And above all this, patterns tend to be easier to remember. I used Gridsure at the beginning of the year for personal laptop access, and I still remember my pattern! Definitely a method to consider when looking at a secure authentication policy, as it is so flexible in how it could be implemented and used, you wouldnt need multiple auth methods in the same environment.