A good friend of mine and Cambridgeshire entrepreneur, Jonathan Craymer, has invented an ultra-secure replacement for all passwords and PINs. Like all really good ideas it is simple, persuasive and full of new and exciting possibilities.
When Jonathan showed me how this new pin+ technology worked at the end of last year – I immediately saw a real opportunity for its use in the postal community. It would be a superb tool for the secure authentication of people using the new range of electronic postal services and possibly even .post itself. It could be used for both over-the-counter and on-line services.
pin+ is one of those simple ideas which makes you wonder why no-one thought of it before. But then isn’t that so often the way? Instead of a fixed code the user just remembers a brain-friendly pattern on a little matrix of squares, which fills with random numbers each time – so just by reading the numbers in his/her squares, the user gets a different code every time. (Think about it – many of us already use patterns, perhaps without realising it, on phone key-pads, ATMs etc.)
Shoulder-surfing and key-logging are no longer a threat, since the matrix is never touched with the mouse-pointer or your finger, and each number is repeated several times. There are 2.1bn pattern possibilities even on the matrix shown. So the cryptographic strength or ‘entropy’ is extremely high, meaning that in theory a customer could use the same pattern to protect multiple applications.
In the example above, the one-time login code is 542512 – but the next time the user is asked to authenticate, the numbers in the matrix will have randomised, giving another OTC, and so on. The company behind it, PinPlus Ltd (www.pinplus.net) says it’s the equivalent of carrying a key-fob token, only far more convenient, and something which at negligible cost could be rolled out to millions of users.
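To make the mechanism concrete, here is a small simulation of the challenge/response described above. It is an added example written for this post, not PinPlus code: the 6x6 grid, the L-shaped pattern and the digit range 0-9 are all constructed assumptions, chosen so that the pattern reads out the post's example code 542512.

```python
import secrets
from typing import Dict, List, Sequence, Tuple

Cell = Tuple[int, int]          # (row, column) on the matrix
Grid = List[List[int]]


def new_challenge(rows: int, cols: int) -> Grid:
    """Server side: fill every cell with a fresh random digit for this attempt only."""
    return [[secrets.randbelow(10) for _ in range(cols)] for _ in range(rows)]


def read_code(grid: Grid, pattern: Sequence[Cell]) -> str:
    """User side: read the digits sitting in the remembered cells, in pattern order."""
    return "".join(str(grid[r][c]) for r, c in pattern)


def verify(grid: Grid, pattern: Sequence[Cell], submitted: str) -> bool:
    """Server side: recompute the expected one-time code from the stored pattern and
    the grid that was issued, and compare in constant time. The issued grid must be
    discarded after one attempt, so a code that was observed cannot be replayed."""
    expected = read_code(grid, pattern)
    return len(expected) == len(submitted) and secrets.compare_digest(expected, submitted)


def digit_counts(grid: Grid) -> Dict[int, int]:
    """How many cells carry each digit. With more cells than digits every digit
    appears several times, which is why one observed code does not identify cells."""
    counts = {d: 0 for d in range(10)}
    for row in grid:
        for d in row:
            counts[d] += 1
    return counts


def pattern_space(cells: int, length: int) -> int:
    """Ordered patterns of `length` cells on a `cells`-cell matrix, assuming a cell
    may be reused within a pattern (assumption; the post states no pattern rules)."""
    return cells ** length


# Constructed 6x6 demonstration grid (an assumption, not the matrix from the post).
DEMO_GRID: Grid = [
    [5, 2, 8, 1, 4, 9],
    [4, 7, 2, 6, 5, 1],
    [2, 3, 5, 0, 1, 8],
    [5, 1, 2, 9, 7, 3],
    [6, 8, 1, 5, 2, 0],
    [3, 0, 7, 9, 6, 4],
]
# Constructed user pattern: down the left column, then along the fourth row (an L).
DEMO_PATTERN: List[Cell] = [(0, 0), (1, 0), (2, 0), (3, 0), (3, 1), (3, 2)]
```

Calling `read_code(DEMO_GRID, DEMO_PATTERN)` yields "542512"; a second call to `new_challenge(6, 6)` gives a different grid and therefore, with overwhelming probability, a different code for the same pattern.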
But there’s more – the team behind pin+ believes it’s ‘cracked’ the problem of hackers stealing password files, with a clever back-end which splits up the stored patterns, making stealing entry secrets (something which greatly embarrassed LinkedIn and eHarmony recently) virtually impossible.
Not surprisingly they’re getting interest from everyone from Government security agencies to financial services. In my opinion it could be ideal for those using post office branches for financial and other transactions where strong authentication is needed, but without the high cost and inconvenience of customers having to carry additional hardware. pin+ can be presented to customers in browsers on in-store kiosks or on their own PCs or devices, which massively raises the bar over fixed codes. Or, if regulations insist, it can be used in phone/device apps for more traditional ‘two-factor’ authentication.
Customers could authenticate themselves in branches, or even on delivery drivers’ devices at the door, and it would also work with NFC apps on phones.
Thought-provoking or what?