PINsafe multi-factor authentication system

PINsafe is a multi-factor authentication system. The core of the solution is the Swivel one-time code (OTC) extraction protocol: the user is sent a security string and combines it with their PIN to derive a one-time code, which they then use to authenticate themselves.

The strength of this system is that the user needs both the security string and their PIN in order to authenticate. The one-time code extraction protocol is simple to use: the PIN determines which characters of the security string are used for the one-time code, and in which order.

The example above shows how a PIN of 2468 is combined with the security string to create the one-time code 1326. PINs can be from 4 digits to 10 digits long. Security strings can be letters, numbers or a mixture of both.
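The extraction and verification steps described above, as an added sketch (not Swivel's code). The sample security string is constructed so that PIN 2468 yields 1326; the 10-character string length, the mapping of PIN digit 0 to position 10, and the `Verifier` class are assumptions of this example.

```python
import hmac
import secrets

STRING_LEN = 10  # assumption: one position per possible PIN digit

def new_security_string(alphabet="0123456789"):
    """Server side: fresh random security string for one authentication."""
    return "".join(secrets.choice(alphabet) for _ in range(STRING_LEN))

def extract_otc(pin, security_string):
    """User side: each PIN digit selects a 1-based position in the string.
    Assumption: digit 0 selects position 10."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 10):
        raise ValueError("PIN must be 4 to 10 digits")
    if len(security_string) != STRING_LEN:
        raise ValueError("unexpected security string length")
    return "".join(security_string[(int(d) - 1) % STRING_LEN] for d in pin)

class Verifier:
    """Server side (hypothetical): the PIN and one outstanding string per user."""
    def __init__(self, pins):
        self._pins = dict(pins)   # demo store only
        self._pending = {}

    def issue(self, user):
        s = new_security_string()
        self._pending[user] = s   # replaces any earlier unused string
        return s

    def check(self, user, otc):
        s = self._pending.pop(user, None)  # single use: consumed on any attempt
        if s is None or user not in self._pins:
            return False
        expected = extract_otc(self._pins[user], s)
        return hmac.compare_digest(expected.encode(), otc.encode())

SAMPLE_STRING = "5173920648"  # constructed sample, not taken from the page

if __name__ == "__main__":
    print(extract_otc("2468", SAMPLE_STRING))    # the PIN itself is never sent
    v = Verifier({"alice": "2468"})
    challenge = v.issue("alice")
    code = extract_otc("2468", challenge)
    print(v.check("alice", code), v.check("alice", code))  # replay is rejected
```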

This approach gives the following advantages:

  • The one-time code that the user enters is different for every authentication, which provides defence against key-logging attacks and many simple man-in-the-middle and phishing attacks.
  • The user never enters their PIN to authenticate, again providing defence against the attacks listed above.
  • As authentication requires two elements, the security string can be sent via a different channel to the authentication request, providing defence against man-in-the-middle attacks.
  • The delivery of the security string can be tied to a specific device, e.g. a mobile phone, providing a two-factor authentication solution.

The beauty of this basic model is that it can be implemented in a number of ways to give different user experiences and different strengths of authentication. For example, the security string can be displayed as an obfuscated (TURing) image on a VPN logon page or delivered via a text message to a user's mobile phone.

© Copyright Icomm Technologies Limited. All rights reserved.