Grid Data Security introduces really cool 1.5 factor authentication for Citrix

Written on Oct 23 2007


by Brian Madden

While walking around the exhibit hall at Citrix iForum The App Expo 07 tonight, I met some folks from a company called Grid Data Security. They have a one-time password solution for Citrix Web Interface which is possibly the coolest OTP solution I've ever seen.

After you enter your username into Web Interface, a grid comes on the screen that lists all of the characters on the keyboard, each surrounded by four numbers. Then the user types in the number for each character instead of the actual character. So far, so good... nothing special.

The big difference from other solutions is that when a user enrolls in Grid, they select which number location they want to use: upper-right corner, lower-left corner, etc. The number location that a user chooses is known only to them (and the system). Then, when the user enters their password, they type the number in their chosen location next to each character of their password. So for example, if my password is "Password," and if I selected "lower left" when I enrolled, I would enter the GridCode of 23662656.

What's crazy about this is that you don't have to worry about anyone looking over your shoulder. (Or "shoulder surfing," as the Grid guys called it.) Can you really reverse-engineer 23662656 back to a word? Even someone who took a screenshot of the grid would have to try to map the GridCode back to a real word. To make that harder still, when the user enrolls, they can also choose to add a secret value to each number on the screen. For example, a user could select "lower right" when they enroll, and +2 for the value. So when the user types in their GridCode, they'd type in 45884878 instead of 23662656. Of course, an attacker would not know whether the user was secretly adding some value to the numbers or not.

Perhaps it goes without saying that the actual numbers that show up on the screen are random, so each time you refresh the screen, a new set of numbers shows up in all the corners of the character squares.
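To make the mechanism concrete, here is an added Python model of the scheme as the article describes it (my own illustration, not code from Grid Data Security). It generates a fresh grid of four digits per character, computes the GridCode for an enrolled corner and secret offset, reproduces the article's 23662656 / 45884878 numbers, and shows why a captured code is useless against the next login's grid. The class and function names are mine; that the offset wraps at 10, and that the server discards each grid after a single verification, are assumptions, since the article only shows a +2 example with no carry.

```python
import hmac
import random
import string

# Characters shown on the grid; each one gets four digits, one per corner.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CORNERS = ("upper_left", "upper_right", "lower_left", "lower_right")


def new_grid(rng=None):
    """Build one fresh challenge grid: character -> {corner: digit}.

    Every digit is drawn independently, so a character may show the same digit
    in two corners; only the user's secret corner matters for verification.
    A seeded random.Random may be passed for reproducible demos/tests.
    """
    rng = rng or random.SystemRandom()
    return {ch: {c: rng.randrange(10) for c in CORNERS} for ch in ALPHABET}


def grid_code(grid, password, corner, offset=0):
    """Expected GridCode: the digit in the enrolled corner of each password
    character, plus the enrolled secret offset.  Wrapping modulo 10 is an
    assumption; the article's +2 example never reaches a carry."""
    return "".join(str((grid[ch][corner] + offset) % 10) for ch in password)


class GridAuthenticator:
    """Minimal server side (hypothetical): stores enrollments, issues one grid
    per login attempt, and accepts a GridCode only against that grid."""

    def __init__(self, rng=None):
        self._rng = rng
        self._users = {}        # username -> (password, corner, offset)
        self._challenges = {}   # username -> outstanding grid (consumed on use)

    def enroll(self, username, password, corner, offset=0):
        if corner not in CORNERS:
            raise ValueError("unknown corner")
        self._users[username] = (password, corner, offset % 10)

    def challenge(self, username):
        """Step 1 of login: the user typed a username, show them a grid."""
        grid = new_grid(self._rng)
        self._challenges[username] = grid
        return grid

    def verify(self, username, submitted):
        """Step 2: compare the typed digits with the code this grid implies.
        The grid is discarded whether or not the attempt succeeds, so a code
        captured by a key logger is worthless against the next login."""
        grid = self._challenges.pop(username, None)
        if grid is None or username not in self._users:
            return False
        if not (submitted.isascii() and submitted.isdigit()):
            return False
        password, corner, offset = self._users[username]
        expected = grid_code(grid, password, corner, offset)
        return hmac.compare_digest(expected, submitted)


def force_digits(grid, corner, text, digits):
    """Demo helper: make `corner` of each character in `text` show the given
    digits, so the article's worked numbers can be reproduced exactly."""
    for ch, d in zip(text, digits):
        grid[ch][corner] = int(d)
    return grid


def demo():
    """Replays the article's example, then shows the one-time property."""
    auth = GridAuthenticator(rng=random.Random(2007))   # seeded only for the demo
    auth.enroll("brian", "Password", "lower_left")
    # The grid object is shared with the authenticator, so forcing digits on
    # it also changes what verify() will expect (constructed sample values).
    grid = force_digits(auth.challenge("brian"), "lower_left", "Password", "23662656")
    first = grid_code(grid, "Password", "lower_left")            # "23662656"
    with_offset = grid_code(grid, "Password", "lower_left", 2)   # "45884878"
    accepted = auth.verify("brian", first)
    # A shoulder surfer who replays the same digits faces a new grid and fails.
    auth.challenge("brian")
    replayed = auth.verify("brian", first)
    return first, with_offset, accepted, replayed


if __name__ == "__main__":
    print(demo())
```

The point of `verify()` popping the grid is the property the article lists next: the code is bound to one issued grid, so the same eight digits never work twice. Note that `force_digits` only exists to reproduce the article's numbers; a real deployment would never let anything but the server choose the digits.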

Is this two-factor authentication? No. But it's not really single-factor either.

  • The passwords are only valid once, protecting against key loggers.
  • Each character on the screen has four numbers, protecting against people looking over your shoulder.
  • Since it's visual only, it runs from anywhere. You don't need any client-side component like BioPassword does (e.g. Flash, ActiveX, a custom virtual channel DLL, etc.).
  • You don't need a token like with Secure Computing or SecurID.

And, the best part: the price is only $1 per user, per year!

They also have this solution for Outlook Web Access and a GINA replacement for workstation use. 



Comments

Guest wrote Hardware only?
on 10-24-2007 9:30 AM
This looks good and well priced. I checked the website and it looks like there is a hardware component, i.e., an appliance. Were they just showing off the appliance, or did they suggest that the engine could be installed on a Wintel box (e.g., the Web Interface machine)? Steve
Brian Madden wrote Re: Hardware only?
on 10-24-2007 10:26 AM
No, this is a software-only solution... I didn't talk to them about hardware at all... I know they also have solutions for the banking and credit card industries, so maybe the hardware is something that works with those things?
Guest wrote Re: Hardware only?
on 10-24-2007 10:50 AM
The engine that was shown at the expo was native .NET code running directly on the Web Interface server. We have found that this is the easiest way to deploy into Citrix and Microsoft Outlook Web Access systems. There is an appliance version of our product available with a SOAP API for applications where direct integration is not desirable.

--Mike Forrest, Grid Data Security
Guest wrote INGDirect web bank uses this
on 10-24-2007 12:34 PM
INGDirect uses something a lot like this but in reverse - you have a 10 digit phone keypad that you use to input your pin and each number has a letter assigned to it. I wonder if it's the same company or, if not, who ripped off whom?
Brian Madden wrote Re: INGDirect web bank uses this
on 10-24-2007 12:56 PM
I use ING Direct for my banking too. This is not the same company, but it's also not the same technology. The ING site uses a one-to-one model, where each digit in your PIN is linked to one alpha character on the screen. This means that someone who was capturing the screen and the keystrokes would know your password, as well as someone overlooking your shoulder would know your password. With Grid, both of those capture methods are also protected. Actually, there are quite a few solutions similar to this... what ING uses of course, and even other free solutions for Citrix Web Interface, like this: http://www.brianmadden.com/content/article/Enhance-Web-Interface-Security-with-a-Virtual-Keyboard-Login- The advantage with Grid is the fact that it has four numbers per character instead of one.
Guest wrote What about Swivel TURing
on 10-24-2007 1:22 PM
What about Swivel Secure (http://www.swivelsecure.com/)? We have several customers that use their technology; however, I think PINsafe provides a better end-user experience due to the simplicity of their design. You can enter your OTC/OTP much faster than using the Grid shown here... PINsafe integrated very nicely with Citrix Web Interface, Outlook Web Interface, Microsoft IAG, just about any web application front-end. Highly recommend their solution.


Copyright © 1997-2008 The Brian Madden Company, LLC