by Brian Madden
While walking around the exhibit hall at Citrix iForum The App Expo 07 tonight, I met some folks from a company called Grid Data Security. They have a one-time password solution for Citrix Web Interface which is possibly the coolest OTP solution I've ever seen.
After you enter your username into Web Interface, a grid appears on the screen listing every character on the keyboard, each surrounded by four numbers. Instead of typing the actual characters of the password, the user types the number shown next to each one. So far, so good... nothing special.
The big difference from other solutions is that when a user enrolls in Grid, they select which of the four number positions they want to use: upper-right corner, lower-left corner, and so on. The position a user chooses is known only to them (and to the system). When the user then enters their password, they type, for each character of the password, the number in their chosen position next to that character. For example, if my password is "Password" and I selected "lower left" when I enrolled, I would enter the GridCode 23662656.
What's crazy about this is that you don't have to worry about anyone looking over your shoulder (or "shoulder surfing," as the Grid guys called it). Can you really reverse-engineer 23662656 back to a word? What if someone took a screenshot of the grid and tried to map the GridCode back to a real word? To counter this, the user can also choose at enrollment to add a secret value to each number on the screen. For example, a user could select "lower right" and +2 when they enroll; then they would type 45884878 instead of 23662656. An attacker would not know whether the user was secretly adding a value to the numbers or not.
Perhaps it goes without saying that the numbers shown on the screen are random: each time the page is refreshed, a new set of numbers appears in the corners of the character squares. That per-login randomization is what makes a GridCode a one-time value.
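To make the mechanics concrete, here is a small Python model of the scheme as described above. It is an added illustration, not Grid Data Security's code: the keyboard character set, the corner names, single-digit grid values and the assumption that the added offset wraps around at 10 are all mine. It also enumerates what an attacker who captured both the grid and the typed digits would have to search, which is the caveat behind the shoulder-surfing claim.

```python
"""Toy model of the GridCode scheme described in the post.

Added illustration only; this is not Grid Data Security's code. Assumed
details: grid values are single digits 0-9, the four positions are named
as in CORNERS, and adding the enrolled offset wraps around modulo 10.
"""
import secrets
import string

CHARSET = string.ascii_letters + string.digits + string.punctuation
CORNERS = ("upper-left", "upper-right", "lower-left", "lower-right")
OFFSETS = range(10)  # assumed: a single-digit offset, wrapping mod 10


def make_grid(rng=None):
    """Build one fresh grid for a login attempt: every keyboard character
    gets four random digits, one per corner. The server keeps the grid
    with the session and discards it after one attempt."""
    rng = rng or secrets.SystemRandom()
    return {ch: {corner: rng.randrange(10) for corner in CORNERS} for ch in CHARSET}


def grid_code(grid, password, corner, offset):
    """The digits the user should type: for each password character, the
    digit in the enrolled corner plus the enrolled offset (mod 10, assumed)."""
    return "".join(str((grid[ch][corner] + offset) % 10) for ch in password)


def verify(grid, submitted, password, corner, offset):
    """Server-side check. compare_digest avoids a timing side channel; the
    caller must also discard the grid afterwards so the code is one-time."""
    expected = grid_code(grid, password, corner, offset)
    return secrets.compare_digest(submitted, expected)


def candidates(grid, digit, corner, offset):
    """All characters a single typed digit could stand for, given the grid
    and a guessed corner/offset. This is the residual ambiguity a shoulder
    surfer faces even after guessing the enrolment settings."""
    return {ch for ch in CHARSET if (grid[ch][corner] + offset) % 10 == digit}


def hypotheses(grid, submitted):
    """What an attacker holding both the grid (screenshot) and the typed
    code (keylogger) can do: enumerate every corner/offset setting and the
    per-position candidate sets it implies. 4 corners x 10 offsets is only
    40 settings, so the secret position is a hurdle, not a key; the
    per-login grid randomisation is what keeps a captured code from being
    replayed."""
    return {
        (corner, offset): [candidates(grid, int(d), corner, offset) for d in submitted]
        for corner in CORNERS
        for offset in OFFSETS
    }


if __name__ == "__main__":
    grid = make_grid()
    corner, offset = "lower-left", 2   # chosen at enrolment, known only to user and server
    code = grid_code(grid, "Password", corner, offset)
    print("user types:", code)
    print("verify:", verify(grid, code, "Password", corner, offset))
    print("verify with wrong corner:", verify(grid, code, "Password", "upper-right", offset))
    print("settings an eavesdropper must try:", len(hypotheses(grid, code)))
    print("chars the first digit could be (true setting):",
          sorted(candidates(grid, int(code[0]), corner, offset)))
```

Run it twice and the same password produces a different code each time, which is the one-time property the post describes. The `hypotheses` call is the practitioner's caveat: once both the grid and the typed digits are captured, the corner and offset together are a 40-way search, so the protection against a combined screenshot-plus-keylogger is the fresh grid at the next login, not the secret position itself.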
Is this two-factor authentication? No: everything the user supplies is something they know. But it isn't a plain static password either:
- A GridCode is valid only once, because the grid is regenerated for every login, so a keylogger captures nothing it can replay.
- Each character on the screen carries four numbers, and only the user knows which position (and which added value) is in use, so someone looking over your shoulder cannot read the password off the typed digits. One caveat: with four positions and a single-digit offset there are only about 40 possible settings, so an attacker who captures both the grid and the typed code can try them all; the real strength is that the captured code is useless against the next, freshly randomized grid.
- Because it is purely visual, it works from anywhere: no client-side component is needed, unlike BioPassword (no Flash, ActiveX control, custom virtual channel DLL, etc.).
- No hardware token is needed, unlike Secure Computing's tokens or RSA SecurID.
And, the best part: the price is only $1 per user, per year!
They also have versions of this solution for Outlook Web Access and a GINA replacement for Windows workstation logon.