Swivel Secure PINsafe review

There are plenty of different user- authentication schemes available today, but schemes such as biometrics have failed to take off in a big way, mainly due to high costs. Swivel's PINsafe is unique, as not only does it look far more cost-effective, but the entire system is based around simple four-digit PINs.

It sounds a little too simplistic to build an industrial-strength security policy on four little numbers, but Swivel's patented technology delivers an interesting twist to the use of PINs. Essentially, the numbers refer to positions and are never actually input by the user, so unless they personally disclose their PIN there are few ways of hacking it. When a user wants to access a resource protected by PINsafe, they're presented with a simple logon screen that requires them to enter their PINsafe username. A ten-digit security string is then presented to them and they derive a four-digit one-time code (OTC) by entering the numbers in the positions their personal PIN refers to. If your PIN contains the number '1', you use the number in the first position in the security string. If you want stronger security, you can make the security string comprise upper- or lower-case characters instead. Three methods of presenting the security string are available, with TURing used to obfuscate the code, while BUTTon and PATTern use keypads that refer to positions for deriving the OTC. PATTern is quite innovative, as it requires the user to remember a simple pattern on a group of ten buttons rather than the PIN itself.

PINsafe seems a super system for deploying to mobile users, as it employs two-factor authentication - something you have and something you know. With a GSM modem attached to the PINsafe appliance it can issue security strings directly to users' mobile phones via SMTP or SMS. Swivel calls this method dual-channel authentication, as the security string and OTC are delivered using different communications media - the mobile receives the security string, but the OTC is entered using a web browser. Irrespective of whether the OTC is entered correctly, the system will automatically issue a new one to the user's mobile immediately. This makes them ready to go for their next session. But if multiple messages are being received, it's clear someone is trying to hack your account.

The PINsafe appliance is simple to install. In order to protect web resources, you're required to load the supplied ISAPI filter agent on your web server and edit a small text-based configuration file to provide details of the protected web resources. A local XML database can be used to store user details and the appliance can integrate with Active Directory or function as a RADIUS server. The well-designed web interface makes it a doddle to set up users, while group membership defines their privileges. SMS integration requires a GSM modem attached to the appliance, but all you need to do is select the GSM transport group for your workers and enter their mobile phone numbers. To cut costs, you can also just purchase the PINsafe software and supply your own hardware.

In the search for alternative user-authentication schemes, all too often the simplest solutions can be easily overlooked. We found that, along with being easy to install and manage, PINsafe offers very tough security measures and particularly good value as well.

Author: Dave Mitchell