When passwords aren't passwords

After graduating from Oxford Polytechnic in 1983, Stephen Howes decided that his best path in life was as a programmer in the pharmaceutical industry. He stayed for 11 years. Around 1994, however, itchy feet put him in touch with a Cambridge recruitment company, and from there a then-unknown outfit called Pipex.

“‘They're doing something with this thing called the internet' was how it was described. I ended as product engineering director,” he says.

Howes reported to a VP of engineering in the US. “He took me aside one day and said: ‘You know what the problem is with you f***ing Brits? You don't know when to give up.' He meant it as a compliment: if we've got a problem, we'll stick with it until we find a solution.”

This tenacity finally led Howes to start up his own IT consultancy, GrIDsure, in 2002. “I wanted to get my hands dirty again,” he recalls. It was through this venture that he met a like-minded individual, Jonathan Craymer, who had developed a gizmo to help him remember PINs. “It was basically just a sliding card with some holes in – slide it back and forth and there's your PIN,” Howes explains.

That led to GrIDsure's current product offering, which, without going into the algorithms and programming, works on the simple premise that shapes are easier to remember than number sequences. So when you first set up your GrIDsure account, you choose a shape from a grid – your Personal Identification Pattern (PIP), as the company calls it. This can be as simple or complex as you like, but it does mean you have to remember that shape. Then each time you logon to a GrIDsure-protected device, you enter the characters that appear within your chosen shape – and obviously the numbers change every time. Simples.

“We immediately filed something with the Patent Office. We started touting the idea to people in the banking industry, and various other people, expecting them to say ‘Oh, that old thing, we gave that idea up years ago'. But people were actually saying ‘Bloody hell, this seems to work',” Howes reveals.

“The original plan really was to license the IP, thinking it would be all straightforward – we'll find people who are established in the market, get them to license it and we'll just take the royalties. Big mistake. It didn't work,” he admits.

So instead Howes and Craymer decided to go out and build products of their own, and eventually came up with enterprise products. “So now, anywhere in a Windows Active Directory-based environment, where you would see a username and password, we can replace that with a GrIDsure PIP,” Howes says.

He adds that GrIDsure could be used as an alternative on any system that relies on a PIN or password – from a computer login to burglar-alarm activation to keyless ignitions. It sounds brilliant, but surely the obvious market is financial services? This, however, is not an easy nut to crack, according to Howes.

“It's been difficult. You'd go to a bank and they would say: ‘Yes, we're very modern, we're very innovative, we like to be first in the marketplace.' And then, in the next breath: ‘Who else is using it?'  So nobody wants to go first. Plus a lot of banking protocols are committee-designed,” he states.

What's more, it must be very difficult for a start-up to compete with the likes of RSA and the major banks' own two-factor solutions. “It's very tough to be a new entrant in the market, especially when you start off as a two-man band. The attitude is: ‘Who are these people who don't come from a security background – why should we go and buy a security product from them?',” he says.

Howes' view is that the security world is too conservative in its thinking. Too many followers of the herd. He says there are a lot of people who would prefer to do nothing than something. At the same time, they are looking for security nirvana. “They are never going to find it.  The people who thought that RSA was the perfect security solution have just had a bit of a wake-up call. And there are those people who will stick with what they've got until they find ‘perfection'. And that's a really poor choice,” he says.

He argues that with tighter budgets, people have got to start looking at alternative ways of doing things. But above all, the user has been forgotten.

“People are starting to change their thinking and looking for a solution that does the job, rather than necessarily thinking ‘Well, I've got to have passwords or I've got to have tokens or I've got to have smartcards or I've got to have biometrics',” he says.

A mind for business

So that's the challenge, and to meet it Howes is looking to get his hands dirty again to bring the “technologist at heart” back to the fore. To this effect, the company recently brought in seasoned tech exec Daniel Mothersdale (nCipher and Websense feature on his CV) to look after the commercial side of the business.

“If you're focusing on technology, you've got to give it your whole attention. If you get immersed in something technical then it's difficult to manage the wider organisation. I'm happy playing with bits and bytes and I like thinking about problems and trying to find simple solutions to problems,” Howes says.

GrIDsure still faces the perennial challenges of the start-up tech company – good idea, but how to make it catch on? And what happens when people question the Cambridge-based minnow's support capabilities and financial security?

“Well, Microsoft was a little company once. So was Cisco. And there are two answers to the second question. One is, go and buy the product from one of our OEM partners. But, to be honest, we've not had that many people show those types of concerns. We've sold into Credit Agricole, which is the world's fourth-largest banking group – they've got 3,500 people using it, all the senior executives using it,” Howes says.

As for the other answer, he mentions a webinar that GrIDsure conducted with Angela Sasse, professor of human-centred technology at University College London, in which she argued that passwords were dead.

“Right now, the authentication landscape is a big, big sandpit, but everybody is playing down in one corner,” Howes exclaims. He adds that CISOs need to take a little bit more responsibility – and look to find the right solution.

“People need to go out there and look at the whole authentication landscape and find something that is appropriate to their needs, their budget and their end-users and the risks that they are trying to protect against,” he says.

He adds: “At the moment, what we're doing is pushing too much back on the end-user and making them far too responsible for their security. We're giving them bad solutions, we're giving them bad technology and we're giving them outdated technology – and when it all goes wrong, we blame it on the end-user.”

Howes is not really into the idea that chief information security officers are becoming business-enablers, or even, for that matter, business thinkers. “That's how a lot of CISOs would like to think of themselves, but I believe that when you get under the covers, they are still very, very conservative in their thinking,” he says.

But should every CISO aspire to being a business thinker? “They've got to be business-minded because they've got to follow the corporate goals and protect the business. However, they've also got to be thinking out of the box and they've got to be looking at it from the perspective of the bad guy. The bad guys are using incremental tactics to circumvent security. The good guys need to be good at innovative thinking. The ‘follow the sheep mentality' is not the way to go because that way you'll only ever move at the pace of the slowest person,” Howes says.

He adds: “They are always going to find new ways of hacking. They will always be upping the game. But those people who think that they will find a perfect solution, I believe they're going to be looking for a long, long time. There will never be nirvana when it comes to information security.”