GrIDsure
SafeNet’s GrIDsure authentication method utilizes a person’s ability to remember visual patterns. A GrIDsure token consists of a matrix of cells with random characters from which the user selects a “personal identification pattern” (PIP). Each time a user authenticates to a protected resource, they are presented with a challenge grid containing a new set of random characters, from which they enter the characters that correspond to their PIP. Because the user’s response to each login challenge is a one-time password, the result is stronger than a static password. As a result, GrIDsure can mitigate threats such as shoulder surfing, keyloggers, password guessing, and database hacking.
The PIP can be combined with a PIN for an additional level of security.
How GrIDsure works
The user is presented a grid with a random set of characters.
The user selects their personal identification pattern (PIP), consisting of a cell’s location in the grid and the sequence in which its value is entered.
In this example, the user enters their PIP, producing an OTP of 5582. There is no restriction on the order in which a pattern is created. In addition, cells in a pattern may be used more than once.
SafeNet Authentication Service stores the PIP to compare it against PIPs entered in the future.
The next time the user logs in, the same PIP will produce a new OTP. If the characters entered correspond to the PIP on record with SafeNet Authentication Service, access is granted.
The PIP complexity and minimum PIP character length can be customized in SafeNet Authentication Service (SAS) through Third-Party Authentication Options under VIRTUAL SERVERS > POLICY > Token Policy.
Configure GrIDsure options
- On the SAS console, select Policy > Token Policies > Third-Party Authentication Options.
- In the Third-Party Token Type list, select GrIDsure and then click Edit.
- Configure the GrIDsure options as required:
  - Allow trivial PIPs—(Not recommended) If enabled, the user can select a straight line (horizontal, vertical, diagonal), or the four corners of a square within the grid as their PIP.
  - Use numbers, Use uppercase letters, Use lowercase letters, Use special/symbolic characters—Grids display characters from the enabled options. Note that the grid size is set in Token Templates, as is the requirement for a PIN and the passcode that corresponds to the PIP.
  - Minimum PIP Length—Specify the minimum number of characters for a PIP. The default is 4.
- Select Apply.
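As an added example (not SafeNet’s code and not the SAS implementation), the Python below models the challenge/response described under How GrIDsure works together with the enrollment-time checks behind the Minimum PIP Length and Allow trivial PIPs options. The grid, the PIP and the 5x5 size are constructed values; the trivial-PIP rules are one reading of the option text and assume an axis-aligned square.

```python
import secrets
import string

# Constructed example values; in SAS the grid size, character set and PIN rules live in Token Templates / Token Policy.
GRID_SIZE = 5

def new_challenge_grid(alphabet=string.digits, size=GRID_SIZE):
    """Issue a fresh challenge: one CSPRNG-chosen character per cell, so the same PIP yields a new OTP."""
    return [[secrets.choice(alphabet) for _ in range(size)] for _ in range(size)]

def otp_for_pip(grid, pip):
    """The OTP is the grid characters read at the PIP's cells, in PIP order (cells may repeat)."""
    return "".join(grid[r][c] for r, c in pip)

def is_straight_line(pip):
    """Horizontal, vertical or diagonal run: every step between consecutive cells is the same."""
    if len(pip) < 2:
        return False
    dr, dc = pip[1][0] - pip[0][0], pip[1][1] - pip[0][1]
    if (dr, dc) == (0, 0) or not (dr == 0 or dc == 0 or abs(dr) == abs(dc)):
        return False
    return all((b[0] - a[0], b[1] - a[1]) == (dr, dc) for a, b in zip(pip, pip[1:]))

def is_square_corners(pip):
    """Exactly the four corners of an axis-aligned square, entered in any order (assumed reading)."""
    cells = set(pip)
    if len(pip) != 4 or len(cells) != 4:
        return False
    rows, cols = sorted({r for r, _ in cells}), sorted({c for _, c in cells})
    if len(rows) != 2 or len(cols) != 2 or rows[1] - rows[0] != cols[1] - cols[0]:
        return False
    return cells == {(r, c) for r in rows for c in cols}

def pip_policy_violations(pip, min_len=4, allow_trivial=False):
    """Enrollment-time checks mirroring 'Minimum PIP Length' and 'Allow trivial PIPs'."""
    problems = []
    if len(pip) < min_len:
        problems.append(f"PIP has {len(pip)} cells; minimum is {min_len}")
    if not allow_trivial and (is_straight_line(pip) or is_square_corners(pip)):
        problems.append("trivial PIP: straight line or four corners of a square")
    return problems

def verify_response(challenge_grid, stored_pip, response):
    """Server side: recompute the expected OTP from the stored PIP and the grid issued for THIS login only."""
    return secrets.compare_digest(otp_for_pip(challenge_grid, stored_pip), response)

# Constructed 5x5 challenge grid and a PIP that reads "5582" on it, mirroring the page's example OTP.
SAMPLE_GRID = [list("51839"), list("25704"), list("86291"), list("30527"), list("94168")]
SAMPLE_PIP = [(0, 0), (1, 1), (0, 2), (2, 2)]  # (row, column) cells, in entry order
```

Calling `otp_for_pip(new_challenge_grid(), SAMPLE_PIP)` twice shows why a captured response cannot be replayed: the PIP is fixed, but the characters at those cells change with every challenge.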
Compatible network access points
SafeNet Authentication Service agents provide out-of-the-box support for GrIDsure authentication (for example, IIS Agent, Windows Logon Agent). As a browser-based, zero-footprint authentication method, any device with a web browser can support GrIDsure, including desktops, laptops, thin clients, tablets, and mobile phones. (Any standard browser can be used.) For custom application integration, a snippet of JavaScript code needs to be included in the protected application to display the grid.
Zero footprint in this context refers to the fact that GrIDsure authentication does not install software or modify the user’s system in any way.
Thin clients can authenticate using GrIDsure when the target system supports GrIDsure authentication; for example, the target web portal, remote web application, or network domain server.
GrIDsure can be used to protect a wide range of applications and use cases, including:
- VPNs
- Network logon
- Cloud applications (SaaS)
- Web portals
- VDI
Grid tokens currently protect popular applications, including the following:
- Cisco ASA
- Citrix NetScaler
- F5 Big-IP APM
- IBM ISAM for Web
- IIS-7-based applications
- Juniper Networks
- Microsoft 365
- SonicWall SRA
Provisioning a GrIDsure token to a user
To provision a GrIDsure token to a user:
- In the SAS console, click the Virtual Servers tab.
- In the Managed Account list, select an account.
- Click the Assignment tab.
- Search for and select a user account.
- Click the Authentication Methods module and then click the Provision button.
- In the Select Authentication Type list, select GrIDsure.
- Click the Provision button.
Now that the token has been provisioned to the user, the next step is for the user to self-enroll their token. An email containing a link to self-enroll is automatically sent to the user. For more information on this process, refer to the Self-enroll a GrIDsure token section.
Self-enroll a GrIDsure token
Self-enrollment is a simple process for SAS users to activate a GrIDsure token that has been provisioned to them and to create their personal identification pattern (PIP). After completing this process, they are able to use their PIP to log in to resources protected with GrIDsure.
Self-enrollment process
A self-enrollment email is sent from either the default email address or the custom “From” email defined in SAS. Likewise, the subject line may also be different depending on whether the default or a custom value is used. Note that the default values for both the email address and the subject line will be different for SAS Cloud and SAS PCE.
If you do not receive your self-enrollment email, contact your security administrator to arrange for a new one to be sent to you.
To self-enroll your GrIDsure token:
- Read through the entire email before starting the process of enrolling your GrIDsure token.
- When you are ready to begin enrollment, click the link in the email.
- After clicking the email link, you are redirected to the SafeNet Authentication Service – Self Enrollment window. In this step, you must select a “personal identification pattern” (PIP) using the displayed grid. Remember, you are selecting a “pattern”, not a number or letter sequence. The minimum PIP character length is four (4). Trivial PIPs are not allowed, as illustrated in the examples on the right side of the window.
  Characters are case-sensitive; therefore, capital letter entry must be used for letter characters.
  Once you have selected your PIP, click Next to continue.
  Valid grid patterns are based on the settings described in Configure GrIDsure options. In addition, a grid pattern must not contain invalid characters or three or more duplicate characters (for example, 5550).
- If the PIN type is configured as Server-side User Select, enter a PIN of your own and then select Submit. The following images show the range of PIN requirements that may be configured, from fewest (on the left) to most (on the right).
- If the PIN type is Server-side Server Select or Server-side Fixed, memorize the PIN that is provided and then select Continue.
  For information about configuring PIN requirements, see PIN policy parameters.
  You are prompted to confirm that you memorized your PIN.
  - To continue, select My PIN is memorized.
  - To review your PIN, select Go back.
- The next screen acknowledges that your token has been successfully activated and displays your user ID. You may now close your browser.
Authenticating with GrIDsure
The following steps guide you through accessing a website protected with GrIDsure configured to authenticate against a SAS server.
- The user launches a web browser and enters a protected website address.
- On the Login window, the user enters their user ID, and then clicks the Logon button.
- The user is challenged with the GrIDsure grid and is required to enter their PIP value in the Response field. After clicking the Logon button, if the credentials are valid, the user is authenticated and is given access to the protected website.