Is Shayype the future of authentication? ManagedIT finds out more from inventors Jon Beal and Jonathan Craymer
Fear of data breaches and the threat of huge fines from the Information Commissioner’s Office (ICO) have spread terror among directors since the inception of GDPR in May 2018, made worse by the fact that the online security industry appears unable to stem the constant flow of headlinegrabbing hacks and data breaches.
Could a new UK invention from UK start-up Cloud-pin Ltd be the solution? Shayype is designed to do what two-factor authentication does – provide users with securityboosting ‘one-time’ passcodes (OTPs) for logging into systems or authorising an action – but without the need to set up complex phone-based processes or use inconvenient hardware.
Instead, users choose a pattern or shape made up of a number of squares (typically seven) on a numbered grid, the pattern and position of which they will need to memorise for all future log-ins. Each square within the grid contains a number that changes with every transaction. To log-in securely, the user just enters the numbers that appear in the squares that make up their chosen shape.
Shayype can be used instead of passwords for individual applications or as a ‘wrapper’ around existing password-protected systems, offering additional security via cloud-based ‘remote authentication’, plus the security and convenience of single sign-on.
To find out more, Technology Reseller spoke to Shayype’s inventors Cloud-pin Technical Director Jon Beal (JB) and Cloud-pin Chairman Jonathan Craymer (JC).
ManagedIT (MIT): What’s wrong with traditional passwords?
JC: Traditional passwords were once thought to be secure enough to keep hackers out. It was argued it would take even the best computers years to reverse engineer ‘strong’ passwords. But modern technology designed to ‘crack’ the most complex passwords in fractions of a second, viruses or malware able to capture everything users type, as well as sophisticated methods designed to fool users into giving up their passwords have seriously downgraded the use of fixed ID codes as a security measure. The real problem is that you never know when a password has fallen into the wrong hands, so while you’re sleeping at night a hacker could be coming and going, all the while appearing to be you.
MIT: Why, then, are passwords still so widely used?
JC: This is a slightly tricky one to answer. The response we prefer is that, until now, no-one has demonstrated that there’s something better! Also, a lot of people still see passwords as ‘free’, whereas they’re anything but free if they allow hackers to get in. Data breaches may cost enterprises millions in terms of reputational damage, loss of customers and potentially huge fines from the Information Commissioner. These may be survivable by larger firms but could wipe out smaller companies.
MIT: What is Shayype’s approach and why is it potentially more secure?
JB: We could see a long time ago that passwords weren’t secure enough and couldn’t understand why the tech giants that had created our digital world weren’t able to come up with anything better. Instead, they turned on the password, blaming it for many of our cyber ills. Meanwhile, product vendors announced they had the answer with a dazzling array of hardware-based ‘two factor’ systems using key fobs, phones, USB plug-in or Bluetooth ‘keys’, as well as various biometric systems based on users’ personal characteristics, such as fingerprints, face shapes or voice recognition. All of these have flaws – the main one being that they can all be stolen.
Clearly, what was needed was a better ‘mentally held secret’ – something you know, which is secure, easy to use and never exposed. So, we created Shayype, offering the simplicity of passwords with the strength of two-factor but without the need for extra hardware.
MIT: What are the benefits of Shayype compared to other password alternatives – and why might it be a more successful replacement?
JC: The problem with passwords is that hackers can so easily get hold of and re-use them. But all the alternatives have flaws too. A phone or key-fob can be stolen. In fact, as Jon says, everything we currently use to authenticate ourselves, including our fingerprints, someone can now walk off with!
Chinese technicians showed last Autumn at a conference in Shanghai that they could steal victims’ fingerprints from drinking glasses in about 20 minutes. SMS-based two factor, which has a huge foothold, can also be easily defeated by ‘sim fraud’, where a criminal fools a service provider into letting him/her take over someone’s number. This is so common even my Neighbourhood Watch group has been warning about it.
MIT: How can organisations implement Shayype and what are the costs involved?
JB: We realised we needed a way of making Shayype easily available to SMEs and other types of business, so we made use of a terrific Identity and access Management (IaM) package called Keycloak, created by Red Hat (now part of IBM). Similar packages are available, but Keycloak is very robust and adaptable and has built-in adapters for working with virtually every conceivable platform, such as Microsoft 365 and Active Directory, so that any competent IT firm armed with the Shayype ‘application protocol interface’ (API) can create an impenetrable ‘wrapper’ around existing or legacy systems.
The advantages of such a system are huge, because it permits ‘remote authentication’, where the process of authenticating users is done completely offsite, which raises security enormously. Entire workforces can be given an OTP facility, as can customers, contractors, suppliers etc. Added to that, Shayype Keycloak will enable single sign-on, allowing users to link seamlessly into every application they’re required to use, without having to put in individual passwords, which can create yet more security problems, before logging out at the end of the day. Administrators can easily manage access privileges, so if for instance an employee needs to look at something after hours from home, they may be allowed to do so, but only with limited access.
Companies that want to install Shayype on an existing platform will be able to do so using an SDK (software developer’s kit) which we‘re in the process of writing. However, we believe use of the Shayype Keycloak version will bring significant advantages, such as automatic updates and easier central management, so that’s what we recommend.
The cost? We’re talking to a handful of potential first adopters and IT installers, and part of those discussions are about how much it will cost to use Shayype. Since, for the most part, it will be working in the cloud, we need to run a few pilots to see what the real running costs are before we develop a full pricing structure. However, we aim to offer Shayype as cheaply as possible – hopefully in the region of less than £1 per user/year.
MIT: What feedback have you had from early trials – and what lessons have you learnt?
JC: It’s early days and we’re still only talking to potential first adopters, but even so the feedback has been incredibly positive. We did a programme of user trials at the outset, and one person was so amazed at how easy it was to log in with Shayype, he said ‘Is that it?’.
A graphical system like Shayype will always win over horrendous ‘strong’ passwords, which we know people struggle to recall and use. Because of the problems people
MIT: What are you planning to do to take Shayype and Cloud-pin Ltd to the next level?
JC: We have three potential routes forward. First, from an SME perspective, we aim to create a network of sector-specific IT company partners that are able to re-sell and install Shayype Keycloak. Alongside this, we want to offer a solution for individuals using Gmail and Google apps. We believe that having the equivalent of two factor authentication but without requiring any extra devices, even a phone, will be amazing. We’re aiming to launch a crowdfunding campaign for this project, so watch this space. Thirdly, we see a future for Shayype in areas like blockchain and IoT.
MIT: Does the channel have a role to play in driving take-up of the technology?
JC: Certainly. Shayype has the potential to increase security in almost any scenario you can think of. We’re just starting to talk to those in the channel and are pleased to see interest rising fast, because it’s clear that Shayype is the first secure ‘knowledge-based’ factor, and the first real advance in authentication in years.