Swivel is a multi-factor authentication system. The core of the solution is Swivel's patented one-time code (OTC) extraction protocol, PINsafe.
A user is sent a security string, which they combine with their PIN to derive a one-time code. They then use this one-time code to authenticate themselves.
The strength of this system is that the user needs both the security string and their PIN in order to authenticate. The one-time code extraction protocol is simple to use: the PIN determines which characters of the security string are used for the one-time code, and in which order.
The example above shows how a PIN of 1370 is combined with the security string to create the one-time code 5240. PINs can be from 4 digits to 10 digits long. Security strings can be letters, numbers or a mixture of both.
This approach gives the following advantages:
- The one-time code that the user enters is different for every authentication, which provides defense against key-logging attacks and many simple man-in-the-middle and phishing attacks.
- The user never enters their PIN to authenticate, again providing defense against the attacks listed above.
- As authentication requires two elements, the security string can be sent via a different channel to the authentication request, providing defense against man-in-the-middle attacks.
- The delivery of the security string can be tied to a specific device, e.g. a mobile phone, providing a two-factor authentication solution.
The beauty of this model is that it can be implemented in a number of ways to give different user experiences and different strengths of authentication. For example, the security string can be displayed as an obfuscated (TURing) image on a VPN logon page or delivered via a text message to a user's mobile phone.