Shayype™ is designed to offer a perfect new authentication element/ingredient, with all the simplicity and portability of passwords (no devices to carry, not even a phone) and the strength of OTP-based two-factor.
Traditionally, users have had to employ passwords, some kind of device-based two-factor, or biometrics (which we have grave reservations about). Our research shows most businesses are crying out for a better option than the passwords-or-2FA conundrum!
However, with Shayype, users are presented with OTPs on the screen of whatever device they’re using, even if it is not their own (ATM, borrowed machine, web-café, kiosk etc.), in a form only they can recognise. The OTPs are concealed in a 5x7 (default size) grid with a single-digit number in each cell, which they “read” using a pre-set secret pattern or shape (e.g. an L-shape, tick etc.). NB: Shayype can also be used in app form on separate devices.
This means Shayype is:
- Easier to use & recall
- Shoulder-surfing proof
- A universal authentication tool (user can authenticate or prove “ownership” of an account without any devices, documentation or personal information coming into play)
- Easily re-set (unlike biometrics)
- Codes can be generated for a variety of purposes
- Increases user control over login security (codes are single use and change every time)
- Allows users to authenticate without giving anything at all away (most of today’s systems create further potential GDPR problems by asking for additional attributes like mobile numbers etc)
- Linked to reputable KYC services (Experian, Equifax, Gov.Verify etc) these could “vouch” for users including attributes such as age etc. (KYC services could do an initial 30-minute interview with big data etc just once – and thereafter this level of strong authentication could be “turned on” with a Shayype OTP)
- Ideal for systems like cloud, blockchain, or even BBC “Box”
- Blocks could contain a user’s biometric and private key – securely “fronted” by a Shayype OTP
- Cards could have online “chip & PIN”.
How secure is it? Shayype’s patent-applied-for back end uses a new version of Shamir’s Secret Sharing, fragmenting the user token, meaning that even if a hacker were to break in, he/she would not find anything useful (compare this to key-fobs requiring global databases of keys). And our front end offers four versions designed to offer extreme security, including Shayype Evade, which defeats filming/screen-scraping and algorithms designed to work out users’ patterns, and Shayype Swipe, designed for secure phone use (no code is generated; instead the user proves ownership of the pattern secret on the screen using finger swipes).
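The grid-and-pattern login described above, sketched as an added example (not Shayype's own code): a fresh digit grid per login, the code read along a secret pattern, single-use verification, and a count of how many cell sequences remain consistent with one observed code. The grid orientation, the 4-cell L-shape, the `Verifier` class and all function names are assumptions, and the secret-shared back end is not modelled.

```python
import hmac
import math
import secrets
from collections import Counter

ROWS, COLS = 7, 5  # assumption: the page's "5x7" read as 5 columns by 7 rows

# Constructed sample data: a fixed grid and an L-shaped pattern of (row, col) cells.
SAMPLE_GRID = [
    [3, 1, 4, 1, 5],
    [9, 2, 6, 5, 3],
    [5, 8, 9, 7, 9],
    [3, 2, 3, 8, 4],
    [6, 2, 6, 4, 3],
    [3, 8, 3, 2, 7],
    [9, 5, 0, 2, 8],
]
L_SHAPE = [(0, 0), (1, 0), (2, 0), (2, 1)]  # assumption: 4-cell pattern, 4-digit OTP

def new_grid(rows=ROWS, cols=COLS):
    """Fresh challenge: one CSPRNG digit per cell, regenerated for every login."""
    return [[secrets.randbelow(10) for _ in range(cols)] for _ in range(rows)]

def read_otp(grid, pattern):
    """What the user does by eye: read the digits under the pattern, in order."""
    return "".join(str(grid[r][c]) for r, c in pattern)

def ambiguity(grid, otp):
    """Ordered sequences of distinct cells that spell otp on this grid, i.e. how
    many candidate patterns one observed (grid, code) pair leaves open."""
    cells = Counter(d for row in grid for d in row)
    uses = Counter(int(ch) for ch in otp)
    return math.prod(math.perm(cells[d], k) for d, k in uses.items())

class Verifier:
    """Hypothetical server side holding the pattern in one place (simplified)."""
    def __init__(self, pattern):
        self._pattern = pattern
        self._grid = None

    def challenge(self):
        self._grid = new_grid()
        return self._grid

    def verify(self, otp):
        grid, self._grid = self._grid, None  # consume the challenge: single use
        if grid is None:
            return False
        expected = read_otp(grid, self._pattern)
        return hmac.compare_digest(expected.encode(), otp.encode())

if __name__ == "__main__":
    print(read_otp(SAMPLE_GRID, L_SHAPE), ambiguity(SAMPLE_GRID, "3958"))
```

The `ambiguity` figure covers a single observation only; it says nothing about what several observed logins reveal together.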