PinSentry, same old problems?

I received my PinSentry from a certain UK High Street bank today, and so far I don’t see where it’s going. This device, produced by Gemalto (http://www.gemalto.com//press/archives/2007/04-18-2007-Barclays.pdf), allows two-factor authentication using a customer’s ‘Chip and PIN’ card.

This doesn’t really change anything, as the numbers generated by the device (at least in identify mode) can be created one by one offline, written down and then later used sequentially. I’ve seen enough people with PINs on Post-it notes attached to their cards to know that it won’t be long before the notes also contain PinSentry numbers. FaultyFlipper has some good discussion of people’s feelings towards the devices, as well as the reasons it may have been introduced.
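To make the “written down and used later” point concrete, here is an added example (not the bank’s or Gemalto’s code, and the post does not say which algorithm PinSentry uses): a counter-based OTP in the style of HOTP (RFC 4226) stands in for the device, using the RFC’s own test secret. The server-side verifier does what such verifiers normally do, accepting a code from a small look-ahead window and then refusing anything at or before the counter it just consumed. That blocks replay and out-of-order use, but a list of codes generated in advance and used in order passes every check, because nothing in a pure counter-based code ties it to the moment or the transaction it is used for; only a code that also commits to a server challenge or the transaction details cannot be produced ahead of time.

```python
"""Counter-based OTP verifier, to show why a list of codes generated ahead
of time still works when used in order.

Added example, not the bank's or Gemalto's code. The post does not say what
algorithm PinSentry uses; HOTP (RFC 4226) stands in as a representative
counter-based scheme, with the RFC's own test secret.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class CounterVerifier:
    """Server side: accept a code if it matches any of the next `window`
    counters (RFC 4226 section 7.2 look-ahead), then move past it so the
    same code, or any earlier one, is never accepted again."""

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.next_counter = c + 1
                return True
        return False


def written_down_list(secret: bytes, count: int) -> list:
    """The 'Post-it' scenario: press the button `count` times and note the codes."""
    return [hotp(secret, c) for c in range(count)]


def simulate(secret: bytes = b"12345678901234567890") -> dict:
    """Run the scenario: codes noted in advance, then used later.
    The secret is the RFC 4226 test key, not a real device key."""
    codes = written_down_list(secret, 5)
    v = CounterVerifier(secret)
    in_order = [v.verify(c) for c in codes]        # every code accepted
    replay = v.verify(codes[2])                     # already consumed
    later = CounterVerifier(secret)
    later.verify(codes[4])                          # jumps the counter to 5
    out_of_order = later.verify(codes[3])           # now behind the counter
    return {"accepted_in_order": all(in_order),
            "replay_accepted": replay,
            "out_of_order_accepted": out_of_order}


if __name__ == "__main__":
    print(simulate())
```

The verifier’s look-ahead and counter advance are the standard protections against replay and resynchronisation drift; they are not a defence against the scenario the post describes, which is exactly why the algorithm choice, rather than the server checks, decides whether codes can be stockpiled.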

I’ve had a quick look at the numbers generated, and they seem to follow a sequential pattern of random increments. A very quick phase-space analysis of one hundred numbers from the device shows no discernible patterns, but more numbers are needed to carry this out thoroughly.
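The kind of check described above, as an added example that is not part of the original post: a delay-embedding (“phase-space”) pass over a sequence of codes, looking at the increments between consecutive codes, the lag-1 autocorrelation of those increments, repeated transitions in the (x_n, x_{n+1}) embedding, and the digit frequencies. The sample sequence is constructed with a seeded PRNG and stands in for device output; it says nothing about the real device. The 8-digit code length is an assumption. The `noise_band` value shows why one hundred samples is thin: with n samples, an autocorrelation coefficient anywhere inside roughly ±2/√n cannot be told apart from white noise, so small structure is simply invisible at that sample size.

```python
"""Delay-embedding ("phase-space") checks on a sequence of OTP codes.

Added example, not from the original post. The analysis functions are
generic; the sample sequence is CONSTRUCTED with a seeded PRNG and stands
in for real device output (it says nothing about the real PinSentry).
"""
import math
import random
from collections import Counter

DIGITS = 8          # assumption: 8-digit codes; change to match the device
MODULUS = 10 ** DIGITS


def increments(codes, modulus=MODULUS):
    """Step from each code to the next, reduced mod the code space, so a
    'sequential pattern of random increments' shows up in this series."""
    return [(b - a) % modulus for a, b in zip(codes, codes[1:])]


def delay_embedding(xs, dim=2):
    """Points (x_i, x_{i+1}, ...) of a delay embedding; dim=2 is the usual
    phase-space scatter plot of x_n against x_{n+1}."""
    return [tuple(xs[i:i + dim]) for i in range(len(xs) - dim + 1)]


def repeated_points(points):
    """Embedding points seen more than once, i.e. transitions that recur
    (a sign of a short cycle or a small internal state)."""
    return {p: c for p, c in Counter(points).items() if c > 1}


def autocorrelation(xs, lag=1):
    """Sample autocorrelation at the given lag (0 when the series is constant)."""
    n = len(xs)
    mean = sum(xs) / n
    denom = sum((x - mean) ** 2 for x in xs)
    if denom == 0:
        return 0.0
    num = sum((xs[i] - mean) * (xs[i + lag] - mean) for i in range(n - lag))
    return num / denom


def noise_band(n):
    """Rough 95% band for the autocorrelation of white noise with n samples;
    a coefficient inside +/- this value is indistinguishable from noise."""
    return 2 / math.sqrt(n)


def digit_chi_square(codes, digits=DIGITS):
    """Chi-square statistic for the frequency of digits 0-9 across all code
    positions against a uniform expectation (9 degrees of freedom; 16.92 is
    the 5% critical value)."""
    counts = Counter("".join(str(c).zfill(digits) for c in codes))
    total = len(codes) * digits
    expected = total / 10
    return sum((counts[d] - expected) ** 2 / expected for d in "0123456789")


def analyse(codes):
    """Summary of the checks above for one sequence of integer codes."""
    steps = increments(codes)
    return {
        "samples": len(codes),
        "lag1_autocorr_of_increments": autocorrelation(steps),
        "noise_band": noise_band(len(steps)),
        "repeated_transitions": len(repeated_points(delay_embedding(codes))),
        "digit_chi_square": digit_chi_square(codes),
    }


if __name__ == "__main__":
    rng = random.Random(2007)  # constructed stand-in for device output
    sample = [rng.randrange(MODULUS) for _ in range(100)]
    for key, value in analyse(sample).items():
        print(f"{key}: {value}")
```

Feed `analyse` a list of integers read from the device and compare the lag-1 coefficient with the noise band, then check the chi-square statistic against 16.92; anything inside the band or below the critical value is “no discernible pattern” at that sample size, not evidence of randomness.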

If anyone is interested in sample output from the device, I can supply the numbers I have used for testing. Likewise, if you’d like to supply me with some numbers (and not any personal details), let me know.

December 23rd, 2007
By Joe | filed under Security