Are pictures more secure than passwords?

30 Dec, 2015

Plymouth University's secure method could replace multi-factor authentication and one-time passwords

Researchers at Plymouth University have developed a numerical-based security system that could replace traditional passwords and multi-factor authentication.

GOTPass, developed by the Centre for Security Communication and Network Research (CSCAN), is a one-time numerical code that doesn't depend on hardware or software to work.

It can prevent hackers from accessing confidential information, while also being easier for users to remember and cheaper for providers to implement than developing their own multi-layered security solutions.

The solution would be particularly useful for users who have multiple accounts with the same provider or use different devices to access their accounts.

To set up a GOTPass account, users need to create a user name and draw a pattern in a 4x4 grid, similar to using an unlock pattern on a smartphone. They must then choose one image from each of four different themes presented to them.

When they log in to a website using the GOTPass system, they will be asked to enter their unique pattern and choose two images from those presented that correspond to their selections in step two of the account setup.

When carried out successfully, they will be given an eight-digit, randomly generated code that they must enter into the login screen when directed.

“In order for online security to be strong it needs to be difficult to hack, and we have demonstrated that using a combination of graphics and one-time password can achieve that,” said Dr Maria Papadaki, Lecturer in Network Security at Plymouth University and director of the PhD research study.

“This also provides a low cost alternative to existing token-based multi-factor systems, which require the development and distribution of expensive hardware devices. We are now planning further tests to assess the long-term effectiveness of the GOTPass system, and more detailed aspects of usability.”

The researchers published the results of trials in the Information Security Journal: A Global Perspective, revealing that, out of 690 attempts, the new solution stopped 97 per cent of hacks getting through, showing it is a highly effective method for preventing attacks.

“Traditional passwords are undoubtedly very usable but regardless of how safe people might feel their information is, the password’s vulnerability is well known,” said PhD student Hussain Alsaiari, who led the research.

“There are alternative systems out there, but they are either very costly or have deployment constraints which mean they can be difficult to integrate with existing systems while maintaining user consensus.”

Alsaiari added: “The GOTPass system is easy to use and implement, while at the same time offering users confidence that their information is being held securely.”