With cyber security a top priority these days, researchers from Plymouth University’s Center for Security Communication and Network Research have been working on an alternative to multi-factor methods dependent on hardware or software and one-time passwords. The Plymouth team is using images and one-time numerical codes in a new multi-level authentication system it calls GOTPass, which could be effective in protecting personal online information from hackers.
The new system could also be easier for users to remember, as well as less expensive for providers to implement since it would not require the deployment of costly hardware systems.
According to the researchers, GOTPass would be implemented in online banking and similar services, where users with several accounts are forced to carry around multiple devices in order to gain access.
The team published a series of security tests in which there were only 23 successful break-ins out of 690 hacking attempts.
“Traditional passwords are undoubtedly very usable but regardless of how safe people might feel their information is, the password’s vulnerability is well known. There are alternative systems out there, but they are either very costly or have deployment constraints which mean they can be difficult to integrate with existing systems while maintaining user consensus,” says Hussain Alsaiari, the PhD student who led the study. “The GOTPass system is easy to use and implement, while at the same time offering users confidence that their information is being held securely.”
To set up the GOTPass system, users would choose a unique username and draw any shape on a 4x4 unlock pattern, similar to methods already used on mobile devices. They would then be assigned four random themes and prompted to select one image from 30 in each.
To access their account, the user would enter their username and draw the pattern lock. The next screen would contain a series of 16 images, two of which are their selected images (the other images are distractors and random decoys).
Correctly identifying the two images would lead the user to a generated eight-digit random code located on the edges of the login panel, which the user would then need to type in to gain access to their information.
“In order for online security to be strong it needs to be difficult to hack, and we have demonstrated that using a combination of graphics and one-time password can achieve that. This also provides a low-cost alternative to existing token-based multi-factor systems, which require the development and distribution of expensive hardware devices. We are now planning further tests to assess the long-term effectiveness of the GOTPass system, and more detailed aspects of usability,” says Dr. Maria Papadaki, Lecturer in Network Security at Plymouth University and director of the PhD research study.