Images and codes could provide secure alternative to multiple device password systems

December 23, 2015

A system using images and a one-time numerical code could provide a secure and easy to use alternative to multi-factor methods dependent on hardware or software and one-time passwords, a study by Plymouth University suggests.

Researchers from the Centre for Security Communication and Network Research (CSCAN) believe their new multi-level authentication system GOTPass could be effective in protecting personal online information from hackers.

It could also be easier for users to remember, and be less expensive for providers to implement since it would not require the deployment of potentially costly hardware systems.

Writing in Information Security Journal: A Global Perspective, the researchers say the system would be applicable to online banking and similar services, where users with several accounts would struggle to carry around multiple devices to gain access.

They also publish the results of a series of tests, demonstrating that out of 690 hacking attempts - using a range of guesswork and more targeted methods - there were just 23 successful break-ins.

PhD student Hussain Alsaiari, who led the study, said: "Traditional passwords are undoubtedly very usable but regardless of how safe people might feel their information is, the password's vulnerability is well known. There are alternative systems out there, but they are either very costly or have deployment constraints which mean they can be difficult to integrate with existing systems while maintaining user consensus. The GOTPass system is easy to use and implement, while at the same time offering users confidence that their information is being held securely."

To set up the GOTPass system, users would choose a unique username and draw any shape on a 4x4 unlock pattern, similar to that already used on mobile devices. They would then be assigned four random themes and prompted to select one image from 30 in each.

When they subsequently log in to their account, the user would enter their username and draw the pattern lock, with the next screen containing a series of 16 images, among which are two of their selected images, six associated distractors and eight random decoys.

Correctly identifying the two images would lead to a generated eight-digit random code located on the top or left edges of the login panel, which the user would then need to type in to gain access to their information.
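To make the enrolment and login steps above concrete, here is a small server-side model of the scheme as the article describes it. It is an added illustration, not code from the study or from the Plymouth team: the image catalogue, theme names and pattern string are constructed placeholders, and the article does not say how the edge labels are combined into the eight-digit code, so this model assumes one random two-digit label above each column and left of each row, read off as column label then row label for each of the two pass images. The blind-guess figure at the end follows directly from the 16-image grid and is the kind of number a reviewer would want next to the reported break-in counts.

```python
import hmac
import random
import secrets
from math import comb

# Parameters taken from the article's description of GOTPass.
GRID_SIZE = 16            # images on the login screen (4x4 panel)
SIDE = 4                  # the panel is SIDE x SIDE
THEMES_PER_USER = 4       # themes assigned at enrolment
IMAGES_PER_THEME = 30     # user picks one image from 30 per theme
SECRET_IMAGES_SHOWN = 2   # two of the user's four images appear per login
DISTRACTORS = 6           # same-theme images the user did not pick
DECOYS = 8                # images from themes never assigned to the user

# Constructed catalogue (placeholder themes and image ids, not the study's).
CATALOGUE = {theme: [f"{theme}-{i:02d}" for i in range(IMAGES_PER_THEME)]
             for theme in ("animals", "food", "cars", "flowers", "tools", "landmarks")}


def enrol(pattern, rng):
    """Enrolment: four random themes and one image chosen from each.
    The user's choice is simulated with rng.choice. Returns the server record
    (a real deployment would store a hash of the pattern, not the pattern)."""
    themes = rng.sample(sorted(CATALOGUE), THEMES_PER_USER)
    chosen = {theme: rng.choice(CATALOGUE[theme]) for theme in themes}
    return {"pattern": pattern, "themes": themes, "chosen": chosen}


def build_challenge(record, rng):
    """One login screen: two pass images, six same-theme distractors and eight
    decoys, shuffled into the grid, plus fresh random edge labels (assumed
    layout: one 2-digit label per column on top and per row on the left)."""
    shown_themes = rng.sample(record["themes"], SECRET_IMAGES_SHOWN)
    pass_images = [record["chosen"][t] for t in shown_themes]
    distractor_pool = [img for t in record["themes"]
                       for img in CATALOGUE[t] if img != record["chosen"][t]]
    decoy_pool = [img for t in CATALOGUE if t not in record["themes"]
                  for img in CATALOGUE[t]]
    grid = (pass_images + rng.sample(distractor_pool, DISTRACTORS)
            + rng.sample(decoy_pool, DECOYS))
    rng.shuffle(grid)
    top = [f"{rng.randrange(100):02d}" for _ in range(SIDE)]
    left = [f"{rng.randrange(100):02d}" for _ in range(SIDE)]
    return {"grid": grid, "top": top, "left": left, "pass_images": pass_images}


def code_for_positions(challenge, positions):
    """Read the eight-digit code off the edges for two grid positions."""
    digits = ""
    for pos in sorted(positions):
        row, col = divmod(pos, SIDE)
        digits += challenge["top"][col] + challenge["left"][row]
    return digits


def expected_code(challenge):
    """Server side: the code a user who knows the pass images will read."""
    positions = [challenge["grid"].index(img) for img in challenge["pass_images"]]
    return code_for_positions(challenge, positions)


def verify_login(record, challenge, pattern, code):
    """Check both factors; constant-time comparison avoids timing leaks."""
    pattern_ok = hmac.compare_digest(pattern, record["pattern"])
    code_ok = hmac.compare_digest(code, expected_code(challenge))
    return pattern_ok and code_ok


def blind_guess_probability():
    """An attacker who already has the pattern but not the images must pick
    the right 2 of 16 positions: 1 / C(16, 2) = 1/120 per attempt. The grid
    alone is low-entropy, so attempt limits on code entry are essential."""
    return 1 / comb(GRID_SIZE, SECRET_IMAGES_SHOWN)


if __name__ == "__main__":
    rng = secrets.SystemRandom()          # production: OS randomness
    record = enrol("constructed-pattern", rng)
    challenge = build_challenge(record, rng)
    for r in range(SIDE):
        print(challenge["left"][r], challenge["grid"][r * SIDE:(r + 1) * SIDE])
    print("top labels:", challenge["top"])
    print("expected code:", expected_code(challenge))
    print("blind guess per attempt:", blind_guess_probability())
```

The functions take the random source as a parameter so that tests can use a seeded `random.Random` while a deployment passes `secrets.SystemRandom()`; the distractor pool deliberately excludes the user's own picks so the same-theme images are never ambiguous.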

Initial tests have shown the system to be easy to remember for users, while security analysis showed just eight of the 690 attempted hackings were genuinely successful, with a further 15 achieved through coincidence.

Dr Maria Papadaki, Lecturer in Network Security at Plymouth University and director of the PhD research study, said: "In order for online security to be strong it needs to be difficult to hack, and we have demonstrated that using a combination of graphics and one-time password can achieve that. This also provides a low cost alternative to existing token-based multi-factor systems, which require the development and distribution of expensive hardware devices. We are now planning further tests to assess the long-term effectiveness of the GOTPass, and more detailed aspects of usability."

More information: H. Alsaiari et al. Secure Graphical One Time Password (GOTPass): An Empirical Study, Information Security Journal: A Global Perspective (2015). DOI: 10.1080/19393555.2015.1115927

antialias_physorg
5 / 5 (2) Dec 23, 2015
Initial tests have shown the system to be easy to remember for users, while security analysis showed just eight of the 690 attempted hackings were genuinely successful, with a further 15 achieved through coincidence.

Is it just me or does a 23 out of 690 failure rate seem not particularly secure for a system that is rather convoluted/time-consuming for the user?

It's also pointless to delineate genuinely successful hacking from coincidental hacking. If the hacker gets in he gets in - whether it was an accident or planned is beside the point.

From their analysis it seems that just going at it with a shotgun (pure luck) instead of a structured hacking attack is twice as likely to succeed. I.e. this is hackable by unskilled hackers better than by intentional ones.
