University of Plymouth plans to exchange passwords for pictures
UK researchers could improve security and overcome password fatigue
UK scientists have developed a way for ordinary users to overcome the problem of reusing the same password on multiple sites as well as having to remember a host of passwords.
The researchers, based at the University of Plymouth, said that password fatigue could be addressed by using a combination of images and one-time numerical codes to gain access to systems.
Working out of the Centre for Security Communication and Network Research (CSCAN), the researchers believe that this new multi-level authentication system, GOTPass (Graphical One Time Password), could be effective in protecting personal online information from hackers.
They claim the system could also be easier for users to remember, and be less costly for providers to implement since it would not require the deployment of potentially costly hardware systems.
The system would enable users to choose a unique username and draw any shape on a 4x4 unlock pattern, similar to that already used on mobile devices. They would then be assigned four random themes and prompted to select one image from 30 in each.
When logging into an account, the user would enter their username and draw the pattern lock, with the next screen containing a series of 16 images, among which are two of their selected images, six associated distractors and eight random decoys.
If the user identifies the correct two images, this would then generate an eight-digit random code located on the top or left edges of the login panel which the user would then need to type in to gain access to their information.
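The enrolment and login rounds described above, as an added toy simulation that is not the University of Plymouth's code. It assumes that the "associated distractors" are other images from the same themes as the two displayed secret images, that the "decoys" come from themes not shown in that round, and that the eight-digit code is simply generated server-side once the tile selection is correct; the theme names and image labels are constructed for the example.

```python
"""Toy simulation of GOTPass-style enrolment and login (added example).

Assumptions (not stated by the article): distractors share a theme with a
displayed secret image, decoys come from themes not shown in the round, and
the eight-digit code is generated after a correct tile selection.
"""
import random
import secrets
from math import comb

GRID = 4            # 4x4 unlock pattern, one index 0..15 per cell
IMAGES_PER_THEME = 30

# Constructed image catalogue: hypothetical theme names and image labels.
CATALOGUE = {
    theme: [f"{theme}_{i:02d}" for i in range(IMAGES_PER_THEME)]
    for theme in ("animals", "buildings", "food", "vehicles", "plants", "sports")
}


def make_rng(seed=None):
    """Seedable source of randomness so a round can be reproduced."""
    return random.Random(seed)


def enrol(username, pattern, rng):
    """Registration: validate the drawn pattern, assign four random themes,
    and record the one image the user picks in each (picked at random here)."""
    cells = GRID * GRID
    if not 2 <= len(pattern) <= cells or len(set(pattern)) != len(pattern):
        raise ValueError("pattern must visit at least two distinct cells")
    if any(not 0 <= c < cells for c in pattern):
        raise ValueError("pattern cell out of range")
    themes = rng.sample(sorted(CATALOGUE), 4)
    chosen = {t: rng.choice(CATALOGUE[t]) for t in themes}
    return {"username": username, "pattern": tuple(pattern), "chosen": chosen}


def build_challenge(enrolment, rng):
    """Server side of one login round: 16 tiles = 2 of the user's images,
    6 distractors from those two themes, 8 decoys from other themes."""
    shown = rng.sample(sorted(enrolment["chosen"]), 2)
    secret_tiles = [enrolment["chosen"][t] for t in shown]
    distractors = []
    for t in shown:
        others = [img for img in CATALOGUE[t] if img != enrolment["chosen"][t]]
        distractors += rng.sample(others, 3)
    decoy_pool = [img for t, imgs in CATALOGUE.items()
                  if t not in shown for img in imgs]
    decoys = rng.sample(decoy_pool, 8)
    tiles = secret_tiles + distractors + decoys
    rng.shuffle(tiles)
    return {"tiles": tiles, "expected": frozenset(secret_tiles)}


def verify_login(enrolment, username, pattern, selected, challenge):
    """Check username, pattern and the two picked tiles; on success issue the
    eight-digit one-time code the user must type to complete the login."""
    ok = (username == enrolment["username"]
          and tuple(pattern) == enrolment["pattern"]
          and len(selected) == 2
          and frozenset(selected) == challenge["expected"])
    if not ok:
        return None
    return f"{secrets.randbelow(10 ** 8):08d}"


def guess_probability():
    """Chance of blindly picking the right 2 of 16 tiles in one round."""
    return 1 / comb(16, 2)


if __name__ == "__main__":
    rng = make_rng(7)
    user = enrol("alice", [0, 1, 5, 10, 15], rng)
    round_ = build_challenge(user, rng)
    print("tiles shown:", round_["tiles"])
    code = verify_login(user, "alice", [0, 1, 5, 10, 15],
                        sorted(round_["expected"]), round_)
    print("one-time code:", code)
    print("blind-guess success per round:", guess_probability())
```

The simulation makes the stated structure concrete: a blind guess at the image step succeeds in 1 of 120 rounds, which is why the pattern lock and the typed one-time code are layered in front of and behind it, and why a deployment would still need lockout or rate limiting on repeated failed rounds.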
Initial tests of the system have shown it to be easy for users to remember, while security analysis showed just eight of the 690 attempted hackings were genuinely successful, with a further 15 achieved through coincidence.
"In order for online security to be strong it needs to be difficult to hack, and we have demonstrated that using a combination of graphics and one-time password can achieve that. This also provides a low-cost alternative to existing token-based multi-factor systems, which require the development and distribution of expensive hardware devices," added Dr Maria Papadaki, a lecturer in network security at Plymouth University and director of the study.
"We are now planning further tests to assess the long-term effectiveness of the GOTPass system, and more detailed aspects of usability."
David Ferbrache, technical director at KPMG's cyber-security practice, told SCMagazineUK.com that passwords are “broken”.
“They have become one of the weakest links in our security chain,” he said. “People are being forced to adopt more and more convoluted passwords, while simultaneously trying to avoid the temptation to reuse those super strong passwords.
“It is high time we moved to a more sophisticated approach to authenticating people which blends biometrics, behavioural analysis and contextual information rather than relying on knowledge of a single, increasingly user-unfriendly password.”