The project has been built by researchers at the University of Plymouth and is known as GOTPass. It is based around a pattern lock — similar to the feature already available on Android smartphones — and memorable pictures or emoji.
When the user needs to login to their device, they draw their pattern as usual. A grid of 16 different emoji and icons is then displayed. Two of the images are selected from ones the user picked during setup. Tapping the two correct icons generates a one-time passcode that can be used to gain access to the device.
Unlike other techniques used to enforce two-factor authentication, GOTPass does not require two different devices to be used. The entire process can be completed in the login form of an app, website or phone. The researchers suggest this makes it useful for services like online banking which are often accessed on the go when a user may not have more than one device with them.
In tests conducted by the research group, hackers managed to break through the system 23 times out of 690 attempts, suggesting GOTPass is an effective way to maintain security in around 97 percent of attacks. Further analysis showed only eight of the 23 attacks were “genuinely successful” demonstrations of hacking as the remaining 15 were later discovered to have been coincidental.
University of Plymouth PhD student Hussain Alsaiari, the leader of the study, said: “Traditional passwords are undoubtedly very usable but regardless of how safe people might feel their information is, the password’s vulnerability is well known. There are alternative systems out there, but they are either very costly or have deployment constraints which mean they can be difficult to integrated with existing systems while maintaining user consensus. The GOTPass system is easy to use and implement, while at the same time offering users confidence that their information is being held securely.”
Feedback from users has so far been positive. Pictures and symbols are easier to remember than lengthy passwords but can still provide the same level of security as the ubiquitous phrases, if deployed correctly.
Dr Maria Papadaki, Lecturer in Network Security at Plymouth University and director of the study, said: “In order for online security to be strong it needs to be difficult to hack, and we have demonstrated that using a combination of graphics and one-time password can achieve that. This also provides a low cost alternative to existing token-based multi-factor systems, which require the development and distribution of expensive hardware devices. We are now planning further tests to assess the long-term effectiveness of the GOTPass system, and more detailed aspects of usability.”
Systems such as GOTPass are likely to become more popular in the future as consumers and businesses adopt emerging authentication technologies. A report earlier this month concluded passwords are likely to remain the most popular authentication method for devices and services until at least 2025 though, indicating it will take time to get people using methods like GOTPass.
