New Security Login Invention Replaces Passwords With Images
A new security login system developed at Plymouth University
uses patterns drawn and images chosen by the user combined with a one time numerical code
instead of traditional passwords.
Researchers at Plymouth University’s Centre for
Security Communication and Network Research (CSCAN) have developed the system, called GOTPass, which
it is hoped could increase security, reduce costs and make it easier for users to
How Does It Work?
The system involves setting up an account by creating a username, by drawing a pattern in a 4 x 4
grid, and by choosing one image from 4 different themes. When a person then needs to log in to a
website using the system they will be asked to enter their pattern and to choose 2 images from
those presented to them that relate to the image theme they chose on sign up. If this first
stage is successful the user is then given an 8-digit, randomly generated ‘one time use’ code that
they can use to log in with.
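The two-stage flow described above, sketched as a server-side model. This is an added example, not GOTPass code: the class and method names, the constructed image catalogue, the 16-image panel (2 enrolled images among 14 decoys) and the PBKDF2 storage of the pattern are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Constructed catalogue: 4 themes x 8 image ids (the real image set is not on the page).
THEMES = {t: [f"{t}-{i}" for i in range(8)] for t in ("food", "animals", "sport", "places")}
rng = secrets.SystemRandom()

def _kdf(salt, pattern):
    # Salted, slow hash so a leaked user table does not reveal the drawn pattern directly.
    return hashlib.pbkdf2_hmac("sha256", ",".join(map(str, pattern)).encode(), salt, 100_000)

class GOTPassModel:  # hypothetical name
    def __init__(self):
        self.users, self.challenges, self.otps = {}, {}, {}

    def enrol(self, user, pattern, images):
        # pattern: ordered cells 0..15 of the 4 x 4 grid; images: {theme: image id}.
        if len(set(pattern)) != len(pattern) or not all(0 <= c < 16 for c in pattern):
            raise ValueError("invalid pattern")
        if set(images) != set(THEMES) or any(images[t] not in THEMES[t] for t in images):
            raise ValueError("need one image from each theme")
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _kdf(salt, pattern), set(images.values()))

    def challenge(self, user):
        # Assumed panel layout: 2 of the enrolled images hidden among 14 decoys.
        mine = self.users[user][2]
        targets = rng.sample(sorted(mine), 2)
        decoys = [i for pool in THEMES.values() for i in pool if i not in mine]
        panel = targets + rng.sample(decoys, 14)
        rng.shuffle(panel)
        self.challenges[user] = set(targets)
        return panel

    def respond(self, user, pattern, picks):
        # Stage 1: pattern and both images must match; the challenge is consumed either way.
        expected = self.challenges.pop(user, None)
        salt, stored, _ = self.users[user]
        ok = hmac.compare_digest(stored, _kdf(salt, pattern))
        if not (ok and expected is not None and set(picks) == expected):
            return None
        self.otps[user] = f"{secrets.randbelow(10**8):08d}"  # 8-digit one-time code
        return self.otps[user]

    def redeem(self, user, otp):
        # Stage 2: the code is discarded on the first attempt, right or wrong.
        issued = self.otps.pop(user, None)
        return issued is not None and hmac.compare_digest(issued.encode(), otp.encode())
```

Consuming the challenge and the code on every attempt means each guess costs an attacker a fresh panel, and a captured code cannot be replayed.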
Is It Likely To Be
The measures for success with the GOTPass
system are likely to be whether it stops hacks, whether it’s easy for people to use, and whether
it’s easy and affordable for website owners to implement.
Results published in
the Information Security Journal: A Global Perspective by the system’s developers showed that it
stopped 97% of hacks out of 690 attempts. These figures indicate that it could prove very
effective at preventing hackers. It is also the case that the vulnerability of just a password
is well known and well established judging by the numbers and frequency of hacks on password based
In terms of how easy it is for us to use, drawing a pattern is not
complicated or particularly time consuming and many people are familiar with an unlock
pattern on a smartphone. Picking themed images is also relatively simple, and meaningful images
are arguably easier to recall than a series of letters and numbers.
Most of us
are also familiar with multi-step online login processes (CAPTCHA, verifying email accounts,
texting of PINs etc), and in the light of recent high profile hacks (JD Wetherspoon and TalkTalk)
it is unlikely that we would object strongly to better online security. With new data protection
regulations due in 2017, it is also likely that organisations will favour systems that can save
them from the lawsuit and reputation damage fallout that hacks can bring.
In terms of cost of implementation, the GOTPass system does not require the relatively expensive
hardware devices that current token-based multi-factor systems do, and therefore it has the
potential to be relatively inexpensive.
The developers of the GOTPass system are now
reported to be carrying out further tests to maximise ease of use and to establish the long term