New Security Login Invention Replaces Passwords With Images

A new security login system developed at Plymouth University uses patterns drawn and images chosen by the user combined with a one time numerical code instead of traditional passwords.

Researchers at Plymouth University’s Centre for Security Communication and Network Research (CSCAN) have developed the system called GOTPass which it is hoped could increase security, reduce costs and make it easier for users to remember.

How Does It Work?

Using this system involves setting up an account by creating a username, by drawing a pattern in a 4 x 4 grid, and by choosing one image from 4 different themes. When a person then needs to log in to a website using the system they will be asked to enter their pattern and to choose 2 images from those presented to them that relate to the image theme they chose on sign up. If this first stage is successful the user is then given an 8 digit, randomly generated ‘one time use’ code that they can use to log in with.

Is It Likely To Be Successful?

The measures for success with the GOTPass system are likely to be whether it stops hacks, whether it’s easy for people to use, and whether it’s easy and affordable for website owners to implement.

Results published in the Information Security Journal: A Global Perspective by the system’s developers showed that it stopped 97% cent of hacks out of 690 attempts. These figures indicate that it could prove very effective at preventing hackers. It is also the case that the vulnerability of just a password is well known and well established judging by the numbers and frequency of hacks on password based systems.

In terms of how easy it is for us to use, drawing a pattern is not complicated or time particularly time consuming and many people are familiar with an unlock pattern on a smartphone. Picking themed images is also relatively simple, and meaningful images are arguably easier to recall than a series of letters and numbers.

Most of us are also familiar with multi-step online login processes (CAPTCHA, verifying email accounts, texting of PINs etc), and in the light of recent high profile hacks (JD Wetherspoon and TalkTalk) it is unlikely that we would object strongly to better online security. With new data protection regulations due in 2017, it is also likely that organisations will favour systems that can save them from the lawsuit and reputation damage fallout that hacks can bring.

In terms of cost of implementation, the GOTPass system does not require the relatively expensive hardware devices that current token-based multi-factor systems do, and therefore it has the potential to be relatively inexpensive.

More Tests

The developers of the GOTPass system are now reported to be carrying out further tests to maximise ease of use and to establish the long term effectiveness.