Rethinking password security
A new study by Plymouth University suggests that using a combination of pictures and one-time numerical codes could be more secure and easier to use than today’s commonly used multi-factor methods that rely on passwords.
The new multi-level authentication system is called GOTPass. One of its advantages is that it doesn’t require potentially costly hardware systems or accessories like USB authenticators. Instead, users would choose a unique username and draw any shape on a 4×4 unlock pattern, much like a typical smartphone lock screen. They would then be shown four random themes with 30 images each and be required to pick a single image from each one.
Once that’s been taken care of, future login attempts would consist of the user typing in their username and drawing their unlock pattern. They’d then be shown a screen with 16 images containing two of their selected pictures, six associated distractions, and eight random decoys. After selecting the two correct images, the user would be given a randomly generated eight-digit code to log into their account.
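The image stage of that login flow can be modelled in a few lines of Python. This is an added example, not code from the Plymouth study or from GOTPass itself: it represents images as (theme, index) pairs, and it assumes that the six distractors are unchosen images from the user's own themes and that the eight decoys come from unrelated themes. All function names are hypothetical.

```python
import secrets
from math import comb

rng = secrets.SystemRandom()   # CSPRNG-backed sampling and shuffling

THEMES = 4       # themes shown at enrolment (from the article)
PER_THEME = 30   # images per theme (from the article)

def enroll():
    """Pick one image per theme; an image is a (theme, index) pair."""
    return [(t, rng.randrange(PER_THEME)) for t in range(THEMES)]

def build_challenge(chosen):
    """Return (grid, expected): 2 chosen + 6 distractors + 8 decoys = 16."""
    expected = rng.sample(chosen, 2)
    # Assumption: distractors are unchosen images from the user's own themes.
    # Excluding every chosen image keeps exactly two of them in the grid.
    own = [(t, i) for t in range(THEMES) for i in range(PER_THEME)
           if (t, i) not in chosen]
    distractors = rng.sample(own, 6)
    # Assumption: decoys come from unrelated themes (numbered 4..7 here).
    other = [(t, i) for t in range(THEMES, 2 * THEMES)
             for i in range(PER_THEME)]
    decoys = rng.sample(other, 8)
    grid = expected + distractors + decoys
    rng.shuffle(grid)          # position must not reveal the answer
    return grid, set(expected)

def verify(picked, expected):
    """Pass only if exactly the two expected images were picked."""
    return len(picked) == 2 and set(picked) == expected

def issue_code():
    """Eight-digit one-time code, zero-padded, drawn from a CSPRNG."""
    return f"{secrets.randbelow(10**8):08d}"

def blind_guess_odds():
    """Chance of passing the image stage by picking 2 of 16 at random,
    i.e. for someone who already knows the username and pattern."""
    return 1 / comb(16, 2)     # 1 in 120

if __name__ == "__main__":
    chosen = enroll()
    grid, expected = build_challenge(chosen)
    if verify(list(expected), expected):
        print("one-time code:", issue_code())
    print("blind guess odds: 1 in", round(1 / blind_guess_odds()))
```

The 1-in-120 figure covers the image grid alone, so the username and unlock pattern carry the rest of the resistance to guessing.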
It’s basically a new take on two-factor authentication, but without additional hardware. And though it sounds like a complicated process, it’s pretty easy after the initial setup. It’s also more secure, the study says — in a series of security tests involving 690 hacking attempts, there were 23 break-ins using this method. Only eight of those were genuinely successful, with the other 15 “achieved through coincidence.”
“Traditional passwords are undoubtedly very usable but regardless of how safe people might feel their information is, the password’s vulnerability is well known. There are alternative systems out there, but they are either very costly or have deployment constraints which mean they can be difficult to integrate with existing systems while maintaining user consensus. The GOTPass system is easy to use and implement, while at the same time offering users confidence that their information is being held securely,” PhD student and study lead Hussain Alsaiari said.
Expect to see more of this kind of thing as companies look for more secure methods than simple password input. Companies like Google and Yahoo (Account Key) have been testing alternatives, and according to a survey earlier this year, most people are open to the idea of moving on from passwords as a whole.