Authentication Method Using Pictures Instead Of Passwords Defended Against 98 Percent Of Attacks

Authentication Method Using Pictures Instead Of Passwords Defended Against 98 Percent Of Attacks

Memorizing several passwords for multiple accounts is not really something that the average Internet user wants to do. Researchers from the University of Plymouth in the United Kingdom want passwords to be replaced with pictures.

The researchers want to solve the problem of Internet users who need to remember more than one password that often needs to be typed in every day. For instance, a user might use different passwords for a Facebook (NASDAQ: FB) account and their Twitter (NASDAQ: TWTR) account.

Dubbed as GOTPass or Graphical One Time Password, it seeks to end the problem of the so-called password fatigue. The study was published in the Information Security Journal: A Global Perspective.

Possible Replacement For Multi-Factor Methods

Media and Communications Officer Alan Williams wrote about the new study from the university's Centre for Security Communication and Network Research. The new method would use images and a one-time numerical code that would hopefully replace multi-factor methods.

The user will type a one-tine number code that will depend on the system's generated sequence of confidential images in a pre-determined image format. To demonstrate its ability, the researchers simulated hacking attacks.

Nearly Unhackable

Impressively, 98 percent of the 690 attempts to penetrate the GOTPass system failed, according to Hacked. The researchers used three different types of attacks: intersection, guessing and shoulder-surfing. This leaves about 13 successful attacks.

GOTPass uses a 4 x 4 grid, which can be familiar to Android phone owners who use the unlock pattern scheme. The user will choose a pattern and then select an image from 30 random emoji like pictures.

Once four grid images are chosen, the passcode is then generated. The method strays a bit far from the usual password generation method where the user decides what phrase or combination of numbers and letters to put in.

At first, the GOTPass login process can be intimidating. The user would need to input the username and then the chosen pattern lock. It doesn't end there.

Next, 16 images are generated, two of which should be familiar for the user as they have been chosen when they generated their passwords. Once the correct images are selected by the user, the one-time passcode will be shown and should be entered.

GOTPass vs Traditional Password Systems

Traditional passwords are effective when hackers were not that prevalent decades ago. A simple Nokia 3310 bar phone could be protected by a PIN whenever it is turned on. The only way for another person to know the PIN was to watch when the user types it in or through a complicated method using various cables and software.

As handsets started to evolve, security has become more of an issue. With new features and specifications, phones became harder to protect.

Smartphones today can be easily connected to a computer. Because of easy connectivity, hackers can easily change settings and unlock phones using customized software or some Android Debug Bridge codes.

Simple passwords can now be easily cracked using brute force attacks with the help of password dictionaries, which are often formed from leaked databases in the Internet. Social engineering can even be used to simply dupe the user into giving out information or even the password itself.

Expensive Alternative Systems

Ph.D. student Hussain Alsaiari said that there are already alternative password systems that can be used to secure accounts and databases. However, such systems are very costly and often have constraints when it comes to deployment methods.

"There are alternative systems out there, but they are either very costly or have deployment constraints which mean they can be difficult to integrate with existing systems while maintaining user consensus. The GOTPass system is easy to use and implement, while at the same time offering users confidence that their information is being held securely," said Alsaiari.

Google's Password-Free Method

Google (NASDAQ: GOOG) has been reportedly testing a new method that would eliminate passwords in the security equation. The search engine giant wants their user's smartphones to be the "password" needed to log in on an account.

When a Google user enters a username, the system would notify the registered smartphone. The account will only be opened once the user confirms the login from the smartphone.

If the smartphone is not available, a password could still be used to login, which really defeats the whole purpose of the no password method. Google could still be tinkering with the method.

Emoji Passcodes

While the GOTPass uses emoji like images, there is already a British firm that offers an emoji passcode service for banks. The method literally uses emojis as a passcode instead of the usual text phrase or number combination.

One good reason the firm believes why the emoji method is more effective than the traditional password is the huge number of unique combinations. They believe that it would be harder to crack for hackers, but they did not say that it was entirely impossible to do so.

Effective Security Systems Must Be Harder to Crack

Both the emoji passcode service and GOTPass are indeed harder to crack. Dr Maria Papadaki, who directed the study, believes that not only is the GOTPass method difficult to penetrate, it is also cheaper to implement for companies and enterprises.

"In order for online security to be strong it needs to be difficult to hack, and we have demonstrated that using a combination of graphics and one-time password can achieve that. This also provides a low cost alternative to existing token-based multi-factor systems, which require the development and distribution of expensive hardware devices. We are now planning further tests to assess the long-term effectiveness of the GOTPass system, and more detailed aspects of usability," said Dr Papadaki in the official Plymouth University blog post.

Researchers and tech companies seem to be testing the waters for newer methods to protect everyone from malicious attackers. They have enough reason to do so as 2015 was not a good year for cyber security.

Hackers have increased their attacks not only on personal computer users, but also for mobile device owners and even government systems as well. Choosing a solid authentication method is just the first line of defence for such attacks.

The paper is titled "Secure Graphical One Time Password (GOTPass): An Empirical Study". It was authored by H. Alsaiari, M. Papadaki, Dr Paul Dowland and Prof Steven Furnell.





Scroll to Top