
Researchers from the Centre for Security Communication and Network Research (CSCAN) at Plymouth University have developed a new system for secure, multi-level authentication that could replace cumbersome hardware, software, and one-time password solutions.

The developers behind the system, dubbed GOTPass, believe it could be an effective measure to protect personal online information from cyber criminals. The system combines a one-time numerical code with a unique image chosen by the user. It could be easier for users to remember, and less expensive for providers, as it would not require the deployment of costly hardware solutions.

To set up GOTPass, users would need to choose a unique username and draw a shape on a 4×4 unlock pattern, similar to the system used on smartphones. Next, they would be assigned four random image sets and would need to pick one image from a selection of thirty in each set.

To log in to their account, users would enter their username and draw the unlock pattern. On the next screen, 16 images appear: two of their previously chosen images, six associated distractors, and eight random decoys. Once a user correctly identifies the two pre-selected images, a randomly generated eight-digit code appears that the user would need to type to gain access to their account.

In testing of 690 attempts to hack accounts protected by GOTPass, only 23 were successful. Further analysis revealed that just eight of those were genuinely successful, with another 15 gaining access through coincidence.

“In order for online security to be strong it needs to be difficult to hack, and we have demonstrated that using a combination of graphics and one-time password can achieve that. This also provides a low-cost alternative to existing token-based multi-factor systems, which require the development and distribution of expensive hardware devices. We are now planning further tests to assess the long-term effectiveness of the GOTPass system, and more detailed aspects of usability,” said Dr Maria Papadaki, lecturer in Network Security at Plymouth University.