New Google sign in and GOTPass to make signing in easier and more secure | tech | Hindustan Times

tech Updated: Dec 25, 2015 16:29 IST

Researchers from the Centre for Security Communication and Network Research (CSCAN) believe their new multi-level authentication system called GOTPass could be effective in protecting personal online information from hackers. It could also be easier for users to remember and less expensive for providers to implement. (Pixabay)

The option to log in on websites like Zomato and BookMyShow through Google or Facebook has helped cut down on the number of passwords one needs to remember. However, images and codes, which provide a more secure alternative, are set to make the multi-device password system history.

According to a new study by Plymouth University, a system using images and a one-time numerical code could provide a more secure and easy-to-use alternative to multi-factor methods dependent on hardware, software or one-time passwords.

Researchers from the Centre for Security Communication and Network Research (CSCAN) believe their new multi-level authentication system — called GOTPass — could be effective in protecting personal online information from hackers. It could also be easier for users to recall and less expensive for providers to implement.

The system would be applicable for online banking and other such services, where users with several accounts struggle to carry around multiple devices to gain access, researchers said.

They also published the results of a series of security tests that demonstrated 23 successful attempts out of 690 hacking attempts. The hacking methods involved a wide range of guesswork as well as more targeted methods.

Hussain Alsaiari, who led the study, said that the GOTPass system is easy to use and implement, while offering users the confidence that their information is being held securely.

Getting through GOTPass

To set up the GOTPass system, users would have to choose a unique username and draw any shape on a 4x4 unlock pattern, similar to that already used on mobile devices.

They will then be assigned four random themes, being prompted to select one image from 30 in each.

When they subsequently log in to their account, the user would enter their username and draw the pattern lock, with the next screen containing a series of 16 images, among which are two of their selected images, six associated distractors and eight random decoys.

Correctly identifying the two images generates the eight-digit random code located on the top or left edges of the login panel which the user would then need to type in to gain access to their information.
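As an added illustration (not code from the study or from this article), the sketch below models the image stage of the login described above: enrolment with four themes of 30 images, a 16-image panel of two pass-images, six distractors and eight decoys, and the odds of picking the right pair blindly. The catalogue size of 12 themes, the rule that distractors come from the user's own themes and decoys from other themes, and all function names are assumptions.

```python
import itertools
import secrets

rng = secrets.SystemRandom()
THEMES, PER_THEME = 12, 30  # 30 per theme is from the article; 12 themes is assumed

def enroll():
    """Assign four random themes and pick one pass-image (theme, index) in each."""
    themes = rng.sample(range(THEMES), 4)
    return [(t, rng.randrange(PER_THEME)) for t in themes]

def build_panel(pass_images):
    """Return (panel, shown): 16 shuffled images = 2 pass + 6 distractors + 8 decoys."""
    shown = rng.sample(pass_images, 2)
    user_themes = {t for t, _ in pass_images}
    # Assumption: "associated distractors" are other images from the user's themes.
    same_theme = [(t, i) for t in user_themes for i in range(PER_THEME)
                  if (t, i) not in pass_images]
    # Assumption: "random decoys" are images from themes the user was not assigned.
    other = [(t, i) for t in range(THEMES) if t not in user_themes
             for i in range(PER_THEME)]
    panel = shown + rng.sample(same_theme, 6) + rng.sample(other, 8)
    rng.shuffle(panel)
    return panel, set(shown)

def image_stage_ok(shown, picked):
    """Server-side check: exactly the two pass-images on this panel were picked."""
    return len(picked) == 2 and set(picked) == shown

def blind_guess_odds(panel, shown):
    """Count how many unordered pairs on the panel would pass the image stage."""
    pairs = list(itertools.combinations(panel, 2))
    hits = sum(image_stage_ok(shown, p) for p in pairs)
    return hits, len(pairs)

if __name__ == "__main__":
    secret = enroll()
    panel, shown = build_panel(secret)
    hits, total = blind_guess_odds(panel, shown)
    print(f"panel size: {len(panel)}, passing pairs: {hits} of {total}")
```

With two pass-images among 16, exactly one of the 120 possible pairs is correct, so this stage taken alone depends on limiting the number of attempts per account.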

Initial tests have shown the system to be easy to remember for users, while security analysis showed just eight of the 690 attempted hackings were genuinely successful, with a further 15 achieved through coincidence.

The study appears in Information Security Journal: A Global Perspective.

Google’s new authentication method:

While GOTPass cuts costs by eliminating the need for hardware in the authentication process, Google is putting the phone at the centre of its authentication. Google account holders are receiving invitations to try out a new login method. User RP1226 on Reddit shared the steps involved in the new login method on the website.

RP1226 shared the new authentication method being tested by Google on Reddit.

“You go into a computer and type in your email. Then you get a message on your phone to allow the login. If you hit yes, the computer logs into your Google account without a password.

Go to google.com to test out the log in. (granted that I’m not logged in.)

Enter in email address into sign in page and hit next.

Next page tells you to check your phone and enter the challenge. (I had tried this this morning and it didn’t ask me to enter a challenge. But as I was going through the process this time, I had a challenge.)

On the phone I get a notification “Trying to sign in?”

Opening the notification I’m asked if I’m trying to sign in from another computer. I answer yes.

Next I have to enter the challenge. In this case the number on the screen is 21.

Now on my computer, I’m logged into the google page.”

The thought behind the new authentication process is to make it convenient by linking the process to a device we always carry. It resembles the OTP process for card and online banking transactions and addresses the issues that plague these processes.

Unlike the OTP method, the new sign-in method is linked to your phone instead of the SIM card. So, when you change your phone, Google will have to be informed about it.

In case you lose your phone, we hope that you have a lock-screen password that’s not “0000” because the person who finds it could potentially access your account using the phone. In that case, use device manager to locate your phone and lock/track it remotely or just de-register from the service.

But how will you sign in to your account if you don’t have a phone? On the desktop site, even if you are trying out the new sign-in method that needs your phone to vouch for you, you can always click on the ‘use password instead’ option. This will also be helpful when your phone is dead and you desperately need to sign in.

Also, you can turn off the ‘use your phone to sign in’ feature from the Sign in and Security section in Google Accounts. This makes the method more of a quick sign-in option to eliminate typing out passwords while keeping your accounts secure.

However, the true mettle of the method will only be tested when it comes out of the invite system and hackers begin to target it.
