Bootstrapping Adoption of the Pico Password Replacement System
In previous work we presented Pico, an authentication system designed to be both more usable and more secure than passwords. One unsolved problem was that Pico, in its quest to explore the whole solution space without being bound by compatibility shackles, requires changes at both the prover and the verifier, which makes it hard to convince anyone to adopt it: users won’t buy an authentication gadget that doesn’t let them log into anything, and service providers won’t support a system that no users are equipped to log in with. In this paper we present three measures to break this vicious circle, starting with the “Pico Lens” browser add-on, which rewrites websites on the fly so that they appear Pico-enabled. Our add-on offers the user most (though not all) of the usability and security benefits of Pico, thus fostering adoption by users even before service providers are on board. This will enable Pico to build up a user base. We also developed a server-side Wordpress plugin, which can serve both as a reference example and as a useful enabler in its own right (as Wordpress is one of the leading content management platforms on the web). Finally, we developed a software version of the Pico client running on a smartphone, the Pico App, so that people can try out Pico (at the price of slightly reduced security) without having to acquire and carry another gadget. Having broken the vicious circle, we’ll be in a stronger position to persuade providers to offer support for Pico in parallel with passwords.
Keywords: Vicious Circle, Authentication Protocol, Visual Code, Content Management System, Password Manager
We gratefully acknowledge the European Research Council for funding this research under grant 307224.
We also thank Roel Peeters et al. for their independent implementation of Pico and for sharing pre-publication drafts of their work “Towards Building the Pico: The Security Perspective” (still in submission at the time of writing), from which we adopted the SIGMA-I protocol for mutual authentication.