Pico: No More Passwords!

  • Frank Stajano
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7114)


From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different, regularly changed and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can’t abandon passwords until we come up with an alternative method of user authentication that is both usable and secure.

We present an alternative design based on a hardware token called Pico that relieves the user from having to remember passwords and PINs. Unlike most alternatives, Pico doesn’t merely address the case of web passwords: it also applies to all the other contexts in which users must at present remember passwords, passphrases and PINs. Besides relieving the user from memorization efforts, the Pico solution scales to thousands of credentials, provides “continuous authentication” and is resistant to brute force guessing, dictionary attacks, phishing and keylogging.


Smart Card Security Protocol Visual Code Docking Station Secure Socket Layer 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adams, A., Angela Sasse, M.: Users are not the enemy. Communications of the ACM 42(12), 40–46 (1999), CrossRefGoogle Scholar
  2. 2.
    Anderson, R., Bond, M.: The Man-in-the-Middle Defence. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols. LNCS, vol. 5087, pp. 153–156. Springer, Heidelberg (2009), CrossRefGoogle Scholar
  3. 3.
    Beautement, A., Angela Sasse, M., Wonham, M.: The compliance budget: managing security behaviour in organisation. In: Proc. New Security Paradigms Workshop 2008, pp. 47–58. ACM (2008),
  4. 4.
    Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: Proc. 9th Workshop on the Economics of Information Security (June 2010),
  5. 5.
    Choudary, O.: The Smart Card Detective: a hand-held EMV interceptor. Master’s thesis, University of Cambridge (2010),
  6. 6.
    Corner, M.D., Noble, B.D.: Zero-interaction authentication. In: Proc. ACM MobiCom 2002, pp. 1–11 (2002),
  7. 7.
    Desmedt, Y., Burmester, M., Safavi-Naini, R., Wang, H.: Threshold Things That Think (T4): Security Requirements to Cope with Theft of Handheld/Handless Internet Devices. In: Proc. Symposium on Requirements Engineering for Information Security (2001)Google Scholar
  8. 8.
    Desmedt, Y., Jajodia, S.: Redistributing Secret Shares to New Access Structures and Its Applications. Tech. Rep. ISSE-TR-97-01, George Mason University (July 1997),
  9. 9.
    Drimer, S., Murdoch, S.J.: Keep your enemies close: distance bounding against smartcard relay attacks. In: Proc. USENIX Security Symposium, pp. 87–102 (August 2007),
  10. 10.
    Florêncio, D., Herley, C.: One-Time Password Access to Any Server without Changing the Server. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 401–420. Springer, Heidelberg (2008), CrossRefGoogle Scholar
  11. 11.
    Florêncio, D., Herley, C.: Where do security policies come from? In: Proc. SOUPS 2010, pp. 10:1–10:14. ACM (2010),
  12. 12.
    Florêncio, D., Herley, C., Coskun, B.: Do strong web passwords accomplish anything? In: Proc. USENIX HOTSEC 2007, pp. 10:1–10:6 (2007),
  13. 13.
    Hancke, G.P., Kuhn, M.G.: An RFID Distance Bounding Protocol. In: Proc. IEEE SECURECOMM 2005, pp. 67–73 (2005),
  14. 14.
    Hao, F., Anderson, R., Daugman, J.: Combining Crypto with Biometrics Effectively. IEEE Transactions on Computers 55(9), 1081–1088 (2006), CrossRefGoogle Scholar
  15. 15.
    Herley, C.: So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users. In: Proc. New Security Paradigms Workshop 2009. ACM (2009),
  16. 16.
    Herley, C., van Oorschot, P.C.: A Research Agenda Acknowledging the Persistence of Passwords (in submission, 2011)Google Scholar
  17. 17.
    Jakobsson, M., Akavipat, R.: Rethinking Passwords to Adapt to Constrained Keyboards (2011) (in submission),
  18. 18.
    Johnson, M., Moore, S.: A New Approach to E-Banking. In: Erlingsson, Ú., et al. (eds.) Proc. 12th Nordic Workshop on Secure IT Systems (NORDSEC 2007), pp. 127–138 (October 2007),
  19. 19.
    Kristol, D.M., Gabber, E., Gibbons, P.B., Matias, Y., Mayer, A.: Design and implementation of the Lucent Personalized Web Assistant (LPWA). Tech. rep., Bell Labs (1998)Google Scholar
  20. 20.
    Landwehr, C.E.: Protecting unattended computers without software. In: Proceedings of the 13th Annual Computer Security Applications Conference, pp. 274–283. IEEE Computer Society, Washington, DC, USA (December 1997), ISBN O-8186-8274-4, CrossRefGoogle Scholar
  21. 21.
    Landwehr, C.E., Latham, D.L.: Secure Identification System. US Patent 5,892,901, filed 1997-06-10, granted 1999-04-06 (1999)Google Scholar
  22. 22.
    Laurie, B., Singer, A.: Choose the red pill and the blue pill: a position paper. In: Proc. New Security Paradigms Workshop 2008, pp. 127–133. ACM (2008),
  23. 23.
    Matsumoto, T., Matsumoto, H., Yamada, K., Hoshino, S.: Impact of Artificial Gummy Fingers on Fingerprint Systems. In: Proc. SPIE, Optical Security and Counterfeit Deterrence Techniques IV, vol. 4677 (2002),
  24. 24.
    McCune, J.M., Perrig, A., Reiter, M.K.: Seeing-Is-Believing: Using Camera Phones for Human-Verifiable Authentication. In: Proc. IEEE Symposium on Security and Privacy 2005, pp. 110–124 (2005),; updated version in Int. J. Security and Networks 4(1-2), 43–56 (2009),
  25. 25.
    Nicholson, A., Corner, M.D., Noble, B.D.: Mobile Device Security using Transient Authentication. IEEE Transactions on Mobile Computing 5(11), 1489–1502 (2006), CrossRefGoogle Scholar
  26. 26.
    Norman, D.A.: The Psychology of Everyday Things. Basic Books (1988) ISBN 0-385-26774-6, also published as The Design of Everyday Things (paperback)Google Scholar
  27. 27.
    Parno, B., Kuo, C., Perrig, A.: Phoolproof Phishing Prevention. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 1–19. Springer, Heidelberg (2006), CrossRefGoogle Scholar
  28. 28.
    Pashalidis, A.: Accessing Password-Protected Resources without the Password. In: Burgin, M., et al. (eds.) Proc. CSIE 2009, pp. 66–70. IEEE Computer Society (2009),
  29. 29.
    Pashalidis, A., Mitchell, C.J.: A Taxonomy of Single Sign-On Systems. In: Safavi-Naini, R., Seberry, J., et al. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 249–264. Springer, Heidelberg (2003), CrossRefGoogle Scholar
  30. 30.
    Pashalidis, A., Mitchell, C.J.: Impostor: a single sign-on system for use from untrusted devices. In: Proc. IEEE GLOBECOM 2004, vol. 4, pp. 2191–2195 (2004),
  31. 31.
    Peeters, R., Kohlweiss, M., Preneel, B.: Threshold Things That Think: Authorisation for Resharing. In: Camenisch, J., Kesdogan, D. (eds.) iNetSec 2009. IFIP AICT, vol. 309, pp. 111–124. Springer, Heidelberg (2009), CrossRefGoogle Scholar
  32. 32.
    Peeters, R., Kohlweiss, M., Preneel, B., Sulmon, N.: Threshold things that think: usable authorization for resharing. In: Proceedings of the 5th Symposium on Usable Privacy and Security, SOUPS 2009, p. 18:1. ACM, New York (2009) ISBN 978-1-60558-736-3, Google Scholar
  33. 33.
    Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger Password Authentication Using Browser Extensions. In: Proc. Usenix Security, pp. 17–32 (2005),
  34. 34.
    Schechter, S., Egelman, S., Reeder, R.W.: It’s not what you know, but who you know: a social approach to last-resort authentication. In: Proc. CHI 2009, pp. 1983–1992 (2009),
  35. 35.
    Shamir, A.: How to Share a Secret. Communications of the ACM 22(11), 612–613 (1979), MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    Stajano, F.: The Resurrecting Duckling – What Next? In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2000. LNCS, vol. 2133, pp. 204–214. Springer, Heidelberg (2001), CrossRefGoogle Scholar
  37. 37.
    Stajano, F.: Security for Ubiquitous Computing. Wiley (2002) ISBN 0-470-84493-0, Contains the most complete treatment of the Resurrecting Duckling [38]Google Scholar
  38. 38.
    Stajano, F., Anderson, R.: The Resurrecting Duckling: Security Issues in Ad-Hoc Wireless Networks. In: Malcolm, J.A., Christianson, B., Crispo, B., Roe, M. (eds.) Security Protocols 1999. LNCS, vol. 1796, pp. 172–182. Springer, Heidelberg (2000), CrossRefGoogle Scholar
  39. 39.
    Stajano, F., Wong, F.-L., Christianson, B.: Multichannel Protocols to Prevent Relay Attacks. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 4–19. Springer, Heidelberg (2010), CrossRefGoogle Scholar
  40. 40.
    Want, R., Hopper, A.: Active Badges and Personal Interactive Computing Objects. IEEE Transactions on Consumer Electronics 38(1), 10–20 (1992), CrossRefGoogle Scholar
  41. 41.
    Wong, F.-L., Stajano, F.: Multi-channel protocols. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2005. LNCS, vol. 4631, pp. 112–127. Springer, Heidelberg (2007),; updated version in IEEE Pervasive Computing 6(4), 31–39 (2007),
  42. 42.
    Wong, T.M., Wang, C., Wing, J.M.: Verifiable Secret Redistribution for Archive System. In: IEEE Security in Storage Workshop 2002, pp. 94–105 (2002),

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Frank Stajano
    • 1
  1. 1.Computer LaboratoryUniversity of CambridgeCambridgeUK

Personalised recommendations