
Pico: No More Passwords!

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 7114)


From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different, regularly changed and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can’t abandon passwords until we come up with an alternative method of user authentication that is both usable and secure.

We present an alternative design based on a hardware token called Pico that relieves the user from having to remember passwords and PINs. Unlike most alternatives, Pico doesn’t merely address the case of web passwords: it also applies to all the other contexts in which users must at present remember passwords, passphrases and PINs. Besides relieving the user from memorization efforts, the Pico solution scales to thousands of credentials, provides “continuous authentication” and is resistant to brute force guessing, dictionary attacks, phishing and keylogging.


  • Smart Card
  • Security Protocol
  • Visual Code
  • Docking Station
  • Secure Socket Layer

  • DOI: 10.1007/978-3-642-25867-1_6
  • Chapter length: 33 pages

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

Cite this paper

Stajano, F. (2011). Pico: No More Passwords!. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds) Security Protocols XIX. Security Protocols 2011. Lecture Notes in Computer Science, vol 7114. Springer, Berlin, Heidelberg.

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25866-4

  • Online ISBN: 978-3-642-25867-1

  • eBook Packages: Computer Science (R0)