Abstract
From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different, regularly changed and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can’t abandon passwords until we come up with an alternative method of user authentication that is both usable and secure.
We present an alternative design based on a hardware token called Pico that relieves the user from having to remember passwords and PINs. Unlike most alternatives, Pico doesn’t merely address the case of web passwords: it also applies to all the other contexts in which users must at present remember passwords, passphrases and PINs. Besides relieving the user from memorization efforts, the Pico solution scales to thousands of credentials, provides “continuous authentication” and is resistant to brute force guessing, dictionary attacks, phishing and keylogging.
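The abstract claims four properties for a token-based scheme: one credential per service (scaling to thousands without memorization), no typed secret for a keylogger to capture, keys too long to guess, and resistance to phishing. The following is an added illustration of how a token model achieves them, not Pico's protocol or code. It is a deliberate simplification: the token derives an independent symmetric key per service and answers a challenge bound to the identity of the service it is actually talking to; the real design would use per-service public-key pairs so that the service stores no secret. The service identifiers, the `Token`/`Service` classes and the way the token learns the peer's identity (assumed to come from an authenticated channel, such as a verified certificate name) are all assumptions of this example.

```python
"""Added example: per-service token credentials with a challenge bound to the
verified service identity. Illustrative model only; not Pico's protocol."""
import hashlib
import hmac
import secrets


def derive_service_key(master: bytes, service_id: str) -> bytes:
    """One independent 256-bit key per service, derived from the token's
    master secret. Knowing one service's key tells you nothing about another's."""
    return hmac.new(master, b"token-demo-v1|" + service_id.encode(), hashlib.sha256).digest()


class Token:
    """The hardware token. The master secret never leaves it; the user types nothing."""

    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)

    def enroll(self, service_id: str) -> bytes:
        # Handed to the service once, over the enrollment channel.
        return derive_service_key(self.master, service_id)

    def respond(self, peer_id: str, nonce: bytes) -> bytes:
        # peer_id is the identity of the party the token is really talking to,
        # obtained from an authenticated channel (assumption of this model).
        key = derive_service_key(self.master, peer_id)
        return hmac.new(key, nonce + peer_id.encode(), hashlib.sha256).digest()


class Service:
    """A relying party. Stores one key per enrolled user and issues fresh nonces."""

    def __init__(self, service_id: str) -> None:
        self.service_id = service_id
        self.keys: dict[str, bytes] = {}
        self.pending: dict[str, bytes] = {}

    def register(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # single use: replay fails
        key = self.keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce + self.service_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def honest_login(token: Token, service: Service, user: str) -> bool:
    """Normal flow: the token talks to the real service and answers its nonce."""
    nonce = service.challenge(user)
    return service.verify(user, token.respond(service.service_id, nonce))


def phishing_relay(token: Token, service: Service, phisher_id: str, user: str) -> bool:
    """Phisher obtains a real nonce from the service and relays it to the token,
    but the token only sees the phisher's own authenticated identity, so the
    response is bound to phisher_id and the service rejects it."""
    nonce = service.challenge(user)
    relayed = token.respond(phisher_id, nonce)
    return service.verify(user, relayed)


def replay_succeeds(token: Token, service: Service, user: str) -> bool:
    """Capture one valid response and present it a second time."""
    nonce = service.challenge(user)
    response = token.respond(service.service_id, nonce)
    assert service.verify(user, response)
    return service.verify(user, response)


def credentials_are_independent(token: Token, a: str, b: str) -> bool:
    """Enrolling at two services yields unrelated keys (no shared password)."""
    return token.enroll(a) != token.enroll(b)


if __name__ == "__main__":
    # Constructed sample identities; not real services.
    t = Token()
    bank = Service("bank.example")
    bank.register("alice", t.enroll("bank.example"))
    print("honest login:", honest_login(t, bank, "alice"))                      # True
    print("phishing relay:", phishing_relay(t, bank, "evil.example", "alice"))  # False
    print("replay:", replay_succeeds(t, bank, "alice"))                         # False
    print("independent keys:", credentials_are_independent(t, "bank.example", "mail.example"))  # True
```

The phishing case only holds because the token binds its response to the identity it has verified for the peer, not to whatever name the peer claims; how that identity is established (the abstract's "visual code" and the channel it runs over) is exactly the part this simplified model leaves out.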
References
Adams, A., Sasse, M.A.: Users are not the enemy. Communications of the ACM 42(12), 40–46 (1999), http://hornbeam.cs.ucl.ac.uk/hcs/people/documents/Angela%20Publications/1999/p40-adams.pdf
Anderson, R., Bond, M.: The Man-in-the-Middle Defence. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols. LNCS, vol. 5087, pp. 153–156. Springer, Heidelberg (2009), http://www.cl.cam.ac.uk/~mkb23/research/Man-in-the-Middle-Defence.pdf
Beautement, A., Sasse, M.A., Wonham, M.: The compliance budget: managing security behaviour in organisations. In: Proc. New Security Paradigms Workshop 2008, pp. 47–58. ACM (2008), http://hornbeam.cs.ucl.ac.uk/hcs/people/documents/Adam%27s%20Publications/Compliance%20Budget%20final.pdf
Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: Proc. 9th Workshop on the Economics of Information Security (June 2010), http://preibusch.de/publications/Bonneau_Preibusch__password_thicket.pdf
Choudary, O.: The Smart Card Detective: a hand-held EMV interceptor. Master’s thesis, University of Cambridge (2010), http://www.cl.cam.ac.uk/~osc22/docs/mphil_acs_osc22.pdf
Corner, M.D., Noble, B.D.: Zero-interaction authentication. In: Proc. ACM MobiCom 2002, pp. 1–11 (2002), http://www.sigmobile.org/awards/mobicom2002-student.pdf
Desmedt, Y., Burmester, M., Safavi-Naini, R., Wang, H.: Threshold Things That Think (T4): Security Requirements to Cope with Theft of Handheld/Handless Internet Devices. In: Proc. Symposium on Requirements Engineering for Information Security (2001)
Desmedt, Y., Jajodia, S.: Redistributing Secret Shares to New Access Structures and Its Applications. Tech. Rep. ISSE-TR-97-01, George Mason University (July 1997), ftp://isse.gmu.edu/pub/techrep/9701jajodia.ps.gz
Drimer, S., Murdoch, S.J.: Keep your enemies close: distance bounding against smartcard relay attacks. In: Proc. USENIX Security Symposium, pp. 87–102 (August 2007), http://www.cl.cam.ac.uk/~sd410/papers/sc_relay.pdf
Florêncio, D., Herley, C.: One-Time Password Access to Any Server without Changing the Server. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 401–420. Springer, Heidelberg (2008), http://research.microsoft.com/~cormac/Papers/otpaccessanyserver.pdf
Florêncio, D., Herley, C.: Where do security policies come from? In: Proc. SOUPS 2010, pp. 10:1–10:14. ACM (2010), http://research.microsoft.com/pubs/132623/WhereDoSecurityPoliciesComeFrom.pdf
Florêncio, D., Herley, C., Coskun, B.: Do strong web passwords accomplish anything? In: Proc. USENIX HOTSEC 2007, pp. 10:1–10:6 (2007), http://research.microsoft.com/pubs/74162/hotsec07.pdf
Hancke, G.P., Kuhn, M.G.: An RFID Distance Bounding Protocol. In: Proc. IEEE SECURECOMM 2005, pp. 67–73 (2005), http://www.cl.cam.ac.uk/~mgk25/sc2005-distance.pdf
Hao, F., Anderson, R., Daugman, J.: Combining Crypto with Biometrics Effectively. IEEE Transactions on Computers 55(9), 1081–1088 (2006), http://sites.google.com/site/haofeng662/biocrypt_TC.pdf
Herley, C.: So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users. In: Proc. New Security Paradigms Workshop 2009. ACM (2009), http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf
Herley, C., van Oorschot, P.C.: A Research Agenda Acknowledging the Persistence of Passwords (in submission, 2011)
Jakobsson, M., Akavipat, R.: Rethinking Passwords to Adapt to Constrained Keyboards (2011) (in submission), http://www.markus-jakobsson.com/fastwords.pdf
Johnson, M., Moore, S.: A New Approach to E-Banking. In: Erlingsson, Ú., et al. (eds.) Proc. 12th Nordic Workshop on Secure IT Systems (NORDSEC 2007), pp. 127–138 (October 2007), http://www.matthew.ath.cx/publications/2007-Johnson-ebanking.pdf
Kristol, D.M., Gabber, E., Gibbons, P.B., Matias, Y., Mayer, A.: Design and implementation of the Lucent Personalized Web Assistant (LPWA). Tech. rep., Bell Labs (1998)
Landwehr, C.E.: Protecting unattended computers without software. In: Proceedings of the 13th Annual Computer Security Applications Conference, pp. 274–283. IEEE Computer Society, Washington, DC, USA (December 1997), ISBN 0-8186-8274-4, http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA465472
Landwehr, C.E., Latham, D.L.: Secure Identification System. US Patent 5,892,901, filed 1997-06-10, granted 1999-04-06 (1999)
Laurie, B., Singer, A.: Choose the red pill and the blue pill: a position paper. In: Proc. New Security Paradigms Workshop 2008, pp. 127–133. ACM (2008), http://www.links.org/files/nspw36.pdf
Matsumoto, T., Matsumoto, H., Yamada, K., Hoshino, S.: Impact of Artificial Gummy Fingers on Fingerprint Systems. In: Proc. SPIE, Optical Security and Counterfeit Deterrence Techniques IV, vol. 4677 (2002), http://cryptome.org/gummy.htm
McCune, J.M., Perrig, A., Reiter, M.K.: Seeing-Is-Believing: Using Camera Phones for Human-Verifiable Authentication. In: Proc. IEEE Symposium on Security and Privacy 2005, pp. 110–124 (2005), http://sparrow.ece.cmu.edu/group/pub/mccunej_believing.pdf ; updated version in Int. J. Security and Networks 4(1-2), 43–56 (2009), http://sparrow.ece.cmu.edu/group/pub/mccunej_ijsn4_1-2_2009.pdf
Nicholson, A., Corner, M.D., Noble, B.D.: Mobile Device Security using Transient Authentication. IEEE Transactions on Mobile Computing 5(11), 1489–1502 (2006), http://prisms.cs.umass.edu/mcorner/papers/tmc_2005.pdf
Norman, D.A.: The Psychology of Everyday Things. Basic Books (1988) ISBN 0-385-26774-6, also published as The Design of Everyday Things (paperback)
Parno, B., Kuo, C., Perrig, A.: Phoolproof Phishing Prevention. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 1–19. Springer, Heidelberg (2006), http://sparrow.ece.cmu.edu/group/pub/parno_kuo_perrig_phoolproof.pdf
Pashalidis, A.: Accessing Password-Protected Resources without the Password. In: Burgin, M., et al. (eds.) Proc. CSIE 2009, pp. 66–70. IEEE Computer Society (2009), http://kyps.net/xrtc/cv/kyps.pdf
Pashalidis, A., Mitchell, C.J.: A Taxonomy of Single Sign-On Systems. In: Safavi-Naini, R., Seberry, J., et al. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 249–264. Springer, Heidelberg (2003), http://www.isg.rhul.ac.uk/cjm/atosso.pdf
Pashalidis, A., Mitchell, C.J.: Impostor: a single sign-on system for use from untrusted devices. In: Proc. IEEE GLOBECOM 2004, vol. 4, pp. 2191–2195 (2004), http://www.isg.rhul.ac.uk/cjm/iassos2.pdf
Peeters, R., Kohlweiss, M., Preneel, B.: Threshold Things That Think: Authorisation for Resharing. In: Camenisch, J., Kesdogan, D. (eds.) iNetSec 2009. IFIP AICT, vol. 309, pp. 111–124. Springer, Heidelberg (2009), http://www.cosic.esat.kuleuven.be/publications/article-1223.pdf
Peeters, R., Kohlweiss, M., Preneel, B., Sulmon, N.: Threshold things that think: usable authorization for resharing. In: Proceedings of the 5th Symposium on Usable Privacy and Security, SOUPS 2009, p. 18:1. ACM, New York (2009) ISBN 978-1-60558-736-3, http://cups.cs.cmu.edu/soups/2009/posters/p1-peeters.pdf
Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger Password Authentication Using Browser Extensions. In: Proc. Usenix Security, pp. 17–32 (2005), http://crypto.stanford.edu/PwdHash/pwdhash.pdf
Schechter, S., Egelman, S., Reeder, R.W.: It’s not what you know, but who you know: a social approach to last-resort authentication. In: Proc. CHI 2009, pp. 1983–1992 (2009), http://research.microsoft.com/pubs/79349/paper1459-schechter.pdf
Shamir, A.: How to Share a Secret. Communications of the ACM 22(11), 612–613 (1979), http://securespeech.cs.cmu.edu/reports/shamirturing.pdf
Stajano, F.: The Resurrecting Duckling – What Next? In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2000. LNCS, vol. 2133, pp. 204–214. Springer, Heidelberg (2001), http://www.cl.cam.ac.uk/~fms27/papers/2000-Stajano-duckling.pdf
Stajano, F.: Security for Ubiquitous Computing. Wiley (2002) ISBN 0-470-84493-0, Contains the most complete treatment of the Resurrecting Duckling [38]
Stajano, F., Anderson, R.: The Resurrecting Duckling: Security Issues in Ad-Hoc Wireless Networks. In: Malcolm, J.A., Christianson, B., Crispo, B., Roe, M. (eds.) Security Protocols 1999. LNCS, vol. 1796, pp. 172–182. Springer, Heidelberg (2000), http://www.cl.cam.ac.uk/~fms27/papers/1999-StajanoAnd-duckling.pdf
Stajano, F., Wong, F.-L., Christianson, B.: Multichannel Protocols to Prevent Relay Attacks. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 4–19. Springer, Heidelberg (2010), http://www.cl.cam.ac.uk/~fms27/papers/2009-StajanoWonChr-relay.pdf
Want, R., Hopper, A.: Active Badges and Personal Interactive Computing Objects. IEEE Transactions on Consumer Electronics 38(1), 10–20 (1992), http://nano.xerox.com/want/papers/pico-itce92.pdf
Wong, F.-L., Stajano, F.: Multi-channel protocols. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2005. LNCS, vol. 4631, pp. 112–127. Springer, Heidelberg (2007), http://www.cl.cam.ac.uk/~fms27/papers/2005-WongSta-multichannel.pdf ; updated version in IEEE Pervasive Computing 6(4), 31–39 (2007), http://www.cl.cam.ac.uk/~fms27/papers/2007-WongSta-multichannel.pdf
Wong, T.M., Wang, C., Wing, J.M.: Verifiable Secret Redistribution for Archive System. In: IEEE Security in Storage Workshop 2002, pp. 94–105 (2002), http://www.cs.cmu.edu/~wing/publications/Wong-Winga02.pdf
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Stajano, F. (2011). Pico: No More Passwords!. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds) Security Protocols XIX. Security Protocols 2011. Lecture Notes in Computer Science, vol 7114. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25867-1_6
DOI: https://doi.org/10.1007/978-3-642-25867-1_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25866-4
Online ISBN: 978-3-642-25867-1