Repository logo
 

Pico in the Wild: Replacing Passwords, One Site at a Time

Published version
Peer-reviewed

Type

Conference Object

Change log

Authors

Aebischer, S 
Dettoni, C 
Jenkinson, G 
Krol, KK 
Llewellyn-Jones, D 

Abstract

Passwords are a burden on the user, especially nowadays with an increasing number of accounts and a proliferation of different devices. Pico is a token-based login method that does not ask users to remember any secrets, nor require keyboard entry of one-time passwords. We wish to evaluate its claim of being simultaneously more usable and more secure than passwords, whilst testing its support for frictionless deployment to web-based services. Our main aim is to collect actionable intelligence on how to improve it. In our study, we teamed up with an Alexa Top 500 website, Gyazo, to offer this alternative login mechanism to users intent on performing a real task of image sharing. We focused on the ecological validity of the trial, and gained knowledge both through the challenges of the trial and the results generated. Users appreciated the ability to avoid password entry but the overall benefit was mitigated by the existing measures put in place by Gyazo to minimise the number of times users are presented with a password entry box. Our main finding is that providing enough benefit requires a solution that applies across sites, rather than focusing on authentication for a single site in isolation.

Description

Keywords

Journal Title

Conference Name

EuroUSEC: European Workshop on Usable Security

Journal ISSN

Volume Title

Publisher

Internet Society
Sponsorship
We would also like to thank the European Research Council (ERC) for funding this research through grant StG 307224 (Pico) and the Engineering and Physical Sciences Research Council (EPSRC) through grant EP/M019055/1.