Pico in the Wild: Replacing Passwords, One Site at a Time
Authors
Aebischer, S
Dettoni, C
Jenkinson, Graeme
Krol, Kat
Llewellyn-Jones, David
Masui, T
Publication Date
2017-04-29
Conference Name
EuroUSEC: European Workshop on Usable Security
Publisher
Internet Society
Language
eng
Type
Conference Object
This Version
VoR
Citation
Aebischer, S., Dettoni, C., Jenkinson, G., Krol, K., Llewellyn-Jones, D., Masui, T., & Stajano, F. (2017). Pico in the Wild: Replacing Passwords, One Site at a Time. EuroUSEC: European Workshop on Usable Security. https://doi.org/10.14722/eurousec.2017.23017
Abstract
Passwords are a burden on the user, especially nowadays with an increasing number of accounts and a proliferation of different devices. Pico is a token-based login method that does not ask users to remember any secrets, nor require keyboard entry of one-time passwords. We wish to evaluate its claim of being simultaneously more usable and more secure than passwords, whilst testing its support for frictionless deployment to web-based services. Our main aim is to collect actionable intelligence on how to improve it. In our study, we teamed up with an Alexa Top 500 website, Gyazo, to offer this alternative login mechanism to users intent on performing a real task of image sharing. We focused on the ecological validity of the trial, and gained knowledge both through the challenges of the trial and the results generated. Users appreciated the ability to avoid password entry but the overall benefit was mitigated by the existing measures put in place by Gyazo to minimise the number of times users are presented with a password entry box. Our main finding is that providing enough benefit requires a solution that applies across sites, rather than focusing on authentication for a single site in isolation.
Sponsorship
We would also like to thank the European Research Council (ERC) for funding this research through grant StG 307224 (Pico) and the Engineering and Physical Sciences Research Council (EPSRC) through grant EP/M019055/1.
Identifiers
External DOI: https://doi.org/10.14722/eurousec.2017.23017
This record's URL: https://www.repository.cam.ac.uk/handle/1810/265227
Rights
Licence:
http://www.rioxx.net/licenses/all-rights-reserved