Pico in the Wild: Replacing Passwords, One Site at a Time
EuroUSEC: European Workshop on Usable Security
Aebischer, S., Dettoni, C., Jenkinson, G., Krol, K., Llewellyn-Jones, D., Masui, T., & Stajano, F. (2017). Pico in the Wild: Replacing Passwords, One Site at a Time. EuroUSEC: European Workshop on Usable Security. https://doi.org/10.14722/eurousec.2017.23017
Passwords are a burden on the user, especially nowadays with an increasing number of accounts and a proliferation of different devices. Pico is a token-based login method that does not ask users to remember any secrets, nor require keyboard entry of one-time passwords. We wish to evaluate its claim of being simultaneously more usable and more secure than passwords, whilst testing its support for frictionless deployment to web-based services. Our main aim is to collect actionable intelligence on how to improve it. In our study, we teamed up with an Alexa Top 500 website, Gyazo, to offer this alternative login mechanism to users intent on performing a real task of image sharing. We focused on the ecological validity of the trial, and gained knowledge both through the challenges of the trial and the results generated. Users appreciated the ability to avoid password entry but the overall benefit was mitigated by the existing measures put in place by Gyazo to minimise the number of times users are presented with a password entry box. Our main finding is that providing enough benefit requires a solution that applies across sites, rather than focusing on authentication for a single site in isolation.
We would also like to thank the European Research Council (ERC) for funding this research through grant StG 307224 (Pico) and the Engineering and Physical Sciences Research Council (EPSRC) through grant EP/M019055/1.
External DOI: https://doi.org/10.14722/eurousec.2017.23017
This record's URL: https://www.repository.cam.ac.uk/handle/1810/265227