Final Report Summary - PICO (Pico: no more passwords)
We developed and trialled a variety of prototypes of Pico. By involving users, listening to what they said and observing what they did, we learnt much about what would work in practice and we changed the design accordingly. I had originally envisaged Pico as a dedicated electronic token, in theory much more secure than a program running on a general purpose smartphone platform; but our user studies taught us that, in practice, people would forget to carry the token with them, forget to recharge it and generally not accept it easily into their daily routine. The current prototype of Pico is implemented as a smartphone app, with back-end software on the computer and in the browser.
Pico exploits proximity to provide "continuous authentication": go near your computer to log in, and move away to log out. A configurable system of alerts and subtle confirmations prevents misuse by attackers while minimizing user effort. This means you'll never leave your computer unlocked by accident while you're away, but at the same time you'll never be locked out while at your desk, even if you don't touch the keyboard or mouse for half an hour because you're on the phone. There are safeguards against the theft or loss of your smartphone.
We also prototyped further developments besides this core functionality. The Pico Lens lets you log into websites that don't support Pico yet; but, unlike the password manager in your browser, it resists man-in-the-browser attacks. The Picosiblings are additional wearable devices whose presence unlocks the Pico, adding extra security but without requiring you to type a PIN. The Reverse Web Proxy lets websites become Pico-compatible without modifying their backend. The Cold Boot Protection safeguards most of the credentials in the Pico even if the device is stolen while in use.
To maximise adoption and societal benefit, we did not file any patents about Pico and we released our reference implementation as open source. Similar techniques to the ones described in my 2011 paper are currently being used by a variety of major industry players. The FIDO consortium standardizes the use of an authenticator device with a different public key pair for every account. Apple, Google and Windows are all offering some form of authentication via mobile or wearable devices.
After collecting the usual marks of academic esteem (papers, invited talks, academic promotions) we were keen to bring Pico's benefits to actual users. We thus founded a company, Cambridge Authentication, to bring this research to market and ensure it will continue beyond the end of the ERC project. Pico is currently being trialled in a UK government agency. For our customers, Pico quickly pays for itself many times over through increased security and productivity.