
Pico: no more passwords

Final Report Summary - PICO (Pico: no more passwords)

The invention of Pico [Stajano 2011] was prompted by pleas for help from friends and family. People are burdened with password rules that are impossible to follow because they are mutually contradictory (create complex and hard-to-guess passwords; never write them down; change them every few months; never reuse them across accounts; etc.). Then, when accounts are hacked, users are blamed for not having followed the impossible rules. This is ridiculous. I believe we computer people have a moral duty to offer a better deal to the rest of humanity. Pico, named after the 15th-century philosopher Pico della Mirandola, famous for his prodigious memory, is a physical device that remembers thousands of strong login credentials on your behalf. Pico never asks you to remember any secrets to log in: it is easier to use and much more secure than passwords.

We developed and trialled a variety of prototypes of Pico. By involving users, listening to what they said and observing what they did, we learnt much about what would work in practice and we changed the design accordingly. I had originally envisaged Pico as a dedicated electronic token, in theory much more secure than a program running on a general purpose smartphone platform; but our user studies taught us that, in practice, people would forget to carry the token with them, forget to recharge it and generally not accept it easily into their daily routine. The current prototype of Pico is implemented as a smartphone app, with back-end software on the computer and in the browser.

Pico exploits proximity to provide "continuous authentication": go near your computer to log in, and move away to log out. A configurable system of alerts and subtle confirmations prevents misuse by attackers while minimizing user effort. This means you'll never leave your computer unlocked by accident while you're away, but at the same time you'll never be locked out while at your desk, even if you don't touch the keyboard or mouse for half an hour because you're on the phone. There are safeguards against the theft or loss of your smartphone.

We also prototyped further developments besides this core functionality. The Pico Lens lets you log into websites that don't support Pico yet; but, unlike the password manager in your browser, it resists man-in-the-browser attacks. The Picosiblings are additional wearable devices whose presence unlocks the Pico, adding extra security but without requiring you to type a PIN. The Reverse Web Proxy lets websites become Pico-compatible without modifying their backend. The Cold Boot Protection safeguards most of the credentials in the Pico even if the device is stolen while in use.

To maximise adoption and societal benefit, we did not file any patents about Pico and we released our reference implementation as open source. Similar techniques to the ones described in my 2011 paper are currently being used by a variety of major industry players. The FIDO consortium standardizes the use of an authenticator device with a different public key pair for every account. Apple, Google and Windows are all offering some form of authentication via mobile or wearable devices.
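As an added illustration (not Pico's own code, nor the FIDO specification), the following Go sketch puts together the two ideas described above: one key pair per account held on the device, with the verifier storing only public keys, and a session that stays unlocked only while fresh challenges keep being answered, so it locks by itself once the device is out of reach. The account names, the 32-byte nonce and the timeout value are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"time"
)

// Authenticator stands in for the Pico device (constructed illustration, not the
// project's own code): one private key per account, none of them ever leaving it.
type Authenticator map[string]ed25519.PrivateKey
// session is what the computer or website keeps per account: a public key, not a password hash.
type session struct {
	pub      ed25519.PublicKey
	pending  []byte    // outstanding challenge, answerable exactly once
	lastSeen time.Time // time of the last valid answer
}
// Verifier keeps a session unlocked only while fresh challenges keep being answered.
type Verifier map[string]*session
// Pair enrols the device at one account: a fresh key pair is generated and only the public half leaves the device.
func Pair(a Authenticator, v Verifier, account string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: refuse rather than weaken the key
	}
	a[account] = priv
	v[account] = &session{pub: pub}
}
// Respond signs the challenge with that account's own key; keys for different accounts are unrelated. Panics if never paired.
func (a Authenticator) Respond(account string, challenge []byte) []byte {
	return ed25519.Sign(a[account], challenge)
}
// Challenge issues a fresh random nonce, so a captured signature cannot be replayed later.
func (v Verifier) Challenge(account string) []byte {
	v[account].pending = make([]byte, 32)
	rand.Read(v[account].pending)
	return v[account].pending
}
// Check verifies an answer against the outstanding challenge; success refreshes the session.
func (v Verifier) Check(account string, sig []byte, now time.Time) bool {
	s := v[account]
	if s == nil || s.pending == nil || !ed25519.Verify(s.pub, s.pending, sig) {
		return false
	}
	s.pending, s.lastSeen = nil, now // consume the challenge, record presence
	return true
}
// Unlocked is true while the device kept answering within timeout; walk away and the session closes by itself.
func (v Verifier) Unlocked(account string, now time.Time, timeout time.Duration) bool {
	s := v[account]
	return s != nil && !s.lastSeen.IsZero() && now.Sub(s.lastSeen) <= timeout
}
```

In a real deployment the challenge would be bound to the verifier's identity and carried over an encrypted channel; this sketch only shows the per-account key and the presence timeout.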

After collecting the usual marks of academic esteem (papers, invited talks, academic promotions) we were keen to bring Pico's benefits to actual users. We thus founded a company, Cambridge Authentication, to bring this research to market and ensure it will continue beyond the end of the ERC project. Pico is currently being trialled in a UK government agency. For our customers, Pico quickly pays for itself many times over through increased security and productivity.