Fig 1 - uploaded by Graeme Jenkinson
The Gyazo login screen with a Pico QR code. 

Source publication
Conference Paper
Passwords are a burden on the user, especially nowadays with an increasing number of accounts and a proliferation of different devices. Pico is a token-based login method that does not ask users to remember any secrets, nor require keyboard entry of one-time passwords. We wish to evaluate its claim of being simultaneously more usable and more secur...

Contexts in source publication

Context 1
... Pico implementation does not affect image upload and the identity token, but rather focuses on access to the website. As shown in Figure 1, Pico adds a QR code to the login page that a user scans with their smartphone. The user loads up the Pico app on their phone, scans the QR code and is then presently logged in to the site. ...
Context 2
... main change was to inject a few additional <script> HTML elements into the login page. These elements pulled in our own JavaScript source that performed some client-side rewriting of the page to inject the dynamic Pico QR code into the login page (the result of which was as shown earlier in Figure 1). The second change was to add a new page that we passed to potential study participants. ...

Similar publications

Article
The rejuvenation of applications to harmonize with technological watch is the major challenge for all computer boxes, frameworks and languages are constantly proliferating by offering a range of improvements in terms of security and performance, which pushes all applications to invest in order to align oneself, to orient oneself towards another p...

Citations

... Users liked the lack of passwords in a review of Pico's usage in the wild (Aebischer et al., 2017). Although just 11 people participated in this field survey, the results are positive for FIDO2 adoption. ...
Thesis
ABSTRACT The continuous rates of account hacking and data leaks have put online users at risk of losing valuable data. The traditional password-based authentication has failed to suffice, as hackers have found it very easy to breach these protocols and get hold of users’ data. This has led to the development of more secure protocols like the FIDO2 passwordless authentication. Thus, this research was undertaken to investigate the effectiveness of FIDO2 passwordless authentication for online users. One of the objectives of this research is to investigate how passwordless authentication can help solve the security issues that arise for users in an online environment. The study made use of both primary data and secondary data. The study found that FIDO2 passwordless authentication is a very secure method of protecting online users; however, the risk of losing the security key and the hassle involved in retrieving access have limited the adoption of the authentication protocol. The research however recommends that the FIDO Alliance should develop easier methods of recovery. This would help improve user experience and lead to a higher adoption rate.
... For a hardware wallet to function properly as a password vault, it should interact with the user's web browser through client-side software which can facilitate two-way communication channels via USB, Bluetooth, WIFI, NFC, RFID, IR, and LAN. Aebischer et al. (2017) stated that a token-based authentication system called Common Access Card (CAC) introduced to the US Department of Defense (DoD) made a significant impact on organization productivity and a loss of $10.4 million. Stajano (2011) stated that if any mechanism is going to be invented to overcome this password problem and users are no longer needed for remembering unguessable secrets, it should fulfil at least three requirements of memoryless, scalable, secure, loss-resistance, and theft resistance. ...
... Stajano (2011) mentioned that smartphones are general-purpose networked devices with great ecosystems for numerous security threats and users would not enjoy the security of their sensitive data on such devices. Aebischer et al. (2017) conducted a study evaluating the Pico system for replacing passwords, exploring the areas of usability, deployability, and security. With the results of prior research on the usability of token-based authentication and identified problems with the hardware-based Pico system, the Pico project was later focused on the implementation of a smartphone application. ...
... Lack of credentials recovery and backward compatibility. Aebischer et al. (2017) studied the Common Access Card (CAC) token-based authentication system for the US Department of Defence (DoD). Showed significant impact on organization productivity. ...
Article
For over six decades, passwords have served as the primary authentication mechanism for almost all modern computer systems. However, password management is a challenging task for most computer users, and that has led users to many malpractices that open the door for most information security breaches over time. Despite many efforts, no alternative solution has ever succeeded in replacing passwords as the primary authentication mechanism. As a result, users are now heavily relying on password managers to alleviate the burden of manual password management. This paper addresses the topic of password management about different types of password managers and their inherent limitations. By evaluating the existing password management approaches and identifying potential improvements, this paper aims to signify an important research gap that exists in the study area; the need for fully automating the process of manual password management.
... The methods discussed in [9,10] show the limitations of password-less authentication. As proposed by Stajano [11,12] for replacing passwords with a hardware token, there are various design perspectives associated with U2F and FIDO2. Figure 1 shows the Access Control Authentication Methods. ...
Conference Paper
In the technology today, user-based authentication and passwords are now widely used in all information systems and services. Most universities also use this type of authentication method for many services, but the password is in danger. By providing a password-protected verification system for the most usable and secure organization. In the old days, the password was used as the best authentication system to prevent unauthorized access. Now the technology in the authentication system is growing day by day so that the password is changed to be more secure. However, the vulnerability of this traditional system has prompted the industry and researchers to find a new alternative where there is no threat such as theft, hacking and cracking passwords. This study discusses in more detail the key strategies for verifying the authenticity of a password and sets out an attempt to explain the details and process of each technology. The paper consists of an extensive review of the research conducted in the past several years, and this research study has presented a review of recent research works which are mainly conducted for improvising the security with the end-to-end encryption process.
Keywords— Traditional Authentication, Password less Authentication, Emerging Authentication, Biometrics, Web Security
... Besides FIDO2, Pico, proposed by Stajano [25], is another example of a token-based login method. In a study by Aebischer et al. [1], users appreciated the ability to avoid passwords because of the known drawbacks, but adoption was still identified as a problem as users prefer to stick to the familiar password-based authentication. We observed a similar phenomenon among the participants who used a password manager. ...
... All these adoption barriers should be minimized before introducing FIDO2 (with security keys) to replace username and password-based authentication in a company. [Footnote 1] The participant states that using the security key requires more thinking than entering username and password. ...
... instead of the regular https://www.gyazo.com. Our proxy web server would display a QR code, perform mutual authentication with the user and then embed an authentication cookie provided by Pico into the browser session, before handing over the authenticated user to the real Gyazo website [9]. ...
... The Pico app was downloaded by N_5 = 12 participants but one participant never used it to authenticate. Overall, we recorded 45 authentication events across N_6 = 11 active participants (M = 4.1 authentication events per participant; range: 1 to 14). ...
... As we said in the original workshop write-up of the Gyazo study [9], we intended to use our findings to shape the future development of Pico. In this article, we show that we did. ...
Article
Pico is a token-based login method that claims to be simultaneously more usable and more secure than passwords. It does not ask users to remember any secrets, nor to type one-time passwords. We evaluate Pico’s claim with two deployments and user studies, one on a web-based service and another within an organization. Our main aim is to collect actionable intelligence on how to improve the usability and deployability of Pico. In our first study we team up with an established website, Gyazo, to offer this alternative login mechanism to users intent on performing a real task of image sharing. From the lessons of this first study, we retarget Pico’s focus from replacing web passwords to replacing desktop login passwords; and thus in our second study we engage with a government organization, Innovate UK, to offer employees the ability to lock and unlock their computer automatically based on proximity. We focus particularly on the ecological validity of the trials and we thereby gain valuable insights into the viability of Pico, not only through the actual responses from the participants but also through the many practical challenges we had to face and overcome. Reflecting on the bigger picture, from our experience we believe the security usability community would greatly benefit from pushing towards greater ecological validity in published work, despite the considerable difficulties and costs involved.
... This evolution of the Pico concept loses several features such as continuous authentication and the ability to log out from the device; and comes with the intrinsic disadvantages of transferring passwords. The very recently published usability study (April this year) on Pico [1] seems to suggest that the Pico team has abandoned their browser plugin for a reverse proxy setup at the server and is using the Pico prototype (only Android) in 'compatibility mode' (the user has to enter his password in the app, with no indication whatsoever that Pico updates the user's password to a longer, hard-to-guess password) without any kind of database locking mechanism (no mention of Pico Siblings as in the original concept or even the use of a PIN or fingerprint). In this light, we will evaluate the current Pico in 'compatibility mode' without a database locking mechanism. ...
... Bonneau et al. [6] described a general Usability-Deployability-Security evaluation framework, using a concise list of properties, which we will use for our comparison. Table 1 shows the properties attributed to the original Pico description by Stajano [22] as per Bonneau et al. [6], supplemented with our evaluation of their new direction [1,23] and our n-Auth implementation. In the following sections, we always first state each property together with a short explanation, taken verbatim from [6]. ...
... [Table 1 residue: columns "original Pico [22]", "current Pico [1,23]", "n-Auth"; first row group "Security"] ...
Conference Paper
Weak security, excessive personal data collection for user profiling, and a poor user experience are just a few of the many problems that mobile authentication solutions suffer from. Despite being an interesting platform, mobile devices are still not being used to their full potential for authentication. n-Auth is a firm step in unlocking the full potential of mobile devices in authentication, by improving both security and usability whilst respecting the privacy of the user. Our focus is on the combined usage of several strong cryptographic techniques with secure HCI design principles to achieve a better user experience. We specified and built n-Auth, for which robust Android and iOS apps are openly available through the official stores.