9:00-10:00 Keynote I
Pico: no more passwords!
Frank Stajano, University of Cambridge
Hosted by Hideyuki Tokuda
One consequence of the ubiquity of computing is that we interact with, and have accounts with, many more computer systems than in the past. How should we authenticate to them?
From a usability viewpoint, passwords and PINs have reached the end of
their useful life. Even though they are convenient for implementers, for
users they are increasingly unmanageable. The demands placed on users
(passwords that are unguessable, all different, regularly changed and
never written down) are no longer reasonable now that each person has to
manage dozens of passwords. Yet we can't abandon passwords until we come
up with an alternative method of user authentication that is both usable
We present an alternative design based on a hardware token called Pico that relieves the user from having to remember passwords and PINs. Unlike most alternatives, Pico doesn't merely address the case of web passwords: it also applies to all the other contexts in which users must at present remember passwords, passphrases and PINs. Besides relieving the user from memorization efforts, the Pico solution scales to thousands of credentials, provides “continuous authentication” and is resistant to brute force guessing, dictionary attacks, phishing and keylogging.