Bootstrapping Adoption of the Pico Password Replacement System

Frank Stajano, Graeme Jenkinson, Jeunese Payne, Max Spencer, Quentin Stafford-Fraser, Chris Warrington
Proc. Security Protocols XXII, 22nd International Workshop, Cambridge, UK, March 19-21, 2014
In previous work we presented Pico, an authentication system designed to be both more usable and more secure than passwords. One unsolved problem was that Pico, in its quest to explore the whole solution space without being bound by compatibility shackles, requires changes at both the prover and the verifier, which makes it hard to convince anyone to adopt it: users will not buy an authentication gadget that does not let them log into anything, and service providers will not support a system that no users are equipped to log in with. In this paper we present three measures to break this vicious circle, starting with the "Pico Lens" browser add-on, which rewrites websites on the fly so that they appear Pico-enabled. Our add-on offers the user most (though not all) of the usability and security benefits of Pico, thus fostering adoption by users even before service providers are on board. This will enable Pico to build up a user base. We also developed a server-side WordPress plugin, which can serve both as a reference example and as a useful enabler in its own right (WordPress being one of the leading content management platforms on the web). Finally, we developed a software version of the Pico client running on a smartphone, the Pico App, so that people can try out Pico (at the price of slightly reduced security) without having to acquire and carry another gadget. Having broken the vicious circle, we will be in a stronger position to persuade providers to offer support for Pico in parallel with passwords.

Available here: PDF