Future authentication systems (IRIS)

Lead Research Organisation: University of Cambridge


Memorizing a different unguessable password for every account is impossible: "Pick something you can't remember, then don't write it down". Pico (short video at http://mypico.org), under development at the University of Cambridge, is a novel system that lets you log in by waving an electronic device at your screen, without remembering any secrets or typing anything. The main problem faced by Pico is deployment: how to convince the major web sites to support it?
The proposed research consists of deploying Pico onto an existing high-traffic web site in the Alexa top 1000, http://gyazo.com, which already has a population of 7 million users, and of learning useful practical lessons from this deployment. These will inform and inspire further development of Pico. The experience gained will make it easier to persuade other existing sites to support Pico alongside passwords.

Planned Impact

Between them, the PI and the Fellow have an outstanding track record on impact. The PI is the author of two papers with over 1000 citations and the Fellow is the author of 3 high-usability systems with over a million users.
Insofar as this research is a stepping stone towards universal deployment of Pico, and an enabler for Pico adoption by all the major web sites, the ultimate indirect impact is potentially extremely broad: everyone who must use passwords on the web will benefit from this work. More directly, the research will benefit the webmasters who are considering offering support for Pico but hesitate because they don't want to go first. This project will bridge the gap from theory to practice and will prove to them that the technology is mature. Academically, it will also constructively prove that individual professors can do effective large-scale security usability research involving millions of users (real users, not mturkers or captive undergraduates) without having to beg for the cooperation of the big Internet companies.


Description We have tested, with the cooperation of users of an existing website, a novel login method that does not involve passwords. Our findings have been written up in a workshop paper accepted at EURO USEC 2017. Further development has been carried out and then tested in collaboration with a government agency, Innovate UK. A journal paper updating the original workshop paper and describing the additional developments has been published in the Journal of Cybersecurity. Here are the URLs for both papers, since the box that asks me to "provide the most relevant URL(s)" can only cope with one. https://www.repository.cam.ac.uk/handle/1810/265227, https://www.repository.cam.ac.uk/handle/1810/305664
Exploitation Route Improvements in usability and security of user authentication will have very wide applicability since everyone has to log into computers and websites.
Sectors Aerospace, Defence and Marine, Communities and Social Services/Policy, Creative Economy, Digital/Communication/Information Technologies (including Software), Education, Financial Services, and Management Consultancy, Healthcare, Government, Democracy and Justice, Culture, Heritage, Museums and Collections, Security and Diplomacy, Other

URL https://www.repository.cam.ac.uk/handle/1810/305664
Description The findings from this collaboration, and in particular the user study with the commercial Gyazo website, have been used to inform and direct the plans of a startup born out of the parent ERC Pico grant that was the umbrella under which the IRIS collaboration was hosted. A workshop publication produced during this collaboration and listed as one of the outputs (Aebischer et al., "Pico in the Wild: Replacing Passwords, One Site at a Time", Proc. EuroUSEC 2017) was identified by the program chairs as one of the top papers at the workshop. We have been invited to expand it and resubmit it to the Journal of Cybersecurity. After passing peer review, it was finally published in 2020 (Aebischer et al., "Deploying authentication in the wild: towards greater ecological validity in security usability studies", JCyber 6(1), DOI http://doi.org/10.1093/cybsec/tyaa010).
Sector Digital/Communication/Information Technologies (including Software)
Impact Types Societal, Economic

Description Keio sabbatical of Prof Toshiyuki Masui
Organisation Keio University
Department Faculty of Environment and Information Studies
Country Japan
Sector Academic/University
PI Contribution Hosting the academic visitor, providing access to our codebase, defining criteria for integration of our authentication method to their website.
Collaborator Contribution Visiting us, learning about our codebase, providing access to their website.
Impact One output accepted for publication but still in press: Toshiyuki Masui, "EpisoPass: Password Management based on Episodic Memories" (full paper), in Proceedings of Passwords 2016, Springer LNCS, to appear.
Start Year 2015