Future authentication systems (IRIS)

Lead Research Organisation: University of Cambridge
Department Name: Computer Laboratory

Abstract

Memorizing a different unguessable password for every account is impossible: "Pick something you can't remember, then don't write it down". Pico (short video at http://mypico.org), under development at the University of Cambridge, is a novel system that lets you log in by waving an electronic device at your screen, without remembering any secrets or typing anything. The main problem faced by Pico is deployment: how to convince the major web sites to support it?
The proposed research consists of deploying Pico onto an existing high-traffic web site in the Alexa top 1000, http://gyazo.com, which already has a population of 7 million users, and to learn useful practical lessons from this deployment. These will inform and inspire further development of Pico. The experience gained will make it easier to persuade other existing sites to support Pico alongside passwords.

Planned Impact

Between them, the PI and the Fellow have an outstanding track record on impact. The PI is the author of two papers with over 1000 citations and the Fellow is the author of 3 high-usability systems with over a million users.
Insofar as this research is a stepping stone towards universal deployment of Pico, and an enabler for Pico adoption by all the major web sites, the ultimate indirect impact is potentially extremely broad: everyone who must use passwords on the web will benefit from this work. More directly, the research will benefit the webmasters who are considering offering support for Pico but hesitate because they don't want to go first. This project will bridge the gap from theory to practice and will prove to them that the technology is mature. Academically, it will also constructively prove that individual professors can do effective large-scale security usability research involving millions of users (real users, not mturkers or captive undergraduates) without having to beg for the cooperation of the big Internet companies.

Publications

10 25 50
 
Description We have tested, with the cooperation of users of an existing website, a novel login method that does not involve passwords. Our findings have been written up in an academic paper, accepted for presentation at EURO USEC 2017. Further development has been carried out and then tested in collaboration with a government agency, Innovate UK. A journal paper updating the original workshop paper and describing the additional developments is currently undergoing peer review.
Exploitation Route Improvements in usability and security of user authentication will have very wide applicability since everyone has to log into computers and websites.
Sectors Aerospace, Defence and Marine,Communities and Social Services/Policy,Creative Economy,Digital/Communication/Information Technologies (including Software),Education,Financial Services, and Management Consultancy,Healthcare,Government, Democracy and Justice,Culture, Heritage, Museums and Collections,Security and Diplomacy,Other

URL https://www.repository.cam.ac.uk/bitstream/handle/1810/265227/eurousec2017_17_Aebischer_paper.pdf?sequence=1&isAllowed=y
 
Description The findings from this collaboration, and in particular the user study with the commercial Gyazo website, have been used to inform and direct the plans of a startup borne out of the parent ERC Pico grant that was the umbrella under which the IRIS collaboration was hosted. A workshop publication produced during this collaboration and listed as one of the outputs (Aebischer et al, "Pico in the Wild: Replacing Passwords, One Site at a Time", Proc. EuroUSEC 2017) was identified by the program chairs as one of the top papers at the workshop. We have been invited to expand it and resubmit it to the Journal of Cybersecurity. We are currently doing that. Peer review of the journal submission is ongoing at the time of writing.
First Year Of Impact 2017
Sector Digital/Communication/Information Technologies (including Software)
Impact Types Societal,Economic

 
Description Keio sabbatical of Prof Toshiyuki Masui 
Organisation Keio University
Department Faculty of Environment and Information Studies
Country Japan 
Sector Academic/University 
PI Contribution Hosting the academic visitor, providing access to our codebase, defining criteria for integration of our authentication method to their website.
Collaborator Contribution Visiting us, learning about our codebase, providing access to their website.
Impact One output accepted for publication but still in press. EpisoPass: Password Management based on Episodic Memories (Full Paper) Toshiyuki Masui in Proceedings of Passwords 2016, Springer LNCS, to appear
Start Year 2015