Can we do better?

(Image: a password written on a Post-it note)

Can we do better?

The mantra of a good algorithm designer is “can we do better?” For usable security researchers, doing better means delivering low-friction solutions that let end users get on with their business while still managing security risks effectively.

As with algorithms, the only interesting problems in usable security involve large n, which means solutions that work for millions or hundreds of millions of people. Cormac Herley estimates that one hour of the time of the 180 million internet users in the US is worth $2.5 billion. Set the daily burden of our own authentication at home and at work against that figure and it is clear that current authentication schemes are hugely expensive, and that is before counting the cost of staffing help desks for password resets, fraud, lost purchases and so on.

Authentication’s Big-O

By changing the “Big-O” of authentication from quadratic to linear we can transform how users interact with technology and, while we’re at it, save billions of wasted dollars. Today every user holds a separate secret for every service, so the number of secrets to be remembered, reset and protected grows with users times services; one authenticator per user, good for every service, brings that back down to growing with the number of users alone.

Despite this, the vast majority of research in usable security is focused on providing a sticking plaster for passwords. I strongly believe that experiments on password memorability with small numbers of users (usually MTurkers) aren’t security research; they are just really poor psychology. Frankly, that isn’t good enough.

Can we do better?

So, can we do better than passwords? Well-known problems (such as the issues with passwords) rarely have simple solutions. Good. I have no interest in working on problems that have easy solutions. Pico is trying to do better than passwords. At the very least we are tackling the right problem, and in usable security research that is a step in the right direction.