Pico is a password replacement system currently under development at the University of Cambridge. The Pico project’s strapline is: No more passwords! But is that right? Should this really be our goal when designing new authentication schemes?
Category Archives: Security
Security related posts
Why password managers (sometimes) fail
In a paper the Pico team are about to present at the Passwords 2014 conference in Trondheim, we introduce our proposal for Password Manager Friendly (PMF) semantics. PMF semantics are designed to give developers and maintainers of password managers a bit of a break and, more importantly, to improve the user experience.
For the details of the PMF proposal please read my post Why password managers (sometimes) fail on the Lightbluetouchpaper blog (the blog of the Security research group at the University of Cambridge).
0303
0303 – the PIN of the guy in front of me in Boots at the weekend. All your secrets are belonging to me.
Pico in the Guardian
Delegation’s what you need (for usable security)
I heart PINs is a sorry tale of failed delegation (of a burglar alarm PIN). That failure was two-fold. Firstly, delegating a static shared secret such as a PIN or password invariably results in it being written down. Once written down the PIN has become a bearer token, fundamentally changing the security properties of the system. This introduces new threats whilst potentially mitigating others (given the importance of availability, loss of the token is a significant concern).