Pico: no more passwords!

Frank Stajano

Pico is a research project to liberate computer users from the inconvenience and insecurity of passwords. The primary design directive is: you won't have to remember any secrets to authenticate.

The inadequacy of passwords is often noted and many researchers have attempted to provide replacements; yet we still use more passwords today than we ever did. But if you could afford total freedom to redesign the world and do things right, what would you produce instead of passwords? Pico is a clean-slate design, free from compatibility shackles: we won't presume to displace passwords overnight but we want to have a good solution ready for the day that people (and businesses) really can't stand passwords any more.

password pain

Technically, we move from "something you know" (dozens of passwords) to "something you have" (crypto gadgets that you wear). We address common problems of existing authentication tokens, such as having to have a different token for each verifier or having to remember further meta-secrets to unlock the tokens. More importantly, we base our development cycle on a user-driven quick prototyping philosophy: it has to be more convenient than passwords for non-geeks.

In 2012 the European Research Council of the EU awarded me a generous grant to develop Pico. Thanks to them I am now assembling an interdisciplinary team that will eventually comprise several post-doctoral researchers and graduate students, including members with expertise in interaction design, experimental psychology and embedded hardware, besides computer security. The project is hosted at the Computer Security Group of the University of Cambridge Computer Laboratory. The intellectual property of all work developed under the project will be released openly and will not be patented.

Would you like to be part of the élite team that will develop, deploy and iteratively redesign a working version of Pico? Then go to the bottom of this page and get in touch! I am looking for applicants right now.


I discussed my ideas about Pico with several audiences, on at least the following occasions. Check them out for background on the project.

This research was first presented at the 19th International Workshop on Security Protocols, held in Cambridge, UK in March 2011. The proceedings were published by Springer-Verlag in the Lecture Notes in Computer Science series, issue 7114. The full text of the revised paper, "Pico: no more passwords!", © Springer-Verlag, is available online and so is the transcript of the ensuing discussion.
Invited talk at ISSA Ireland (Information Systems Security Association) National Conference, Dublin, Ireland.
Invited talk at Passwords^11, Bergen, Norway.
Security and Human Behaviour 2011, Carnegie Mellon University, Pittsburgh, PA, USA.
Invited talk at USENIX Security 2011, San Francisco, CA, USA. Presentation video available.
Invited talk at IEEE RTCSA (Real-Time Computer Systems and Applications), Toyama, Japan.

Press coverage

Contributors so far

Job offers

I am looking for exceptionally talented PhD-grade research associates from various backgrounds who want to make a dent in the universe. If you want to be part of the team that will make Pico a reality, get in touch with me (email frank dot stajano minus minus picopage at cl dot cam dot ac dot uk), even if you don't exactly match one of the currently published profiles. I will also consider pre-PhD applications for a research assistant post from outstanding applicants, as well as graduate student positions for MPhil or PhD.

password pain

Back to Frank Stajano's home page

CSS Valid
     HTML 4.0! validated (recheck) Get Acrobat Reader