Major Universities Explore Password Alternatives

Sophos blog Naked Security recently reported that Cambridge and Oxford are both working on modern alternatives to passwords. The Cambridge Computer Laboratory and Oxford BioChronometrics both seek to address the rising need for new alternatives to password-based authentication via their new programs Pico and eDNA, respectively.


Photo: leungchopan / Shutterstock

Naked Security explains:

We choose them badly, we’re not good at remembering them, we reuse them across different sites. Companies struggle with appropriate policies internally, and websites, even major brands, don’t enforce strong rules either.

Passwords are regularly leaked in data breaches and need to be reset, with sloppy approaches to alerting people putting them further at risk.

Pico creator Frank Stajano elaborates that different systems have different password requirements, users are instructed not to write them down, and even those who have found the “perfect” password are forced to change them every few months. “In fact, it’s absolutely impossible to follow all these rules at once,” according to Stajano, even for security experts themselves. On top of the difficulty passwords present on the user end, they are easy to breach from a security standpoint.

Pico was originally introduced in Stajano’s paper Pico: No more passwords! The system consists of a small authentication device (the Pico) and several wearable electronic devices (“Picosiblings”) that inform the Pico it is in the possession of the correct user. As Naked Security describes it, these Picosiblings give the wearer “an electronic aura.”

In his paper, Stajano listed his minimum requirements for a suitable password replacement system: the replacement had to be memoryless (so the user does not have to remember any “secrets”), scalable (so as to be effective for a wide variety of systems), and of course, secure.  He also included the additional requirements one would need for a “token-based” system; namely, the Pico and its siblings would have to be loss- and theft-resistant.

On top of these basic requirements, Stajano adds that Pico provides usability- and security-related benefits that passwords do not currently have, and includes in his paper desirable properties “that are not goals for Pico” but might be considered in later implementations. Among other things, these desirable properties include the ability to deploy Pico without the need to change apps or clients.

So far, potential threats in the literature appear limited to relay attacks. Stajano’s team at Cambridge proposes to deflect relay attacks between the Pico and its siblings with “session delegation.”

With accurate timing of the challenges and responses we can detect a relay attack because no remote attacker can respond as quickly as a genuine Picosibling that is within arm’s reach.

Stajano is still working on a solution for relay attacks between the Pico and web browsers. Results will be published in a forthcoming paper.

Pico’s implementation is currently open-source, with automatic updates for users in the future. When asked why a separate device for the Pico rather than a convenient mobile app, the Pico team explains that “phones nowadays are general purpose programmable web-connected computers on which people download and execute arbitrary code… we want Pico to be a non-programmable, single-purpose gadget.”

Pico is currently being funded by the European Research Council.

Meanwhile, Oxford BioChronometrics is taking a more personal approach with its eDNA (electronically Defined Natural Attributes) project. The team is calling its methodology Human Recognition Technology. BioChronometrics uses subtle interactive behaviors to create an electronic signature called eDNA. These interactive behaviors may include the way a user swipes a screen, types on a keyboard, and hundreds of other physical variables. According to the project website, “while bots, hackers and scammers can perhaps mimic a few of these behaviors, nothing is able to replicate them all.”

Pico’s rebuttal to biometric inputs revolves around the potential for surveillance and collusion. According to the Pico FAQ, a biometric system would allow for multiple interfaces to “collude” due to the unique nature of these personal behaviors:

Your biometrics identify you uniquely and therefore they allow colluding verifiers to link your activities across domains. So your employer, your mental health clinic, your political party, your telecomms provider and so forth (not to mention your friendly government agencies, which already do) would be in a position to build a dossier of everything you do and everywhere you go.

Naked Security however, speculates that a program like Pico could be too expensive and burdensome for the typical user. The report suggests that while it might become the new authentication method of choice for those who can budget for high-end security measures (such as governments), a more user-friendly biometric system such as eDNA would likely become more popular with the general public.