Low-Cost Mitigation Against Cold Boot Attacks for an Authentication Token

Goldberg, Ian; Jenkinson, Graeme; Stajano, Frank

doi:10.1007/978-3-319-39555-5_3

Cited by 2 publications

(1 citation statement)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The work has generated many technical results (e.g. see Goldberg et al, Stajano et al and others [22], [23]), but only one user study has previously been conducted and published on nonfunctional Pico prototypes [20]. Some recent work by Urueña and Soto [24] has sought to empirically assess login times, but currently the work is in its early stages.…”

Section: Related Workmentioning

confidence: 99%

Pico in the Wild: Replacing Passwords, One Site at a Time

Aebischer¹,

Dettoni²,

Jenkinson³

et al. 2017

Proceedings 2nd European Workshop on Usable Security

Self Cite

View full text Add to dashboard Cite

Passwords are a burden on the user, especially nowadays with an increasing number of accounts and a proliferation of different devices. Pico is a token-based login method that does not ask users to remember any secrets, nor require keyboard entry of one-time passwords. We wish to evaluate its claim of being simultaneously more usable and more secure than passwords, whilst testing its support for frictionless deployment to web-based services. Our main aim is to collect actionable intelligence on how to improve it. In our study, we teamed up with an Alexa Top 500 website, Gyazo, to offer this alternative login mechanism to users intent on performing a real task of image sharing. We focused on the ecological validity of the trial, and gained knowledge both through the challenges of the trial and the results generated. Users appreciated the ability to avoid password entry but the overall benefit was mitigated by the existing measures put in place by Gyazo to minimise the number of times users are presented with a password entry box. Our main finding is that providing enough benefit requires a solution that applies across sites, rather than focusing on authentication for a single site in isolation. 1 https://gyazo.com/ Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: Related Workmentioning

confidence: 99%