On 7th of June Frank Stajano was giving a talk on Pico. Pico is basically his answer to the question “how we could get rid of passwords”. There was one thing that made me really sad about his talk, it was that Pico does not exist yet. At the moment it is an idea about a device which will help us to get rid of the passwords and the problems around them. Let me try to picture his idea:
One of the main concepts is, that the future user is carrying a device with him, which can communicate to the computer/device/what ever in front of him via radio signals. This device is called Pico. Pico will have (at least) two buttons, one for giving credentials and one for creating new credentials. Additionally Pico will have a camera to take pictures. If the user now is going to login to … whatever, he is presented a picture with a QR Code. This QR Code will have a hash of a certificate together with some nonce. The device where the user is going to login will send out a public key together with the nonce. If the user wants to login, he takes a picture of the QR code and verifies that QR Code and public key are matching. If they match Pico checks if there are already credentials for this system (identified by the public key). The user can now push the button to login on the device and identifies himself to the system.
You should now ask, and how does the user authenticate himself to Pico? The answer to this is both easy and brilliant, he does this by carrying around some devices, which he calls Picosiblings. Small devices which are used as tokens, communicating with Pico. Each token will give Pico some information about the Key Pico is internally using. only if there are k out of n siblings available Pico is able to access the identities stored in the memory.
Unfortunately to describe everything in the details which would be needed to see how sexy his solution is, I would have to create a blog of its own to describe it. Therefore I suggest:
- take a look on the video of the conference
- talk and listen to him.
At this point, I can only say thank you for the talk and Frank, put me on top of the list of betatesters as soon you need one.