Dare we dream of a password-free future?

Researchers are developing a device which lets users log in to their accounts without having to enter a password. Image courtesy of the Pico research group

Memorising random strings of letters, numbers and symbols seems like an inevitable nuisance of internet life, but new devices currently under development could ease the burden by rendering passwords a thing of the past.

The devices – which consist either of multiple, physical keys or ‘biometric’ sensors – aim to improve digital security without relying on people to remember passwords at all.

Currently, experts in internet security recommend that every password ought to be a long, unguessable string of letters, numbers and symbols. But since most users need to remember dozens of unique passwords – for everything from internet banking to email and online shops – that recommendation can seem rather optimistic.

Dr Frank Stajano at the University of Cambridge in the UK thinks it is no surprise that people end up using the same passwords for multiple accounts, or writing passwords down on sticky notes, thus undermining their security. ‘I want to relieve the impossible burden that passwords impose on human beings,’ he said.

Backed by a grant from the EU’s European Research Council, Dr Stajano has come up with a small device he calls Pico, which works a bit like an electronic fob. Instead of typing a password into a box, you simply show the Pico to the computer, and a wireless interaction provides the authentication.

It’s not quite that simple, because there is the risk that someone can steal your Pico. That is why Pico comes with several ‘Picosiblings’ – much smaller devices that you can wear, perhaps hidden inside your wallet or shoe.

Users can determine the number of Picosiblings that need to be near the main Pico in order to log in to their accounts. Images courtesy of the Pico research group

To provide authentication with a computer, website or other system, the main Pico must detect the presence of several Picosiblings. You could configure Pico to require the detection of more or fewer siblings, depending on how security conscious you are, says Dr Stajano.


To be compatible with secure websites, Pico currently requires an application, called Lens, to be installed in the web browser. The Pico Lens translates the authentication signal coming from the main Pico device into a regular password – albeit one that is so long as to be virtually uncrackable – that the website can recognise.

The Issue

The most common passwords in 2014 were '123456', 'password' and '12345', according to SplashData, which compiles an annual list of the worst offenders. 

Weak passwords like these leave people open to online fraud, and 7% of EU citizens surveyed in 2014 said they had experienced or been the victim of identity theft.

While passwords are one side of the battle in cybersafety, the EU is also working on making sure that Member States and organisations ensure that their digital environment is secure and trustworthy, as part of the Digital Agenda.

In the next phase, however, Dr Stajano is developing code equivalent to Lens that is installed not in a user’s computer, but in the website itself. He says he has an agreement with a website that has millions of real users to test out this version of Pico.

‘We are actively seeking out users who are interested in the technology for its benefits, not just lab rats who will try it because we gave them ten pounds,’ he said.

Dr Stajano is sceptical of one burgeoning area of computer security – the use of biometric sensors, such as those for fingerprints. Unlike passwords, biometric information is personal to the user and cannot be changed, he says, and should not be shared thoughtlessly – for instance, by providing it to different websites.

Dr João Silva, a computer scientist at the Institute for Systems and Computer Engineering, Research and Development (INESC-ID) in Lisbon, Portugal, agrees that biometric information is problematic. But he believes it can still be put to good use in digital security – so long as it doesn’t leave the user’s hands.

Supported by over EUR 3 million from the European Commission, Dr Silva and his colleagues are developing a device that looks like a smartphone case – a ‘Personalised Centralized Authentication System’, or PCAS.

Unlike a normal case, however, PCAS contains several biometric sensors: a camera on the front for face recognition; a camera on the side for palm-print recognition; and a motion sensor which recognises a user based on the unique way he or she moves the smartphone around.

Personal data

By recognising a user’s face, palm print and motion signals, PCAS might one day be able to unlock computers, websites and smartphone apps. In the short term, however, Dr Silva has a more specific goal in mind: the storage and transfer of highly personal data, like medical records and bank details.

PCAS has its own memory and processor, which means the biometric information used to unlock it never leaves the device, even when authenticating the user to remote services. This should put at ease those who are concerned about governments or private companies storing private data, says Dr Silva.

Having personal data close at hand might also empower the user, he says. In some countries, personal data like medical records cannot be transferred between institutions without filling out lengthy forms. PCAS opens up the possibility of the user transferring the data themselves.

But what if someone attempts to steal the data, for example by coercion? Stay calm: a second hand gesture, defined by the user, can secretly alert PCAS’s service provider to illicit activity.

Like Dr Stajano, Dr Silva wants his hi-tech smartphone case to eliminate the need for passwords, which he believes are a growing problem. ‘People reuse passwords,’ he said. ‘People don’t like to memorise.’
