{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T11:47:35Z","timestamp":1753876055413,"version":"3.41.2"},"reference-count":40,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2020,11,18]],"date-time":"2020-11-18T00:00:00Z","timestamp":1605657600000},"content-version":"vor","delay-in-days":322,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"European Research Council","award":["StG 307224"],"award-info":[{"award-number":["StG 307224"]}]},{"DOI":"10.13039\/501100000266","name":"Engineering and Physical Sciences Research Council","doi-asserted-by":"crossref","award":["EP\/M019055\/1"],"award-info":[{"award-number":["EP\/M019055\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020,1,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Pico is a token-based login method that claims to be simultaneously more usable and more secure than passwords. It does not ask users to remember any secrets, nor to type one-time passwords. We evaluate Pico\u2019s claim with two deployments and user studies, one on a web-based service and another within an organization. Our main aim is to collect actionable intelligence on how to improve the usability and deployability of Pico. In our first study we team up with an established website, Gyazo, to offer this alternative login mechanism to users intent on performing a real task of image sharing. From the lessons of this first study, we retarget Pico\u2019s focus from replacing web passwords to replacing desktop login passwords; and thus in our second study we engage with a government organization, Innovate UK, to offer employees the ability to lock and unlock their computer automatically based on proximity. We focus particularly on the ecological validity of the trials and we thereby gain valuable insights into the viability of Pico, not only through the actual responses from the participants but also through the many practical challenges we had to face and overcome. Reflecting on the bigger picture, from our experience we believe the security usability community would greatly benefit from pushing towards greater ecological validity in published work, despite the considerable difficulties and costs involved.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaa010","type":"journal-article","created":{"date-parts":[[2020,11,18]],"date-time":"2020-11-18T18:06:31Z","timestamp":1605722791000},"source":"Crossref","is-referenced-by-count":0,"title":["Deploying authentication in the wild: towards greater ecological validity in security usability studies"],"prefix":"10.1093","volume":"6","author":[{"given":"Seb","family":"Aebischer","sequence":"first","affiliation":[{"name":"Computer Laboratory, University of Cambridge, Cambridge, UK"}]},{"given":"Claudio","family":"Dettoni","sequence":"additional","affiliation":[{"name":"Computer Laboratory, University of Cambridge, Cambridge, UK"}]},{"given":"Graeme","family":"Jenkinson","sequence":"additional","affiliation":[{"name":"Computer Laboratory, University of Cambridge, Cambridge, UK"}]},{"given":"Kat","family":"Krol","sequence":"additional","affiliation":[{"name":"Computer Laboratory, University of Cambridge, Cambridge, UK"}]},{"given":"David","family":"Llewellyn-Jones","sequence":"additional","affiliation":[{"name":"Computer Laboratory, University of Cambridge, Cambridge, UK"}]},{"given":"Toshiyuki","family":"Masui","sequence":"additional","affiliation":[{"name":"Faculty of Science and Technology, Keio University Shonan Fujisawa Campus, Fujisawa, Kanagawa, Japan"},{"name":"Nota Inc., Japan"}]},{"given":"Frank","family":"Stajano","sequence":"additional","affiliation":[{"name":"Computer Laboratory, University of Cambridge, Cambridge, UK"}]}],"member":"286","published-online":{"date-parts":[[2020,11,18]]},"reference":[{"first-page":"49","year":"2011","author":"Stajano","key":"2020111811162073300_tyaa010-B1"},{"first-page":"197","year":"2014","author":"Jenkinson","key":"2020111811162073300_tyaa010-B2"},{"first-page":"400","year":"2003","author":"Krawczyk","key":"2020111811162073300_tyaa010-B3"},{"first-page":"172","year":"2014","author":"Stajano","key":"2020111811162073300_tyaa010-B4"},{"first-page":"61","year":"2014","author":"Stajano","key":"2020111811162073300_tyaa010-B5"},{"first-page":"212","year":"2015","author":"Stajano","key":"2020111811162073300_tyaa010-B6"},{"first-page":"1313","year":"2014","author":"Stafford-Fraser","key":"2020111811162073300_tyaa010-B7"},{"year":"2016","author":"Payne","key":"2020111811162073300_tyaa010-B8"},{"year":"2017","author":"Aebischer","key":"2020111811162073300_tyaa010-B9"},{"key":"2020111811162073300_tyaa010-B10","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1191\/1478088706qp063oa","article-title":"Using thematic analysis in psychology","volume":"3","author":"Braun","year":"2006","journal-title":"Qualitative Research in Psychology"},{"volume-title":"Statistical Methods for Rates and Proportions","year":"2013","author":"Fleiss","key":"2020111811162073300_tyaa010-B11"},{"first-page":"1","year":"2010","author":"Flor\u00eancio","key":"2020111811162073300_tyaa010-B12"},{"year":"2016","author":"Krol","key":"2020111811162073300_tyaa010-B13"},{"first-page":"601","year":"2006","author":"Wu","key":"2020111811162073300_tyaa010-B14"},{"year":"2015","author":"Krol","key":"2020111811162073300_tyaa010-B15"},{"key":"2020111811162073300_tyaa010-B16","doi-asserted-by":"crossref","first-page":"594","DOI":"10.1145\/359168.359172","article-title":"Password security: A case history","volume":"22","author":"Morris","year":"1979","journal-title":"CACM"},{"key":"2020111811162073300_tyaa010-B17","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2333112.2333114","article-title":"Graphical passwords: Learning from the first twelve years","volume":"44","author":"Biddle","year":"2012","journal-title":"ACM Computing Surveys (CSUR)"},{"key":"2020111811162073300_tyaa010-B18","first-page":"11","article-title":"On user choice in graphical password schemes","volume":"13","author":"Davis","year":"2004","journal-title":"USENIX Security"},{"first-page":"88","year":"2010","author":"Brostoff","key":"2020111811162073300_tyaa010-B19"},{"first-page":"71","year":"2015","author":"Krol","key":"2020111811162073300_tyaa010-B20"},{"year":"2010","author":"Beautement","key":"2020111811162073300_tyaa010-B21"},{"first-page":"607","year":"2014","author":"Bonneau","key":"2020111811162073300_tyaa010-B22"},{"year":"2016","author":"Krol","key":"2020111811162073300_tyaa010-B23"},{"first-page":"2667","year":"2014","author":"Felt","key":"2020111811162073300_tyaa010-B24"},{"first-page":"405","year":"2000","author":"Brostoff","key":"2020111811162073300_tyaa010-B25"},{"year":"2009","author":"Strouble","key":"2020111811162073300_tyaa010-B26"},{"year":"2014","author":"Steves","key":"2020111811162073300_tyaa010-B27"},{"first-page":"456","year":"2018","author":"Colnago","key":"2020111811162073300_tyaa010-B28"},{"key":"2020111811162073300_tyaa010-B29","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1109\/30.125076","article-title":"Active badges and personal interactive computing objects","volume":"38","author":"Want","year":"1992","journal-title":"IEEE Transactions on Consumer Electronics"},{"first-page":"274","year":"1997","author":"Landwehr","key":"2020111811162073300_tyaa010-B30"},{"year":"1999","author":"Landwehr","key":"2020111811162073300_tyaa010-B31"},{"first-page":"1","year":"2002","author":"Corner","key":"2020111811162073300_tyaa010-B32"},{"key":"2020111811162073300_tyaa010-B33","doi-asserted-by":"crossref","first-page":"1489","DOI":"10.1109\/TMC.2006.169","article-title":"Mobile device security using transient authentication","volume":"5","author":"Nicholson","year":"2006","journal-title":"IEEE Transactions on Mobile Computing"},{"first-page":"249","year":"2003","author":"Pashalidis","key":"2020111811162073300_tyaa010-B34"},{"first-page":"243","year":"2005","author":"Linden","key":"2020111811162073300_tyaa010-B35"},{"first-page":"383","year":"2010","author":"Inglesant","key":"2020111811162073300_tyaa010-B36"},{"first-page":"916","year":"2015","author":"Ruoti","key":"2020111811162073300_tyaa010-B37"},{"first-page":"553","year":"2012","author":"Bonneau","key":"2020111811162073300_tyaa010-B38"},{"volume-title":"Shaping the Future of ICT Research. Methods and Approaches","year":"2012","author":"Crowston","key":"2020111811162073300_tyaa010-B39"},{"year":"2012","author":"Bonneau","key":"2020111811162073300_tyaa010-B40"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/6\/1\/tyaa010\/34385097\/tyaa010.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/6\/1\/tyaa010\/34385097\/tyaa010.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,11,18]],"date-time":"2020-11-18T18:06:36Z","timestamp":1605722796000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaa010\/5989371"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,1,1]]},"references-count":40,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,1,1]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaa010","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"type":"print","value":"2057-2085"},{"type":"electronic","value":"2057-2093"}],"subject":[],"published-other":{"date-parts":[[2020]]},"published":{"date-parts":[[2020,1,1]]},"article-number":"tyaa010"}}