It's Not What You Know, But Who You Know: A social approach to last-resort authentication

Stuart Schechter, Serge Egelman, and Robert W. Reeder

Abstract

Backup authentication mechanisms help users who have forgotten their passwords regain access to their accounts, or at least try to. Today's mechanisms fall short on both security and reliability, leaving significant room for improvement. We designed, built, and tested a new authentication system that employs social authentication: trustees previously appointed by the account holder verify the account holder's identity. We ran three experiments to determine whether the system could (1) reliably authenticate account holders, (2) resist email attacks that target trustees by impersonating account holders, and (3) resist phone-based attacks from individuals close to account holders. Results were encouraging: seventeen of the nineteen participants who made the effort to call trustees authenticated successfully. However, we also found that users must be reminded of who their trustees are. While email-based attacks were largely unsuccessful, stronger countermeasures will be required to counter highly personalized phone-based attacks.
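The following is an added illustration of the trustee-based recovery flow the abstract describes; it is not code from the paper or its authors. It models the server side only: the account holder appoints trustees ahead of time, opens a recovery attempt when locked out, and each trustee, after verifying the holder out of band (the phone call the abstract mentions), obtains a one-time code from their own authenticated session and passes it on. The threshold of 3 codes from 4 trustees, the one-day code lifetime, the code format and all names in the demo are assumptions chosen for this example, not values taken from the page.

```python
"""Toy server-side model of trustee-based (social) account recovery.

Assumptions (not from the paper): 3-of-4 threshold, 24h code lifetime,
8-hex-digit codes. Codes are only ever handed to an authenticated trustee,
never emailed to the claimant, so an impersonation email to a trustee cannot
obtain one directly; one code per trustee per attempt stops a single trustee
(or an attacker who compromised one) from supplying the whole threshold.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 24 * 3600  # assumption: a code is valid for one day
THRESHOLD = 3                 # assumption: codes from 3 distinct trustees needed
MAX_TRUSTEES = 4              # assumption: at most 4 trustees per account


def _digest(code: str) -> bytes:
    """Store only a hash of each code so a database leak does not expose live codes."""
    return hashlib.sha256(code.encode()).digest()


@dataclass
class Attempt:
    opened_at: float
    issued: dict = field(default_factory=dict)   # trustee -> (digest, issued_at)
    redeemed: set = field(default_factory=set)   # trustees whose code was accepted


class SocialRecovery:
    def __init__(self) -> None:
        self.trustees: dict = {}   # account -> set of appointed trustees
        self.attempts: dict = {}   # account -> currently open recovery attempt

    def appoint(self, account: str, trustee: str) -> None:
        chosen = self.trustees.setdefault(account, set())
        if trustee == account or len(chosen) >= MAX_TRUSTEES:
            raise ValueError("invalid trustee or too many trustees")
        chosen.add(trustee)

    def trustees_of(self, account: str) -> list:
        """Shown to the holder periodically: the paper found users forget who they chose."""
        return sorted(self.trustees.get(account, ()))

    def begin(self, account: str, now: float) -> None:
        if len(self.trustees.get(account, ())) < THRESHOLD:
            raise ValueError("not enough trustees appointed")
        # Opening a fresh attempt invalidates codes from any earlier attempt.
        self.attempts[account] = Attempt(opened_at=now)

    def issue_code(self, account: str, trustee: str, now: float) -> str:
        """Called from the trustee's own logged-in session after the trustee has
        verified the claimant out of band. Returns the code to show the trustee."""
        attempt = self.attempts.get(account)
        if attempt is None or trustee not in self.trustees.get(account, ()):
            raise PermissionError("no open attempt, or caller is not a trustee")
        if trustee in attempt.issued:
            raise PermissionError("one code per trustee per attempt")
        code = secrets.token_hex(4)
        attempt.issued[trustee] = (_digest(code), now)
        return code

    def redeem(self, account: str, trustee: str, code: str, now: float) -> bool:
        """Claimant presents a code attributed to one trustee; expired or wrong codes fail."""
        attempt = self.attempts.get(account)
        if attempt is None or trustee not in attempt.issued:
            return False
        digest, issued_at = attempt.issued[trustee]
        if now - issued_at > CODE_TTL_SECONDS:
            return False
        if not hmac.compare_digest(digest, _digest(code)):  # constant-time compare
            return False
        attempt.redeemed.add(trustee)
        return True

    def recovered(self, account: str) -> bool:
        attempt = self.attempts.get(account)
        return attempt is not None and len(attempt.redeemed) >= THRESHOLD


def demo() -> bool:
    """Constructed walk-through: holder appoints four trustees, three help out."""
    sr = SocialRecovery()
    for t in ("alice", "bob", "carol", "dave"):
        sr.appoint("holder", t)
    t0 = 1_000_000.0
    sr.begin("holder", t0)
    codes = {t: sr.issue_code("holder", t, t0 + 60) for t in ("alice", "bob")}
    for t, c in codes.items():
        assert sr.redeem("holder", t, c, t0 + 120)
    assert not sr.redeem("holder", "carol", "ffffffff", t0 + 120)  # no code issued yet
    assert not sr.recovered("holder")                                # only 2 of 3
    c3 = sr.issue_code("holder", "carol", t0 + 200)
    assert sr.redeem("holder", "carol", c3, t0 + 300)
    return sr.recovered("holder")


if __name__ == "__main__":
    print("recovered:", demo())
```

The model addresses the email attack by construction (a trustee can only obtain a code from inside their own session, so a forged "please send me my code" email has nothing to ask for) but does nothing against the phone-based attack the abstract flags, where someone close to the holder convinces trustees in person; that needs measures outside the code path, such as reminding trustees what they are attesting to and rate-limiting attempts.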

Details

Publication type: Inproceedings
Published in: CHI '09: Proceeding of the twenty-seventh annual SIGCHI conference on Human factors in computing systems
Address: New York, NY, USA
Publisher: ACM