It’s Not What You Know, But Who You Know: A social approach to last-resort authentication

  • Stuart Schechter,
  • Serge Egelman,
  • Robert W. Reeder

CHI '09: Proceedings of the twenty-seventh annual SIGCHI conference on Human factors in computing systems

Published by ACM

Backup authentication mechanisms help users who have forgotten their passwords regain access to their accounts—or at least try. Today’s mechanisms fall short on both security and reliability, and have significant room for improvement on each. We designed, built, and tested a new authentication system that employs social authentication: trustees previously appointed by the account holder verify the account holder’s identity. We ran three experiments to determine whether the system could (1) reliably authenticate account holders, (2) resist email attacks that target trustees by impersonating account holders, and (3) resist phone-based attacks from individuals close to account holders. Results were encouraging: seventeen of the nineteen participants who made the effort to call trustees authenticated successfully. However, we also found that users must be reminded of who their trustees are. While email-based attacks were largely unsuccessful, stronger countermeasures will be required to counter highly personalized phone-based attacks.
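The abstract describes the architecture only at a high level: trustees appointed in advance vouch for the holder, and holders need reminding of whom they appointed. The following is an added example, not the paper's system or code, of how a threshold-based trustee recovery flow can be implemented server-side. Its design choices (a threshold of distinct trustees, per-trustee single-use codes stored only as hashes, code expiry, a trustee-list reminder) are assumptions for illustration; the paper does not specify these parameters.

```python
"""Threshold social recovery sketch (added example; assumed design, not the paper's implementation)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def _hash(code: str) -> str:
    # Only the hash of a recovery code is stored, so a database leak does not yield usable codes.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class RecoveryCode:
    trustee: str
    code_hash: str
    expires_at: float
    used: bool = False


class SocialRecovery:
    """Recover an account once `threshold` distinct appointed trustees have vouched for the holder."""

    def __init__(self, threshold: int = 3, code_ttl_seconds: int = 48 * 3600):
        self.threshold = threshold          # assumed k-of-n policy; the paper does not state k
        self.code_ttl = code_ttl_seconds    # assumed validity window for a trustee's code
        self.trustees: Dict[str, Set[str]] = {}          # holder -> appointed trustees
        self.codes: Dict[str, List[RecoveryCode]] = {}   # holder -> codes issued by trustees

    def appoint_trustees(self, holder: str, trustees: List[str]) -> None:
        """Holder appoints trustees ahead of time, while still able to log in."""
        if len(set(trustees)) < self.threshold:
            raise ValueError("not enough distinct trustees to ever reach the threshold")
        self.trustees[holder] = set(trustees)
        self.codes[holder] = []

    def list_trustees(self, holder: str) -> List[str]:
        """The reminder the paper found necessary: holders forget whom they appointed."""
        return sorted(self.trustees.get(holder, ()))

    def issue_code(self, holder: str, trustee: str, now: Optional[float] = None) -> str:
        """A trustee requests a code after verifying the holder's identity out of band (e.g. by phone).

        Returns the code the trustee hands to the holder; the server keeps only its hash.
        """
        now = time.time() if now is None else now
        if trustee not in self.trustees.get(holder, ()):
            raise PermissionError("not an appointed trustee for this account")
        # A fresh code supersedes any earlier unused code from the same trustee.
        self.codes[holder] = [c for c in self.codes[holder] if c.trustee != trustee or c.used]
        code = secrets.token_urlsafe(12)
        self.codes[holder].append(RecoveryCode(trustee, _hash(code), now + self.code_ttl))
        return code

    def redeem(self, holder: str, presented: List[str], now: Optional[float] = None) -> bool:
        """Holder submits collected codes; succeed only with `threshold` distinct, live trustees."""
        now = time.time() if now is None else now
        vouching: Dict[str, RecoveryCode] = {}
        for code in presented:
            h = _hash(code)
            for rec in self.codes.get(holder, []):
                if hmac.compare_digest(rec.code_hash, h) and not rec.used and rec.expires_at > now:
                    vouching[rec.trustee] = rec   # keyed by trustee: one trustee counts once
        if len(vouching) < self.threshold:
            return False
        for rec in vouching.values():
            rec.used = True                        # codes are single use
        return True


if __name__ == "__main__":
    sr = SocialRecovery(threshold=2)
    sr.appoint_trustees("alice", ["bob", "carol", "dave"])   # constructed sample account
    print("Alice's trustees:", sr.list_trustees("alice"))
    c_bob = sr.issue_code("alice", "bob")
    c_carol = sr.issue_code("alice", "carol")
    print("one vouch:", sr.redeem("alice", [c_bob]))          # False
    print("two vouches:", sr.redeem("alice", [c_bob, c_carol]))  # True
```

The threshold is what makes the attacks in the abstract costly: an email or phone impersonation must convince several independent trustees, not one, and each trustee's code can only be spent once and only within its window. Binding each code to a single trustee is also what prevents a single compromised trustee from supplying the whole quorum.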