research-article

It's not what you know, but who you know: a social approach to last-resort authentication

Authors:
Stuart Schechter

Microsoft Research, Redmond, WA, USA

Microsoft Research, Redmond, WA, USA
View Profile

,
Serge Egelman

Carnegie Mellon University, Pittsburgh, PA, USA

Carnegie Mellon University, Pittsburgh, PA, USA
View Profile

,
Robert W. Reeder

Microsoft, Redmond, WA, USA

Microsoft, Redmond, WA, USA
View Profile

CHI '09: Proceedings of the SIGCHI Conference on Human Factors in Computing SystemsApril 2009Pages 1983–1992https://doi.org/10.1145/1518701.1519003

Published:04 April 2009Publication History

CHI '09: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Pages 1983–1992

ABSTRACT

Backup authentication mechanisms help users who have forgotten their passwords regain access to their accounts-or at least try. Today's systems fall short in meeting both security and reliability requirements. We designed, built, and tested a new backup authentication system that employs a social-authentication mechanism. The system employs trustees previously appointed by the account holder to verify the account holder's identity. We ran three experiments to determine whether the system could (1) reliably authenticate account holders, (2) resist email attacks that target trustees by impersonating account holders, and (3) resist phone-based attacks from individuals close to account holders. Results were encouraging: seventeen of the nineteen participants who made the effort to call trustees authenticated successfully. However, we also found that users must be reminded of who their trustees are. While email-based attacks were largely unsuccessful, stronger countermeasures will be required to counter highly-personalized phone-based attacks.

References

J. Brainard, A. Juels, R. L. Rivest, M. Szydlo, and M. Yung. Fourth-factor authentication: somebody you know. In CCS '06: Proceedings of the 13th ACM Conference on Computer and Communications Security, pages 168--178, New York, NY, USA, 2006. ACM. Google ScholarDigital Library
T. Bridis. Hacker impersonated Palin, stole e-mail password, Sept. 18, 2008. Associated Press.Google Scholar
S. Brostoff and A. M. Sasse. Ten strikes and you're out: Increasing the number of login attempts can improve password usability. In Proceedings of CHI 2003 Workshop on HCI and Security Systems, 2003.Google Scholar
CommonwealthBank. NetBank NetCode SMS, 2008. http://www.commbank.com.au/netbank/netcodesms/.Google Scholar
CREDANT Technologies. Mountains of mobiles left in the back of New York cabs, 16, 2008. http://www.credant.com/mountains-of-mobiles-left-inthe-back-of-new-york-cabs.html.Google Scholar
Google Inc. Contact Us - Google Accounts Help, 2008. http://www.google.com/support/accounts/bin/request.py?hl=en&contact type=ara&ctx=accounts&uses apps=no&product=other&submit=Continue.Google Scholar
M. Jakobsson, E. Stolterman, S. Wetzel, and L. Yang. Love and authentication. In CHI '08: Proceeding of the Twenty-Sixth Annual SIGCHI Conference on Human Factors in Computing Systems, pages 197--200, New York, NY, USA, 2008. ACM. Google ScholarDigital Library
Microsoft Corporation. Complete the form below for Windows Live ID validation, 2008. https://support.live.com/eform.aspx?productKey=wlidvalidation&ct=eformcs&scrx=1.Google Scholar
J. Podd, J. Bunnell, and R. Henderson. Cost-effective computer security: Cognitive and associative passwords. In OZCHI '96: Proceedings of the 6th Australian Conference on Computer-Human Interaction (OZCHI '96), page 304, Washington, DC, USA, 1996. IEEE Computer Society. Google ScholarDigital Library
A. Rabkin. Personal knowledge questions for fallback authentication: security questions in the era of facebook. In SOUPS '08: Proceedings of the 4th Symposium on Usable Privacy and Security, pages 13--23, New York, NY, USA, 2008. ACM. Google ScholarDigital Library
SafeNet, Inc. 2004 annual password survey results, 2005. http://www.safenetinc.com/news/view.asp?news ID=239.Google Scholar
S. Schechter, A. J. Bernheim Brush, and S. Egelman. Its no secret: Measuring the security and reliability of authentication via 'secret' questions. In submission.Google Scholar
K.-P. L. Vu, R. W. Proctor, A. Bhargav-Spantzel, B.-L. B. Tai, J. Cook, and E. E. Schultz. Improving password security and memorability to protect personal and organizational information. Int. J. Hum.-Comput. Stud., 65(8):744--757, 2007. Google ScholarDigital Library
M. Zviran and W. J. Haga. User authentication by cognitive passwords: an empirical assessment. In JCIT: Proceedings of the Fifth Jerusalem Conference on Information technology, pages 137--144, Los Alamitos, CA, USA, 1990. IEEE Computer Society Press Google ScholarDigital Library

Index Terms

It's not what you know, but who you know: a social approach to last-resort authentication
1. Human-centered computing
  1. Human computer interaction (HCI)

Recommendations

A method for obtaining digital signatures and public-key cryptosystems

An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to ...
Read More
A method for obtaining digital signatures and public-key cryptosystems
Special 25th Anniversary Issue
An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences:
- Couriers or other secure means are not needed to transmit ...
Read More
An enhanced dynamic ID-based authentication scheme for telecare medical information systems

The authentication schemes for telecare medical information systems (TMIS) try to ensure secure and authorized access. ID-based authentication schemes address secure communication, but privacy is not properly addressed. In recent times, dynamic ID-based ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CHI '09: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
April 2009
2426 pages
ISBN:9781605582467
DOI:10.1145/1518701
General Chairs:
Dan R. Olsen
Brigham Young University
,
Richard B. Arthur
Brigham Young University
,
Program Chairs:
Ken Hinckley
Microsoft Research
,
Meredith Ringel Morris
Microsoft Research
,
Scott Hudson
Carnegie Mellon University
,
Saul Greenberg
University of Calgary
Copyright © 2009 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 4 April 2009
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
privacy
security
usability testing and evaluation
Qualifiers
- research-article
Conference

Acceptance Rates
CHI '09 Paper Acceptance Rate277of1,130submissions,25%Overall Acceptance Rate6,199of26,314submissions,24%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 48
  Total Citations
  View Citations
- 927
  Total Downloads
- Downloads (Last 12 months)50
- Downloads (Last 6 weeks)8
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.