ABSTRACT
Backup authentication mechanisms help users who have forgotten their passwords regain access to their accounts, or at least try. Today's systems fall short in meeting both security and reliability requirements. We designed, built, and tested a new backup authentication system that employs a social-authentication mechanism. The system employs trustees previously appointed by the account holder to verify the account holder's identity. We ran three experiments to determine whether the system could (1) reliably authenticate account holders, (2) resist email attacks that target trustees by impersonating account holders, and (3) resist phone-based attacks from individuals close to account holders. Results were encouraging: seventeen of the nineteen participants who made the effort to call trustees authenticated successfully. However, we also found that users must be reminded of who their trustees are. While email-based attacks were largely unsuccessful, stronger countermeasures will be required to counter highly personalized phone-based attacks.
It's not what you know, but who you know: a social approach to last-resort authentication