User Authentication in Social Systems

Social systems today most commonly rely on passwords to authenticate users. Unfortunately, this paradigm has two serious issues: 1) users will inevitably forget their passwords, and 2) their passwords could be compromised by attackers. Therefore, service providers often offer users backup authentication mechanisms to address the first issue and adopt auxiliary authentication mechanisms (launched when suspicious account activity is detected) to mitigate the second. Given the increasing availability of users' social data, social systems like Facebook are beginning to leverage social data to design more secure and usable backup and auxiliary authentication mechanisms. Based on how the social data is used, we classify social-data-based authentication mechanisms into trustee-based social authentication (used for backup authentication) and knowledge-based social authentication (used for auxiliary authentication). For instance, Facebook launched a trustee-based social authentication system called Trusted Contacts in May 2013, and Facebook has also had a knowledge-based social authentication system called social authentication in use since January 2011; Microsoft researchers implemented a trustee-based social authentication prototype and integrated it into Microsoft's Windows Live ID system.
Our work aims to make trustee-based and knowledge-based social authentication more secure and usable. In particular, we proposed new attacks against trustee-based social authentication, a probabilistic security model that formalizes the threat posed by these attacks and their cost to attackers, and defenses against the attacks. Our results have strong implications for the design of more secure trustee-based social authentication. Our ongoing research focuses on designing more secure and usable knowledge-based social authentication.