User Authentication in Social Systems

Social systems today most commonly rely on passwords to authenticate users. Two serious issues in this paradigm are that 1) users inevitably forget their passwords, and 2) their passwords can be compromised by attackers. To address the first issue, service providers often offer backup authentication mechanisms that let users regain access to their accounts when they forget their passwords. However, the backup mechanisms in wide use today, such as security questions and alternate email addresses, are insecure, unreliable, or both. To limit the damage from the second issue, service providers often adopt an auxiliary authentication mechanism that further verifies a user's identity when suspicious activity is detected on the account. However, widely adopted auxiliary mechanisms, including CAPTCHAs and security questions, have also been shown to offer weak security and usability guarantees. Given the increasing availability of users' social data, social systems such as Facebook have begun to leverage that data to design more secure and usable backup and auxiliary authentication mechanisms. Based on how the social data is used, we classify social-data-based authentication mechanisms into trustee-based social authentication (used for backup authentication) and knowledge-based social authentication (used for auxiliary authentication). For instance, Microsoft researchers implemented a trustee-based social authentication prototype and integrated it into Microsoft's Windows Live ID system; Facebook launched a trustee-based social authentication system called Trusted Contacts in May 2013, and has had a knowledge-based system, called social authentication, in use since January 2011.
Our work aims to make trustee-based and knowledge-based social authentication more secure and usable. In particular, we proposed new attacks on trustee-based social authentication, a probabilistic security model that formalizes the threat posed by these attacks and their cost to attackers, and defenses against them. Our results have strong implications for the design of more secure trustee-based social authentication. Our ongoing research focuses on designing more secure and usable knowledge-based social authentication.
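To make the trustee-based mechanism and the reason trustee compromise matters concrete, the following is an added Python example written for this page; it is not code from the research group, from Facebook's Trusted Contacts or from the Windows Live ID prototype. Everything beyond the page's description is an assumption: the recovery flow (each user enrolls n trustees, a locked-out user asks the service to issue a fresh one-time code to each trustee's account, and any k distinct valid codes regain access), the parameters n and k, the user names and the trust graph. The "compromise closure" function is a simplified illustration of how control of some trustees' accounts can cascade, not the authors' attack or their probabilistic security model.

```python
"""Trustee-based social authentication modelled as k-of-n recovery codes.

Added example, not code from the research group or from any deployed system.
Assumptions not stated on the page: each user enrolls n trustees; when locked
out, the service issues a fresh one-time code to each trustee's account; any
k distinct valid codes regain access. The compromise propagation below is an
illustration of why compromised trustees matter, not the authors' attack model.
"""
import hmac
import secrets


class TrusteeRecovery:
    """Minimal service-side state for k-of-n trustee recovery."""

    def __init__(self, threshold):
        self.k = threshold
        self.trustees = {}   # user -> tuple of trustee user names
        self.pending = {}    # user -> {trustee: one-time code} for an open recovery

    def enroll(self, user, trustees):
        """Register trustees; reject self-trust, duplicates and fewer than k trustees."""
        ts = tuple(trustees)
        if user in ts or len(set(ts)) != len(ts) or len(ts) < self.k:
            raise ValueError("invalid trustee set")
        self.trustees[user] = ts

    def start_recovery(self, user):
        """Locked-out user requests recovery: every trustee gets a fresh code."""
        self.pending[user] = {t: secrets.token_hex(8) for t in self.trustees[user]}

    def code_for(self, trustee, user):
        """What a logged-in trustee sees for `user`'s open recovery (None otherwise)."""
        return self.pending.get(user, {}).get(trustee)

    def recover(self, user, submitted):
        """Accept only if codes from at least k distinct trustees verify; codes are single-use."""
        expected = self.pending.get(user, {})
        good = 0
        for trustee, code in submitted.items():
            exp = expected.get(trustee)          # unknown or non-trustee names count for nothing
            if exp is not None and hmac.compare_digest(exp, str(code)):
                good += 1
        if good >= self.k:
            del self.pending[user]               # burn the codes so they cannot be replayed
            return True
        return False


def attacker_takeover(system, victim, compromised):
    """An attacker holding the accounts in `compromised` triggers recovery for
    `victim` and reads whatever codes were delivered to trustees they control."""
    system.start_recovery(victim)
    codes = {t: system.code_for(t, victim)
             for t in system.trustees[victim] if t in compromised}
    return system.recover(victim, codes)


def compromise_closure(trustees, threshold, seeds):
    """Fixpoint: any user with >= threshold compromised trustees falls as well."""
    taken = set(seeds)
    changed = True
    while changed:
        changed = False
        for user, ts in trustees.items():
            if user not in taken and sum(t in taken for t in ts) >= threshold:
                taken.add(user)
                changed = True
    return taken


# Constructed trust graph with hypothetical users, n = 3 trustees each.
GRAPH = {
    "alice": ("bob", "carol", "dave"),
    "bob":   ("alice", "carol", "erin"),
    "carol": ("alice", "bob", "frank"),
    "dave":  ("alice", "bob", "erin"),
    "erin":  ("dave", "alice", "frank"),
    "frank": ("erin", "dave", "carol"),
}


def build(threshold):
    """Enroll every user of GRAPH into a fresh system with the given k."""
    s = TrusteeRecovery(threshold)
    for u, ts in GRAPH.items():
        s.enroll(u, ts)
    return s


if __name__ == "__main__":
    for k in (2, 3):
        fallen = compromise_closure(GRAPH, k, {"bob", "carol"})
        print(f"k={k}: starting from bob and carol, the attacker reaches {sorted(fallen)}")
    print("direct takeover of alice with bob and carol, k=2:",
          attacker_takeover(build(2), "alice", {"bob", "carol"}))
```

On the constructed graph, two compromised accounts are enough to take over every user when k=2, while k=3 stops the cascade at the seeds. Raising k is the obvious knob, but it costs usability, since the locked-out user must reach more trustees; deciding what trustee sets and thresholds are worth for a given attacker budget is exactly the kind of question a security model such as the one described above is meant to answer, and this toy does not attempt that.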