Social Authentication

Social systems today most commonly rely on passwords to authenticate users. Two well-known issues in this paradigm are that users inevitably forget their passwords, and that passwords can be compromised and changed by attackers. In either case, users lose access to their own accounts and all the data associated with them. Therefore, service providers often provide a backup authentication mechanism for users to recover their accounts. Since existing backup authentication mechanisms such as security questions and alternate emails were shown to be insecure, unreliable, or both, social systems aim to leverage social data to design backup authentication mechanisms, i.e., social authentication. For instance, Facebook launched a social authentication system called Trusted Contacts in May 2013. In this mechanism, a user selects a few social friends as his/her trustees, who will later help the user recover his/her lost or compromised account.
I provided a systematic study of the security of trustee-based social authentication mechanisms. In particular, I identified that, unlike other authentication mechanisms, users' security in trustee-based social authentication is correlated, i.e., if a user's trustees are compromised, then the user will also be compromised. Based on this key observation, I proposed a new probabilistic security model to quantify the expected number of users that can be compromised by an attacker with a given resource. I also introduced various attacks and defenses, and I evaluated them quantitatively using my security model on a few social network datasets. My results have strong implications for the design of more secure trustee-based social authentication mechanisms, including Facebook's Trusted Contacts.
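The correlated-security observation above can be made concrete with a threshold cascade over a trustee graph. The following is an added illustration, not the author's model or code: it assumes (not stated on this page) that recovering an account requires codes from k of the account's trustees, that every trustee of a compromised account cooperates with whoever controls it, and that the attacker's resource is a set of accounts compromised directly; the network is constructed for the example.

```python
# Added example (not the author's code): threshold cascade over a constructed
# trustee graph, estimating how many accounts fall once an attacker holds a
# seed set and abuses trustee-based recovery. Assumptions not on the page:
# recovery needs `k` trustee codes, and a compromised trustee always cooperates.

from collections import deque


def cascade_compromise(trustees, seeds, k):
    """Return the set of users compromised when the cascade reaches a fixed point.

    trustees: dict user -> list of trustees that user selected.
    seeds: users the attacker compromised directly (the attacker's resource).
    k: number of compromised trustees needed to recover a user's account.
    """
    compromised = set(seeds)
    # Reverse index: for each trustee, the users whose recovery depends on them.
    dependents = {}
    for user, tlist in trustees.items():
        for t in tlist:
            dependents.setdefault(t, set()).add(user)
    queue = deque(compromised)
    while queue:
        t = queue.popleft()
        for user in dependents.get(t, ()):
            if user in compromised:
                continue
            hit = sum(1 for x in trustees[user] if x in compromised)
            if hit >= k:  # enough trustees are attacker-controlled
                compromised.add(user)
                queue.append(user)
    return compromised


def expected_compromised(trustees, seed_sets, k):
    """Average cascade size over equally likely attacker seed sets."""
    sizes = [len(cascade_compromise(trustees, s, k)) for s in seed_sets]
    return sum(sizes) / len(sizes)


# Constructed toy network: each user lists the trustees they selected.
TRUSTEES = {
    "alice": ["bob", "carol", "dave"],
    "bob": ["alice", "carol", "erin"],
    "carol": ["alice", "bob", "erin"],
    "dave": ["alice", "erin", "frank"],
    "erin": ["bob", "carol", "frank"],
    "frank": ["dave", "erin", "alice"],
}
```

Raising k from 2 to 3 on this toy graph stops the cascade at the two seeded accounts, which is the kind of design knob the quantitative model lets a defender evaluate before choosing a trustee policy.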