Social Authentications

Web services (e.g., Gmail, Facebook, and online banking) today most commonly rely on passwords to authenticate users. Unfortunately, this paradigm has two serious problems: users inevitably forget their passwords, and passwords can be compromised and changed by attackers; either way, legitimate users lose access to their own accounts. Web services therefore provide backup authentication mechanisms to help users regain access. Unfortunately, the backup mechanisms in wide use today, such as security questions and alternate email addresses, are insecure, unreliable, or both. Recently, so-called trustee-based social authentication has attracted increasing attention and has been shown to be a promising backup authentication mechanism: a user designates a few trusted friends (trustees) in advance, and to recover the account must obtain recovery codes from a sufficient number of them. For instance, Microsoft researchers implemented a prototype and integrated it into Microsoft's Windows Live ID system, and Facebook launched a similar trustee-based social authentication system, Trusted Contacts, in May 2013.
We perform the first systematic study of the security of trustee-based social authentications. Our results have strong implications for the design of more secure trustee-based social authentication systems.
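To make the mechanism concrete, the following is an added illustration of a k-of-n trustee-based recovery flow on the service side; it is not code from this page, from the Windows Live ID prototype or from Facebook's Trusted Contacts. The parameters (3 of 5 trustees, 8-character codes, a 24-hour window) and all names are assumptions. The two scenarios show the property any security analysis of such a scheme has to reason about: the service only ever sees codes, so an adversary who controls k trustees' accounts is indistinguishable from the legitimate owner, while fewer than k, replays of one code, or guesses do not suffice.

```python
"""Minimal k-of-n trustee-based account recovery (service side).
Added example; parameters and account names are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed code alphabet without 0/O/1/I
CODE_LEN = 8                                   # assumed code length


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


@dataclass
class RecoverySession:
    threshold: int
    expires_at: float
    code_hashes: dict              # trustee -> sha256(code); plaintext is not stored
    accepted: set = field(default_factory=set)


class TrusteeRecovery:
    """Assumed policy: 3 of the enrolled trustees within 24 hours."""

    def __init__(self, threshold: int = 3, ttl: float = 24 * 3600, clock=time.time):
        self.threshold, self.ttl, self.clock = threshold, ttl, clock
        self.trustees: dict[str, list[str]] = {}
        self.sessions: dict[str, RecoverySession] = {}

    def enroll(self, account: str, trustees: list[str]) -> None:
        if len(set(trustees)) < self.threshold:
            raise ValueError("need at least `threshold` distinct trustees")
        self.trustees[account] = sorted(set(trustees))

    def start_recovery(self, account: str) -> dict[str, str]:
        """Mint one fresh code per trustee. The mapping is what the service shows
        to each trustee in their own logged-in session; the owner must then obtain
        `threshold` of these codes from the trustees out of band."""
        codes = {t: "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
                 for t in self.trustees[account]}
        self.sessions[account] = RecoverySession(
            threshold=self.threshold,
            expires_at=self.clock() + self.ttl,
            code_hashes={t: _digest(c) for t, c in codes.items()},
        )
        return codes

    def submit_code(self, account: str, trustee: str, code: str) -> bool:
        """Accept a code presented by the claimed owner. True once codes from
        `threshold` distinct trustees have been accepted inside the window."""
        s = self.sessions.get(account)
        if s is None or self.clock() > s.expires_at:
            self.sessions.pop(account, None)        # expired sessions are discarded
            return False
        expected = s.code_hashes.get(trustee)
        if expected is None or not hmac.compare_digest(expected, _digest(code)):
            return False                            # unknown trustee or wrong code
        s.accepted.add(trustee)                     # a set: replaying a code adds nothing
        return len(s.accepted) >= s.threshold


TRUSTEES = ["bob", "carol", "dave", "erin", "frank"]   # constructed sample data


def owner_scenario() -> tuple:
    """Owner reaches two trustees (not enough), then a third (threshold met)."""
    svc = TrusteeRecovery()
    svc.enroll("alice", TRUSTEES)
    codes = svc.start_recovery("alice")
    svc.submit_code("alice", "bob", codes["bob"])
    after_two = svc.submit_code("alice", "carol", codes["carol"])
    after_three = svc.submit_code("alice", "dave", codes["dave"])
    return after_two, after_three


def attacker_scenario() -> tuple:
    """Attacker holding two trustees' codes tries replay, mislabelling and a
    guess (all short of threshold), then compromises a third trustee."""
    svc = TrusteeRecovery()
    svc.enroll("alice", TRUSTEES)
    codes = svc.start_recovery("alice")
    svc.submit_code("alice", "bob", codes["bob"])
    svc.submit_code("alice", "bob", codes["bob"])          # replay: no progress
    svc.submit_code("alice", "erin", codes["bob"])         # bob's code under erin's name
    below = svc.submit_code("alice", "carol", codes["carol"])
    guess = svc.submit_code("alice", "dave", "A" * CODE_LEN)
    # third compromised trustee: the service cannot tell this from the owner
    full = svc.submit_code("alice", "dave", codes["dave"])
    return below or guess, full


def expiry_scenario() -> bool:
    """Codes submitted after the window are rejected even if correct."""
    now = [1_000_000.0]
    svc = TrusteeRecovery(clock=lambda: now[0])
    svc.enroll("alice", TRUSTEES)
    codes = svc.start_recovery("alice")
    now[0] += 25 * 3600
    return svc.submit_code("alice", "bob", codes["bob"])
```

The point the attacker scenario makes is structural rather than a bug: the security of the whole scheme reduces to how hard it is for an adversary to obtain k codes, i.e. to compromise or impersonate k of the trustees, which is exactly the quantity a systematic security study of trustee-based social authentication has to estimate.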