research-article

It's not what you know, but who you know: a social approach to last-resort authentication

Authors:

Stuart Schechter,

Serge Egelman,

Robert W. ReederAuthors Info & Claims

CHI '09: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Pages 1983 - 1992

https://doi.org/10.1145/1518701.1519003

Published: 04 April 2009 Publication History

Get Access

Abstract

Backup authentication mechanisms help users who have forgotten their passwords regain access to their accounts-or at least try. Today's systems fall short in meeting both security and reliability requirements. We designed, built, and tested a new backup authentication system that employs a social-authentication mechanism. The system employs trustees previously appointed by the account holder to verify the account holder's identity. We ran three experiments to determine whether the system could (1) reliably authenticate account holders, (2) resist email attacks that target trustees by impersonating account holders, and (3) resist phone-based attacks from individuals close to account holders. Results were encouraging: seventeen of the nineteen participants who made the effort to call trustees authenticated successfully. However, we also found that users must be reminded of who their trustees are. While email-based attacks were largely unsuccessful, stronger countermeasures will be required to counter highly-personalized phone-based attacks.

References

[1]

J. Brainard, A. Juels, R. L. Rivest, M. Szydlo, and M. Yung. Fourth-factor authentication: somebody you know. In CCS '06: Proceedings of the 13th ACM Conference on Computer and Communications Security, pages 168--178, New York, NY, USA, 2006. ACM.

Digital Library

Google Scholar

[2]

T. Bridis. Hacker impersonated Palin, stole e-mail password, Sept. 18, 2008. Associated Press.

Google Scholar

[3]

S. Brostoff and A. M. Sasse. Ten strikes and you're out: Increasing the number of login attempts can improve password usability. In Proceedings of CHI 2003 Workshop on HCI and Security Systems, 2003.

Google Scholar

[4]

CommonwealthBank. NetBank NetCode SMS, 2008. http://www.commbank.com.au/netbank/netcodesms/.

Google Scholar

[5]

CREDANT Technologies. Mountains of mobiles left in the back of New York cabs, 16, 2008. http://www.credant.com/mountains-of-mobiles-left-inthe-back-of-new-york-cabs.html.

Google Scholar

[6]

Google Inc. Contact Us - Google Accounts Help, 2008. http://www.google.com/support/accounts/bin/request.py?hl=en&contact type=ara&ctx=accounts&uses apps=no&product=other&submit=Continue.

Google Scholar

[7]

M. Jakobsson, E. Stolterman, S. Wetzel, and L. Yang. Love and authentication. In CHI '08: Proceeding of the Twenty-Sixth Annual SIGCHI Conference on Human Factors in Computing Systems, pages 197--200, New York, NY, USA, 2008. ACM.

Digital Library

Google Scholar

[8]

Microsoft Corporation. Complete the form below for Windows Live ID validation, 2008. https://support.live.com/eform.aspx?productKey=wlidvalidation&ct=eformcs&scrx=1.

Google Scholar

[9]

J. Podd, J. Bunnell, and R. Henderson. Cost-effective computer security: Cognitive and associative passwords. In OZCHI '96: Proceedings of the 6th Australian Conference on Computer-Human Interaction (OZCHI '96), page 304, Washington, DC, USA, 1996. IEEE Computer Society.

Digital Library

Google Scholar

[10]

A. Rabkin. Personal knowledge questions for fallback authentication: security questions in the era of facebook. In SOUPS '08: Proceedings of the 4th Symposium on Usable Privacy and Security, pages 13--23, New York, NY, USA, 2008. ACM.

Digital Library

Google Scholar

[11]

SafeNet, Inc. 2004 annual password survey results, 2005. http://www.safenetinc.com/news/view.asp?news ID=239.

Google Scholar

[12]

S. Schechter, A. J. Bernheim Brush, and S. Egelman. Its no secret: Measuring the security and reliability of authentication via 'secret' questions. In submission.

Google Scholar

[13]

K.-P. L. Vu, R. W. Proctor, A. Bhargav-Spantzel, B.-L. B. Tai, J. Cook, and E. E. Schultz. Improving password security and memorability to protect personal and organizational information. Int. J. Hum.-Comput. Stud., 65(8):744--757, 2007.

Digital Library

Google Scholar

[14]

M. Zviran and W. J. Haga. User authentication by cognitive passwords: an empirical assessment. In JCIT: Proceedings of the Fifth Jerusalem Conference on Information technology, pages 137--144, Los Alamitos, CA, USA, 1990. IEEE Computer Society Press

Digital Library

Google Scholar

Cited By

View all

Han JWong DFu ZKang B(2024)AuthZit: Personalized Visual-Spatial and Loci-Tagging Fallback Authentication2024 IEEE 29th Pacific Rim International Symposium on Dependable Computing (PRDC)10.1109/PRDC63035.2024.00025(120-130)Online publication date: 13-Nov-2024
https://doi.org/10.1109/PRDC63035.2024.00025
Klivan SHöltervennhoff SHuaman NKrause ASimko LAcar YFahl SMeng WJensen CCremers CKirda E(2023)"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery DeploymentsProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623180(3138-3152)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623180
Seaborn K(2023)Interacting with Masculinities: A Scoping ReviewExtended Abstracts of the 2023 CHI Conference on Human Factors in Computing Systems10.1145/3544549.3585770(1-12)Online publication date: 19-Apr-2023
https://dl.acm.org/doi/10.1145/3544549.3585770
Show More Cited By

Index Terms

It's not what you know, but who you know: a social approach to last-resort authentication
1. Human-centered computing
  1. Human computer interaction (HCI)

Recommendations

A method for obtaining digital signatures and public-key cryptosystems

An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: (1) Couriers or other secure means are not needed to ...
A method for obtaining digital signatures and public-key cryptosystems
Special 25th Anniversary Issue
An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences:
- Couriers or other secure means are not needed to transmit ...
An enhanced dynamic ID-based authentication scheme for telecare medical information systems

The authentication schemes for telecare medical information systems (TMIS) try to ensure secure and authorized access. ID-based authentication schemes address secure communication, but privacy is not properly addressed. In recent times, dynamic ID-based ...

Comments

Information & Contributors

Information

Published In

CHI '09: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

April 2009

2426 pages

ISBN:9781605582467

DOI:10.1145/1518701

General Chairs:
Dan R. Olsen
Brigham Young University
,
Richard B. Arthur
Brigham Young University
,
Program Chairs:
Ken Hinckley
Microsoft Research
,
Meredith Ringel Morris
Microsoft Research
,
Scott Hudson
Carnegie Mellon University
,
Saul Greenberg
University of Calgary

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 April 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CHI '09

Sponsor:

CHI '09: CHI Conference on Human Factors in Computing Systems

April 4 - 9, 2009

MA, Boston, USA

Acceptance Rates

CHI '09 Paper Acceptance Rate 277 of 1,130 submissions, 25%;

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%

Upcoming Conference

CHI 2025

Sponsor:
sigchi

ACM CHI Conference on Human Factors in Computing Systems

April 26 - May 1, 2025

Yokohama , Japan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

49
Total Citations
View Citations
942
Total Downloads

Downloads (Last 12 months)29
Downloads (Last 6 weeks)5

Reflects downloads up to 08 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Han JWong DFu ZKang B(2024)AuthZit: Personalized Visual-Spatial and Loci-Tagging Fallback Authentication2024 IEEE 29th Pacific Rim International Symposium on Dependable Computing (PRDC)10.1109/PRDC63035.2024.00025(120-130)Online publication date: 13-Nov-2024
https://doi.org/10.1109/PRDC63035.2024.00025
Klivan SHöltervennhoff SHuaman NKrause ASimko LAcar YFahl SMeng WJensen CCremers CKirda E(2023)"We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery DeploymentsProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623180(3138-3152)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623180
Seaborn K(2023)Interacting with Masculinities: A Scoping ReviewExtended Abstracts of the 2023 CHI Conference on Human Factors in Computing Systems10.1145/3544549.3585770(1-12)Online publication date: 19-Apr-2023
https://dl.acm.org/doi/10.1145/3544549.3585770
Wu YEdwards WDas S(2022)SoK: Social Cybersecurity2022 IEEE Symposium on Security and Privacy (SP)10.1109/SP46214.2022.9833757(1863-1879)Online publication date: May-2022
https://doi.org/10.1109/SP46214.2022.9833757
Sadkhan S(2022)Security of Cloud Networks – Status, Challenges and Future Trends2022 8th International Engineering Conference on Sustainable Technology and Development (IEC)10.1109/IEC54822.2022.9807474(247-252)Online publication date: 23-Feb-2022
https://doi.org/10.1109/IEC54822.2022.9807474
Micallef NArachchilage N(2021)Understanding users’ perceptions to improve fallback authenticationPersonal and Ubiquitous Computing10.1007/s00779-021-01571-yOnline publication date: 23-May-2021
https://doi.org/10.1007/s00779-021-01571-y
Dabbour NSomayaji A(2020)Towards In-Band Non-Cryptographic AuthenticationProceedings of the New Security Paradigms Workshop 202010.1145/3442167.3442180(20-33)Online publication date: 26-Oct-2020
https://dl.acm.org/doi/10.1145/3442167.3442180
Gilsenan CAlomar NHuang AEgelman SAlexander PDavidson DChoi B(2020)Decentralized backup and recovery of TOTP secretsProceedings of the 7th Symposium on Hot Topics in the Science of Security10.1145/3384217.3386396(1-2)Online publication date: 21-Sep-2020
https://dl.acm.org/doi/10.1145/3384217.3386396
Han JBi XKim HWoo SSun HShieh SGu GAteniese G(2020)PassTag: A Graphical-Textual Hybrid Fallback Authentication SystemProceedings of the 15th ACM Asia Conference on Computer and Communications Security10.1145/3320269.3384737(60-72)Online publication date: 5-Oct-2020
https://dl.acm.org/doi/10.1145/3320269.3384737
Yan ZYang CYou WGuo JZhang JZheng YMa J(2020)Achieving secure and convenient WLAN sharing in personalIET Information Security10.1049/iet-ifs.2020.0134Online publication date: 14-Jul-2020
https://doi.org/10.1049/iet-ifs.2020.0134
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Index Terms

Recommendations

A method for obtaining digital signatures and public-key cryptosystems

A method for obtaining digital signatures and public-key cryptosystems

An enhanced dynamic ID-based authentication scheme for telecare medical information systems

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations