It's Not What You Know, But Who You Know
Date: April 2009
Publication: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2009
Page(s): 1983 - 1992
Source 1: http://research.microsoft.com/pubs/79349/paper1459-schechter.pdf
Source 2: http://dl.acm.org/citation.cfm?id=1519003 - Subscription or payment required
Abstract or Summary:
Backup authentication mechanisms help users who have forgotten their passwords regain access to their accounts—or at least try. The security and reliability of today’s backup authentication mechanisms have significant room for improvement. We designed, built, and tested a new authentication system that employs social-authentication. The system employs trustees previously appointed by the account holder to verify the account holder’s identity. We ran three experiments to determine whether the system could (1) reliably authenticate account holders, (2) resist email attacks that target trustees by impersonating account holders, and (3) resist phone-based attacks from individuals close to account holders. Results were encouraging: seventeen of the nineteen participants who made the effort to call trustees authenticated successfully. However, we also found that users must be reminded of who their trustees are. While email-based attacks were largely unsuccessful, stronger countermeasures will be required.
PasswordResearch.com Note: A variation of this paper was published in Proceedings of the 5th Symposium on Usable Privacy and Security, SOUPS'09.
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.