It's not what you know, but who you know

Schechter, Stuart; Egelman, Serge; Reeder, Robert W.

doi:10.1145/1518701.1519003

Cited by 57 publications

(9 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [31], the authors introduced a new social authentication approach based on trustees, that will allow users to access their accounts after having forgotten or lost the credentials. Trustees, that are people chosen by the account holders, will have the burden of identifying the account holder either in person (identification by appearance) or by phone (identification by voice).…”

Section: Related Workmentioning

confidence: 99%

“…Other approaches, instead, rely on people to securely recover the password. In [31], for example, the authors introduced a new social authentication approach based on trustees. Trustees are people selected by the account holder that will have the burden of identifying her either in person (identification by appearance) or by phone (identification by voice).…”

Section: Other Password Recovery Mechanismsmentioning

confidence: 99%

See 1 more Smart Citation

A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies

Raponi¹,

Pietro²

2020

IEEE Access

View full text Add to dashboard Cite

Single-factor password-based authentication is generally the norm to access online Web-sites. While single-factor authentication is well known to be a weak form of authentication, a further concern arises when considering the possibility for an attacker to recover the user passwords by leveraging the loopholes in the password recovery mechanisms. Indeed, the adoption by a Web-site of a poor password management system makes useless even the most robust password chosen by the registered users. In this paper, building on the results of our previous work, we study the possible attacks to on-line password recovery systems analyzing the mechanisms implemented by some of the most popular Web-sites. In detail, we provide several contributions: (i) we revise and detail the attacker model; (ii) we provide an updated analysis with respect to a preliminary study we carried out in December 2017; (iii) we perform a brand new analysis of the current top 200 Alexa's Web-sites of five major EU countries; and, (iv) we propose Maildust, a working open-source module that could be adopted by any Web-site to provide registered users with a password recovery mechanism to prevent mail service provider-level attacks. Overall, it is striking to notice how the analyzed Web-sites have made little (if any) effort to become compliant with the GDPR regulation, showing that the objective to have basic user protection mechanisms in place-despite the fines threatened by GDPR-is still far, mainly because of sub-standard security management prac-

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Other Password Recovery Mechanismsmentioning

confidence: 99%

A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies

Raponi¹,

Pietro²

2020

IEEE Access

View full text Add to dashboard Cite

show abstract

“…In trustee-based social authentication [11], [12], [13], [14], [15], the user or the service provider pre-selects a few friends of the user as trustees, who aid the user in the authentication process. Knowledge-based social authentication [3], [2], [4], [5], [6] utilizes a user's friends' information for authentication, and thus knowledge-based social authentication relies on the user's knowledge about their friends.…”

Section: Related Workmentioning

confidence: 99%

“…Originally, Brainard et al combined trustee-based social authentications with other authenticators (e.g., passwords) as a two-factor authentication mechanism. Later, trustee-based social authentication was adapted to be used as a backup authenticator [13], [14], [12]. For instance, Schechter et al [12] designed and built a prototype of trusteebased social authentication system which was integrated into Microsoft's Windows Live ID system.…”

Section: Related Workmentioning

confidence: 99%

“…Later, trustee-based social authentication was adapted to be used as a backup authenticator [13], [14], [12]. For instance, Schechter et al [12] designed and built a prototype of trusteebased social authentication system which was integrated into Microsoft's Windows Live ID system. Facebook announced its trustee-based social authentication system called Trusted Friends in October 2011 [13], and it was redesigned to be Trusted Contacts [14] in May 2013.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

New Directions in Social Authentication

Jain¹,

Gong

Basuroy

et al. 2015

Proceedings 2015 Workshop on Usable Security

View full text Add to dashboard Cite

Web services are increasingly adopting auxiliary authentication mechanisms to supplement the security provided by conventional password verification. In the domain of social network based web-services, Facebook has pioneered the use of social authentication as an auxiliary authentication mechanism. If Facebook detects a user login under suspicious circumstances, then users are asked to verify information about their friends (in addition to verifying their passwords). However, recent work has shown that Facebook's social authentication is insecure. In this work-in-progress, we propose to rethink the design of social authentication. Our key insight is that online social network (OSN) operators are privy to large amounts of private data generated by users, including information about users' online interactions. Based on this insight, we architect a system for social authentication that asks users to verify information about their social contacts and their interactions. Our system leverages information protected by privacy policies of OSNs to resist attacks, such as questions based on private user interactions including exchanging messages and poking social contacts. We implemented our system prototype as a Facebook application, and performed a preliminary user study to evaluate feasibility of the approach. Our initial experiments have been encouraging; we find that users have high rates of recall for information generated in the context of OSN interactions. Overall, our work provides a promising new direction for the secure and usable deployment of social authentication. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

A Spark Is Enough in a Straw World: A Study of Websites Password Management in the Wild

Raponi

Pietro

2018

Security and Trust Management

View full text Add to dashboard Cite

The widespread usage of password authentication in online websites leads to an ever-increasing concern, especially when considering the possibility for an attacker to recover the user password by leveraging the loopholes in the password recovery mechanisms. Indeed, if a website adopts a poor password management system, this choice makes useless even the most robust password chosen by its users. In this paper, we first provide a survey of currently adopted password recovery mechanisms. Later, we model an attacker with different capabilities and we show how current password recovery mechanisms can be exploited in our attacker model. Then, we provide a thorough analysis of the password management of some of the Alexa's top 200 websites in different countries, including England, France, Germany, Spain and Italy. Of these 1,000 websites, 722 do not require authentication-and hence are excluded by our study-, while out of the remaining 278 we focused on 174-since 104 demanded a complex registration procedure. Of these 174, almost 25% of the them have critical vulnerabilities, while 44% have some form of vulnerability. Finally, we propose some effective countermeasures and we point out that, by considering the entry into force of the General Data Protection Regulation (GDPR) in May, 2018, most of websites are not compliant with the legislation and may incur in heavy fines. This study, other than being important on its own since it highlights some severe current vulnerabilities and proposes corresponding remedies, has the potential to also have a relevant impact on the EU industrial ecosystem.

show abstract

It's not what you know, but who you know

Cited by 57 publications

References 9 publications

A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies

A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies

New Directions in Social Authentication

A Spark Is Enough in a Straw World: A Study of Websites Password Management in the Wild

Contact Info

Product

Resources

About