Backup authentication mechanisms help users who have forgotten their passwords regain access to their accounts, or at least try to. Today's systems fall short in meeting both security and reliability requirements. We designed, built, and tested a new backup authentication system that employs a social-authentication mechanism. The system relies on trustees previously appointed by the account holder to verify the account holder's identity. We ran three experiments to determine whether the system could (1) reliably authenticate account holders, (2) resist email attacks that target trustees by impersonating account holders, and (3) resist phone-based attacks from individuals close to account holders. Results were encouraging: seventeen of the nineteen participants who made the effort to call trustees authenticated successfully. However, we also found that users must be reminded of who their trustees are. While email-based attacks were largely unsuccessful, stronger countermeasures will be required to counter highly personalized phone-based attacks.