New Directions in Social Authentication

Proceedings 2015 Workshop on Usable Security (2015)

Abstract
Web services are increasingly adopting auxiliary authentication mechanisms to supplement the security provided by conventional password verification. In the domain of social network based web-services, Facebook has pioneered the use of social authentication as an auxiliary authentication mechanism. If Facebook detects a user login under suspicious circumstances, then users are asked to verify information about their friends (in addition to verifying their passwords). However, recent work has shown that Facebook’s social authentication is insecure. In this work-in-progress, we propose to rethink the design of social authentication. Our key insight is that online social network (OSN) operators are privy to large amounts of private data generated by users, including information about users’ online interactions. Based on this insight, we architect a system for social authentication that asks users to verify information about their social contacts and their interactions. Our system leverages information protected by privacy policies of OSNs to resist attacks, such as questions based on private user interactions including exchanging messages and poking social contacts. We implemented our system prototype as a Facebook application, and performed a preliminary user study to evaluate feasibility of the approach. Our initial experiments have been encouraging; we find that users have high rates of recall for information generated in the context of OSN interactions. Overall, our work provides a promising new direction for the secure and usable deployment of social authentication.