High-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA). We designed and implemented an automated system able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on the part of an attacker. We then revisit the SA concept and propose reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.
This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer
%0 Journal Article
%1 mjs:Lancini:SocAuth
%A Lancini, Marco
%D 2014
%K 2fa ds15 mjsarticle two-factor_authentication
%N 2
%P 476-492
%T Social Authentication
%U http://www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_032_Lancini_SocialAuthentication.pdf
%V 8
%X High-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA). We designed and implemented an automated system able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on the part of an attacker. We then revisit the SA concept and propose reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.
This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer
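@article{mjs:Lancini:SocAuth,
  author        = {Lancini, Marco},
  title         = {Social Authentication},
  subtitle      = {Vulnerabilities, Mitigations, and Redesign},
  journaltitle  = {Magdeburger Journal zur Sicherheitsforschung},
  volume        = 8,
  number        = 2,
  pages         = {476--492},
  year          = 2014,
  issn          = {2192-4260},
  url           = {http://www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_032_Lancini_SocialAuthentication.pdf},
  urldate       = {2014-11-13},
  abstract      = {High-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA). We designed and implemented an automated system able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker. We then revisited the SA concept and propose reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.
This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer},
  keywords      = {2fa ds15 mjsarticle two-factor_authentication},
  internal-note = {page range uses an en-dash (--); non-ASCII quotes in abstract require biblatex/Biber or a UTF-8-aware BibTeX},
  added-at      = {2021-09-19T18:42:17.000+0200},
  timestamp     = {2021-10-22T17:15:30.000+0200},
  biburl        = {https://www.bibsonomy.org/bibtex/26e7870c4919cbaeb4131eb2ecf88b918/steschum},
  interhash     = {b498f1c845707a7c5d89a7dbe245ebe1},
  intrahash     = {6e7870c4919cbaeb4131eb2ecf88b918},
}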