Social Authentication: Vulnerabilities, Mitigations, and Redesign - DEEPSEC 2014

Marco Lancini
November 21, 2014

I delivered a talk based on this presentation at DEEPSEC 2014 (https://deepsec.net/) in Vienna (November 21st, 2014).

Description: We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment.
We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information.
We have designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker.
We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.
