Social authentication – harder than it looks!

February 22nd, 2012 at 17:10 UTC by Ross Anderson

This is the title of a paper we’ll be presenting next week at the Financial Crypto conference (slides). There is also coverage in the New Scientist.

Facebook has a social authentication mechanism where you may be asked to recognise some of your friends from photos as part of the login process. We analysed this and found it to be vulnerable to guessing by your friends, and also to modern face-recognition systems. Most people want privacy only from those close to them; if you’re having an affair then you want your partner to not find out but you don’t care if someone in Mongolia learns about it. And if your partner finds out and becomes your ex, then you don’t want them to be able to cause havoc on your account. Celebrities are similar, except that everyone is their friend (and potentially their enemy).

Second, if someone outside your circle of friends is doing a targeted attack on you, then by friending your friends they can get some access to your social circle to collect photos, which they might use in image-recognition software or even manually to pass the test.

Once this paper had been accepted to FC, we had an interesting discussion with Facebook’s security team. They told us that the social captcha mechanism was used to solve the problem of large-scale phishing attacks. They knew it was not very effective against friends, and especially not against a jilted former lover. For that, they maintain that the local police and courts are an effective solution. They also claim that although small-scale face recognition is doable, their scraping protection prevents it being used at large scales.

This is all fair comment, but points to a deeper issue. Users thinking about Facebook security see it in terms of their own protection, and think of their ex or their rivals; Facebook also sees it in terms of its own protection, and thinks of Indonesian gangs doing industrial-scale phishing for spam. As large-scale businesses come to dominate online, the difference between “security for me” and “security for them” may get ever larger.

Entry filed under: Academic papers, News coverage, Privacy technology, Security economics, Security psychology, Usability

6 comments Add your own

  • 1. Nicholas Bohm  |  February 22nd, 2012 at 18:36 UTC

    This typifies the need for scepticism about assertions that “X is more secure.”

    The necessary response is, “More secure for whom, me or you?”

  • 2. Larry Armstrong  |  February 22nd, 2012 at 22:46 UTC

    Another problem is when many people change their profile pictures to cartoon or movie characters. Is Joe Smith’s icon the catroon chicken this month or Dirty Harry?

  • 3. anon  |  February 24th, 2012 at 02:51 UTC

    @larry: FB’s facial recognition tech is good enough that I imagine that is not a problem. Further, they don’t have to show you the profile pic: they can arguably show any pic that was tagged, esp. a pic in which both you and your friend are tagged. And you can click next if you feel like “This pic doesn’t show the face clearly enough”

  • 4. Verity  |  February 27th, 2012 at 15:23 UTC

    The social authentication just provides a different way for you to get locked out of your account. I don’t tend to look at photos on Facebook, and I’m poor at recognising faces, so I find it very difficult if I have to use this mechanism. I suspect this means that it’s easier for some of my friends to pretend to be me than it is for me to show that I’m me.

  • 5. Jon G  |  February 29th, 2012 at 14:12 UTC

    @Verity this is where a truly refined system that ‘knew’ you would come in. Too many correct answers would be a fail…

    But I’m not sure what the problem is here: nobody could possibly think a ‘recognize this circle of friends’ feature would be secure within that circle of friends so it doesn’t seem that FB users have been tricked or lost any tangible security. I think a lot more could be done to protect people from their friends by teaching them to take better care of their smartphones ;-)

    I agree with your final point – that security isn’t always ‘for the user’ – but there’s nothing new there and this feature isn’t a striking example of that.

  • 6. Clive Robinson  |  March 16th, 2012 at 10:14 UTC

    It saddens me that an idea to replace known to be broken password systems should be implemented in such a poor way.

    The original idea for using photos “known to the user” but importantly “not known to others” has been around since before graphical displays were comman (thing thirty or more years).

    The fact that Facebook has taken what may have been a good system and fatally weakened it by not obaying “Not known to others” rule means that not only will they get credit for an idea that is not theirs but effectivly ruined the potential reputation of the system.

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


Calendar

February 2012
M T W T F S S
« Jan   Mar »
 12345
6789101112
13141516171819
20212223242526
272829