Security of Trustee Based Social Authentication


International Research Journal of Engineering and Technology (IRJET)
e-ISSN: 2395-0056 | p-ISSN: 2395-0072
Volume: 04 Issue: 04 | Apr-2017
www.irjet.net

Prof. S.N. Maitri (1), Mayur Agnihotri (2), Ashutosh Borde (3), Pratik Salvi (4)

(1) H.O.D., Dept. of Computer Engg., Trinity Academy Of Engineering, Pune.
(2,3,4) Student, Trinity Academy Of Engineering, Pune.

Abstract – Nowadays, the trend is to authenticate users with the help of their friends. This technique is commonly known as ‘trustee-based social authentication’, and it is more likely to succeed than its competitors. A user selects a few trusted associates from his friend list; these trusted associates are known as ‘trustees’. When the user wishes to recover his account, the service provider sends a unique verification code to each of the user’s trustees. A recovery threshold (k) is set, and once the user obtains k verification codes from his trustees, he is directed to reset his password. Access to the user’s account is thus granted through a backup authentication mechanism. Here, we propose a new framework of attacks, which we refer to as ‘forest fire attacks’, in which the attacker first compromises a small number of users and then iteratively attacks the remaining users through the trustee networks.

Key Words: Social authentication, security model, backup authentication, forest fire attacks.

1. INTRODUCTION

Authentication has become important for organizations to provide accuracy and consistency in security against thefts and terrorism. Web services such as Gmail, Facebook, and online banking very often use passwords for authentication, but they face two serious issues: users forget their passwords, and attackers change passwords and thereby compromise accounts. Hence these web services often provide a backup authentication mechanism to help users regain access to their accounts. Unfortunately, the widely used backup authentication mechanisms of today, such as alternate email addresses and security questions, are vulnerable to attacks. Security questions can easily be guessed and phished, and the user may even forget the answers to them. An alternate email address set earlier may also expire with time or when the user changes institutions. Hence, it is essential to design a dependable backup authentication mechanism.

Let us have a detailed look at how a trustee-based social authentication system works. We have a social network of different users, and we introduce a trustee network for a user. There are two phases:

1.1 Registration Phase

In this phase the system helps the user select trustees. The user is first proven genuine with the help of a password, and then the user or the service provider selects a few friends (e.g. 3) as the user’s trustees. These are the user’s friends from the social network.

1.2 Recovery Phase

This phase applies when the user forgets the password, or when the account is compromised and the attacker has changed the password. The user can then recover the account using his/her trustees, with the help of the service provider. The user sends an account recovery request to the service provider along with his/her user-name/email address. The service provider authenticates the user’s trustees and sends verification codes to them. The user obtains the verification codes from the trustees via mail, by calling them, or by meeting them in person. If the user obtains a recovery threshold (the minimum number of codes required for authentication) of the verification codes and sends them to the service provider, the user is considered genuine and is directed to reset his/her password. Since the user may forget who the trustees are, the service provider helps the user to remember them.

Consider Facebook’s Trustee-Based Social Authentication. Facebook’s trustee-based social authentication system is called Trusted Friends, whose improved version is Trusted Contacts. In the Registration Phase, a user selects three to five friends from his/her friend list as trustees. The recovery threshold is set to three. Facebook does not remind a user of his or her trustees, but instead asks the user to type in their names. However, once the user gets one trustee correctly, Facebook reminds him or her of the remaining trustees.
We will show that the service provider should constrain the selection of trustees so that no user can be a trustee of too many other users; this gives more security. In fact, our experimental results show that setting the recovery threshold to four could better balance security and usability.
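The two phases described above, the threshold check, and the trustee-load constraint, as an added worked model (example code written for this page, not the paper's own implementation or Facebook's). The cap value MAX_TRUSTEE_LOAD, the 6-digit code format, the class and function names, and the six-user network in demo_network are assumptions made for the example; the 3-to-5 trustee range and k = 3 are the Facebook figures the paper reports. iterative_compromise is a defender-side risk estimate of the paper's forest-fire model: given a compromised seed set, it counts how many further accounts could meet the recovery threshold using only codes held by already-compromised trustees, which is the quantity a provider would monitor when choosing k and the load cap.

```python
"""Worked model of trustee-based social authentication (added example, not from the paper).

Assumed, not from the paper: the MAX_TRUSTEE_LOAD cap value, the 6-digit code
format, the class/function names, and the constructed six-user network.
"""
import secrets
import hmac

MIN_TRUSTEES, MAX_TRUSTEES = 3, 5   # trustees per user, as in Facebook's Trusted Contacts
RECOVERY_THRESHOLD = 3              # k; the paper reports k = 4 balances security and usability better
MAX_TRUSTEE_LOAD = 10               # assumed cap on how many users one account may serve as trustee for


class SocialAuthProvider:
    """Service-provider side of the Registration and Recovery phases."""

    def __init__(self, k=RECOVERY_THRESHOLD, max_load=MAX_TRUSTEE_LOAD):
        self.k = k
        self.max_load = max_load
        self.trustees = {}   # user -> set of trustees (Registration Phase)
        self.load = {}       # user -> number of accounts it is a trustee for
        self.pending = {}    # user -> {trustee: code} for an open recovery request

    def register_trustees(self, user, chosen):
        """Registration Phase: the (already password-authenticated) user picks trustees.
        Rejects self-selection, a wrong count, and any trustee who already serves
        max_load users, which is the constraint the paper proposes to limit spread."""
        chosen = set(chosen) - {user}
        if not MIN_TRUSTEES <= len(chosen) <= MAX_TRUSTEES:
            raise ValueError(f"choose between {MIN_TRUSTEES} and {MAX_TRUSTEES} trustees")
        overloaded = [t for t in chosen if self.load.get(t, 0) >= self.max_load]
        if overloaded:
            raise ValueError(f"already trustee for too many users: {sorted(overloaded)}")
        for t in chosen:
            self.load[t] = self.load.get(t, 0) + 1
        self.trustees[user] = chosen

    def start_recovery(self, user):
        """Recovery Phase, step 1: issue one fresh, unique code per trustee. Codes go to
        the trustees out of band, never to the requester; returns who was notified."""
        codes = {t: f"{secrets.randbelow(10**6):06d}" for t in self.trustees[user]}
        self.pending[user] = codes
        return sorted(codes)

    def code_delivered_to(self, user, trustee):
        """Stands in for the provider's message to a trustee; the user must collect it from them."""
        return self.pending[user][trustee]

    def complete_recovery(self, user, submitted):
        """Recovery Phase, step 2: allow the reset only if at least k submitted codes match
        the codes issued to that user's trustees. The request is single-use either way."""
        codes = self.pending.pop(user, None)
        if codes is None:
            return False
        matched = sum(1 for t, c in submitted.items()
                      if t in codes and hmac.compare_digest(c, codes[t]))
        return matched >= self.k


def iterative_compromise(provider, seeds, max_rounds=10):
    """Defender-side estimate of the paper's forest-fire risk: from a compromised seed
    set, how many further accounts could be recovered using only codes held by
    already-compromised trustees? Returns the compromised-set size after each round."""
    compromised = set(seeds)
    history = [len(compromised)]
    for _ in range(max_rounds):
        reachable = {u for u, ts in provider.trustees.items()
                     if u not in compromised and len(ts & compromised) >= provider.k}
        if not reachable:
            break
        compromised |= reachable
        history.append(len(compromised))
    return history


def demo_network(max_load=MAX_TRUSTEE_LOAD):
    """Constructed six-user trustee network (sample data, not from the paper)."""
    p = SocialAuthProvider(max_load=max_load)
    for user, ts in [("u1", "u2 u3 u4"), ("u2", "u1 u3 u4"), ("u3", "u1 u2 u5"),
                     ("u4", "u1 u2 u3"), ("u5", "u1 u2 u3"), ("u6", "u4 u5 u1")]:
        p.register_trustees(user, ts.split())
    return p


if __name__ == "__main__":
    p = demo_network()
    notified = p.start_recovery("u1")
    codes = {t: p.code_delivered_to("u1", t) for t in notified}
    print("recovery with all codes accepted:", p.complete_recovery("u1", codes))
    print("compromised-set size per round from 3 seeds:",
          iterative_compromise(p, {"u2", "u3", "u4"}))
```

In the constructed network, three compromised trustees are enough to reach every remaining account in three rounds, because each user has exactly k = 3 trustees and the same few accounts serve as trustees for many users; rerunning demo_network with a smaller max_load makes registration reject that concentration, and raising k only helps where users have registered more than k trustees.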

© 2017, IRJET | Impact Factor value: 5.181 | ISO 9001:2008 Certified Journal | Page 1704

