Establishing a Trust-Worthy Social Authentications

Dakupati Omprakash, K Satyanarayana Raju

Abstract


Among the several backup authentication mechanisms, authenticating users with the help of their friends (i.e., trustee-based social authentication) has been shown to be a promising backup authentication mechanism. A user in this system is associated with a few trustees selected from the user’s friends. When the user wants to regain access to the account, the service provider sends different verification codes to the user’s trustees. The user must obtain at least k (i.e., the recovery threshold) verification codes from the trustees before being directed to reset his or her password. In this paper, we provide the first systematic study of the security of trustee-based social authentications. In particular, we first introduce a novel framework of attacks, which we call forest fire attacks. In these attacks, an attacker initially obtains a small number of compromised users, and then iteratively attacks the rest of the users by exploiting trustee-based social authentications. Then, we construct a probabilistic model to formalize the threats of forest fire attacks and their costs for attackers. Moreover, we introduce various defense strategies. Finally, we apply our framework to extensively evaluate various concrete attack and defense strategies using three real-world social network datasets. Our results have strong implications for the design of more secure trustee-based social authentications.


Keywords


Social authentication, security model, backup authentication.
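
The iterative spread described in the abstract can be illustrated with a small simulation that shows how the recovery threshold k bounds the damage. This is an added example, not code from the paper: the trustee graph and seed accounts are constructed, and it assumes the worst case in which an attacker who controls k of a user's trustees always obtains k codes (the paper's own model is probabilistic).

```python
# Toy model of a forest fire attack on trustee-based account recovery.
# Worst-case assumption (not the paper's probabilistic model): a user falls
# as soon as k of that user's trustees are already compromised.

# Constructed sample data: each user mapped to three trustees.
TRUSTEES = {
    "alice": ["bob", "carol", "dave"],
    "bob":   ["alice", "carol", "erin"],
    "carol": ["alice", "bob", "dave"],
    "dave":  ["alice", "carol", "erin"],
    "erin":  ["bob", "dave", "frank"],
    "frank": ["dave", "erin", "grace"],
    "grace": ["erin", "frank", "heidi"],
    "heidi": ["grace", "ivan", "judy"],
    "ivan":  ["heidi", "judy", "grace"],
    "judy":  ["heidi", "ivan", "alice"],
}


def forest_fire(trustees, seeds, k):
    """Return (final compromised set, list of newly compromised users per round)."""
    compromised = set(seeds)
    rounds = []
    while True:
        # A user is recoverable by the attacker once k trustees are compromised.
        newly = {
            user for user, chosen in trustees.items()
            if user not in compromised
            and sum(t in compromised for t in chosen) >= k
        }
        if not newly:  # fixed point: no further account can be recovered
            return compromised, rounds
        compromised |= newly
        rounds.append(sorted(newly))


def exposure_by_threshold(trustees, seeds, thresholds):
    """Map each recovery threshold k to the number of users finally compromised."""
    return {k: len(forest_fire(trustees, seeds, k)[0]) for k in thresholds}


if __name__ == "__main__":
    seeds = {"bob", "carol"}  # constructed initial compromise
    for k in (1, 2, 3):
        final, rounds = forest_fire(TRUSTEES, seeds, k)
        print(f"k={k}: {len(final)}/{len(TRUSTEES)} compromised, rounds={rounds}")
```

On this constructed graph, a threshold of 2 lets the compromise chain through five further accounts one round at a time, while a threshold of 3 stops it at the two seed accounts.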



Copyright © 2013, All rights reserved. | ijseat.com

International Journal of Science Engineering and Advance Technology is licensed under a Creative Commons Attribution 3.0 Unported License. Based on a work at IJSEat. Permissions beyond the scope of this license may be available at http://creativecommons.org/licenses/by/3.0/deed.en_GB.