Social authentication and solar storms

Well, I thought it was ironic that the biggest solar storm in years is hitting the earth tonight … while CanSecWest is on …

So far today we have had talks on security (and vulnerabilities) during the boot process, a talk on pen testing (and the presenter seemed to be alternately talking about how to choose a pen tester, and how to do pen testing), and social authentication.

The social authentication talk was by Alex Rice from Facebook.  He noted that, even though Facebook only challenges a small fraction of a percent of logins, given the user base that means more then a million every day.  When a login is challenged, a standard response has been the good old “security questions”: mother’s maiden name, birthdate, and other pieces of information that might not be too hard for someone intent on breaking into your account to find out.

Alex went through the limitations of security questions, and then moved to other possibilities.  Security questions comes under the heading of “things you know,” so they looked at “things you have.”  For example, you have to have an email address, so there is the possibility of a challenge sent to your email.  (Google, of course, figures that everyone in the world has a cell phone that can receive text messages.)

Recently, Facebook has started to use the photos that people post on their pages, particularly those that have been tagged.  Basically, if your login gets challenged, you will be shown a series of pictures, and you should be able to identify who is, or is not, in the picture, out of your list of friends.  This is the subject of a blog post noting that it isn’t perfect.

There are additional problems.  As the post notes, the situation is less than ideal if you have a huge number of “friends.”  (As Bruce Schneier’s new book notes, if you have more than 150 friends, you probably aren’t friends with many of them.)  Even if you do know your “friends,” there is nothing to say that any given picture of them will be recognizable.  In fact, since the system relies on tagging, there are going to be pictures of weird objects that people have deliberately tagged as themselves, in joking fashion.

Therefore, this system is definitely not perfect, as the questions at the end pointed out.  Unfortunately, Alex had passed, rather quickly, over an important point.  The intent of the system, in Facebook’s opinion, was to reduce the amount of account spam sent via accounts that had been compromised.  In that regard, the system probably works very well.  False logins get challenged.  Some of the challenges are false positives.  The photo system is a means of allowing a portion (a fairly large portion, probably) of users to recover their accounts quickly.  For the remaining accounts, there are other means to recover the account, even though these are more time-consuming for both Facebook and the user.  This system does reduce the total amount of time spent by both users (in the aggregate, even if individual users may feel hard done by) and Facebook.

Share