On the Security of Trustee-Based Social Authentications

Abstract:

Recently, authenticating users with the help of their friends (i.e., trustee-based social authentication) has been shown to be a promising backup authentication mechanism. A user in this system is associated with a few trustees that were selected from the user's friends. When the user wants to regain access to the account, the service provider sends different verification codes to the user's trustees. The user must obtain at least k (i.e., the recovery threshold) verification codes from the trustees before being directed to reset his or her password. In this paper, we provide the first systematic study of the security of trustee-based social authentications. In particular, we first introduce a novel framework of attacks, which we call forest fire attacks. In these attacks, an attacker initially obtains a small number of compromised users, and then iteratively attacks the rest of the users by exploiting trustee-based social authentications. Then, we construct a probabilistic model to formalize the threats of forest fire attacks and their costs for attackers. Moreover, we introduce various defense strategies. Finally, we apply our framework to extensively evaluate various concrete attack and defense strategies using three real-world social network datasets. Our results have strong implications for the design of more secure trustee-based social authentications.

Existing System:

Existing backup systems may use "secret" personal questions and alternate email addresses for backup authentication in the event a user forgets or loses his or her access credentials. However, these methods are frequently unreliable. For personal questions, users often forget their answers, especially when answers are case and punctuation sensitive. It is also common for acquaintances of a user to be able to guess the answers, even acquaintances who are not closely associated with the account holder.
In existing methods, the questions are often not applicable to the general public, not memorable, ambiguous, easily guessable with no knowledge of the account holder, or easily guessable with minimal knowledge of the account holder.

www.chennaisunday.com

Problems on existing system:

1. An account holder who tries to authenticate using an alternate email address often finds that the configured address expired upon a change of job, school or Internet service provider. Since other websites rely on email addresses to authenticate their account holders when passwords fail, it is especially important for webmail providers to have a secure and reliable authentication mechanism of last resort.

2. The ubiquity of mobile phones has made them an attractive option for backup authentication. Some entities already send SMS messages containing authorization codes to supplement primary authentication for high-risk transactions. However, authenticating users by their mobile phones alone is risky, as phones are frequently shared or lost.

Proposed System:

A social authentication system for backup account recovery is described. The backup account recovery system allows an account holder to regain access to his or her account in the event the account holder is unable to gain access using the primary authentication method. The social authentication system allows the account holder to contact several trustees that were previously selected and identified. Upon being unable to gain access to an account, the account holder contacts one or more trustees to inform them that he or she needs to regain access to the account and therefore needs to obtain an account recovery code from each trustee. Each trustee may then contact the account recovery system, which resides on servers accessible on the Internet.
The account recovery system then verifies that the trustee's contact information matches that of a previously identified trustee for the specified account holder. Once this has been verified, the account recovery system begins a back-and-forth dialog with the trustee, in which the trustee provides information, transmits a link and code provided by the account recovery system, vouches for his or her contact with the account holder, and pledges that the statements provided are accurate and that the trustee agrees on the course of action.

Once this dialog is successfully completed, each trustee is provided with a unique account recovery code, which is then passed on to the account holder. Once the required number of account recovery codes has been received, the account holder is able to use them to obtain access to the account.

Advantages:

The social authentication system is a system in which account holders initially appoint, and later rely on, account trustees to help them authenticate.

Architecture:

[Architecture diagram not reproduced in this extract.]

Implementation:

Implementation is the stage of the project when the theoretical design is turned into a working system. It can therefore be considered the most critical stage in achieving a successful new system and in giving the user confidence that the new system will work and be effective. The implementation stage involves careful planning, investigation of the existing system and its constraints on implementation, design of methods to achieve changeover, and evaluation of changeover methods.

Main Modules:

1. Trustee-Based Social Authentication Module:

A trustee-based social authentication includes two phases.

Registration Phase: The system prepares trustees for a user Alice in this phase.
Specifically, Alice is first authenticated with her main authenticator (i.e., her password), and then a few (e.g., 5) friends, who also have accounts in the system, are selected by either Alice herself or the service provider from Alice's friend list and are appointed as Alice's trustees.

Recovery Phase: When Alice forgets her password, or her password was compromised and changed by an attacker, she recovers her account with the help of her trustees in this phase. Specifically, Alice first sends an account recovery request with her user name to the service provider, which then shows Alice a URL. Alice is required to share this URL with her trustees. Her trustees then authenticate themselves to the system and retrieve verification codes using the given URL. Alice then obtains the verification codes from her trustees by emailing them, calling them, or meeting them in person. If Alice obtains a sufficient number (e.g., 3) of verification codes and presents them to the service provider, then Alice is authenticated and is directed to reset her password. We call the number of verification codes required to be authenticated the recovery threshold.

2. Security Module:

Authentication is essential for securing your account and preventing spoofed messages from damaging your online reputation. Imagine a phishing email being sent from your mail account because someone had forged your information. The angry recipients and spam complaints resulting from it become your mess to clean up in order to repair your reputation. Trustee-based social authentication systems ask users to select their own trustees without any constraint. In our experiments (i.e., Section VII), we show that the service provider can constrain trustee selection by imposing that no user is selected as a trustee by too many other users, which achieves better security guarantees.
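As an added illustration (not the paper's code or any provider's implementation), the following Python sketch implements the registration and recovery phases above together with the trustee-selection constraint from the Security Module: a k-of-n code check on the server and a cap on how many users one account may serve as trustee for. The friend graph, the max_load value of 2 and the use of secrets.token_hex for codes are assumptions.

```python
import hmac
import secrets

class RecoveryService:
    """Server side of trustee-based social authentication (added illustration)."""

    def __init__(self, friends, k=3, max_load=2):
        self.friends = friends    # user -> set of friends (constructed sample graph)
        self.k = k                # recovery threshold: codes needed before a reset is allowed
        self.max_load = max_load  # assumed cap: users one account may serve as trustee for
        self.trustees = {}        # user -> list of appointed trustees
        self.load = {}            # account -> number of users it is a trustee for
        self.pending = {}         # user -> {trustee: verification code} for an open request

    def register(self, user, chosen):
        """Registration phase: the (already password-authenticated) user appoints trustees."""
        for t in chosen:
            if t not in self.friends[user]:
                raise ValueError(f"{t} is not a friend of {user}")
            if self.load.get(t, 0) >= self.max_load:
                raise ValueError(f"{t} already serves as trustee for {self.max_load} users")
        self.trustees[user] = list(chosen)
        for t in chosen:
            self.load[t] = self.load.get(t, 0) + 1

    def request_recovery(self, user):
        """Recovery phase: issue a distinct fresh code per trustee; the user never sees them here."""
        self.pending[user] = {t: secrets.token_hex(4) for t in self.trustees[user]}
        return sorted(self.pending[user])  # the trustees the user must now contact

    def code_for_trustee(self, user, trustee):
        """A trustee who has logged in retrieves only his or her own code for this request."""
        return self.pending[user][trustee]

    def verify(self, user, presented):
        """Count distinct valid codes; direct the user to a password reset only at the threshold."""
        codes = self.pending.get(user, {})
        valid = sum(1 for c in codes.values()
                    if any(hmac.compare_digest(c, p) for p in set(presented)))
        if valid >= self.k:
            del self.pending[user]  # one request, one reset: codes cannot be replayed
            return True
        return False
```

Presenting the same codes twice does not help (distinct codes are counted), and a successful reset discards the request so the codes cannot be reused.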
3. Backup Authentication Module:

A user in this system is associated with a few trustees that were selected from the user's friends. When the user wants to regain access to the account, the service provider sends different verification codes to the user's trustees. The user must obtain at least k (i.e., the recovery threshold) verification codes from the trustees before being directed to reset his or her password. The backup authentication feature allows you to select three to five friends as your trustees. In case you forget your password or your account is hacked, each of these trustees will be able to get a security code for you. With three security codes, you can recover your account.

4. Forest Fire Attacks Module:

In a forest fire attack, the attacker first uses traditional methods such as phishing and guessing to compromise some users (called seed users), and then propagates the attack to other users by exploiting the "trusted contacts". Our forest fire attacks consist of an Ignition Phase and a Propagation Phase:

1. Ignition Phase: An attacker obtains a small number of compromised users, which we call seed users. They could be obtained from phishing attacks, statistical guessing, and password database leaks, or they could be a coalition of users who collude with each other. Indeed, a large number of social network accounts have been reported to be compromised, showing the feasibility of obtaining compromised seed users.

2. Propagation Phase: Given the seed users, the attacker iteratively attacks other users. In each attack iteration, the attacker performs one attack trial on each of the uncompromised users according to some attack ordering of them. In an attack trial on a user u, the attacker sends an account recovery request with u's username to the service provider, which issues different verification codes to u's trustees. The goal of the attacker is to obtain verification codes from at least one trustee.
If at least one trustee of u is already compromised, the attacker can easily compromise u; otherwise, the attacker can impersonate u and send a spoofing message to each uncompromised trustee of u to request the verification code.

System Configuration:

H/W System Configuration:

Processor    - Pentium III
Speed        - 1.1 GHz
RAM          - 256 MB (min)
Hard Disk    - 20 GB
Floppy Drive - 1.44 MB
Keyboard     - Standard Windows Keyboard
Mouse        - Two or Three Button Mouse
Monitor      - SVGA

S/W System Configuration:

Operating System      : Windows 95/98/2000/XP
Front End             : Core Java
Database              : MySQL 5.0
Database Connectivity : JDBC
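To quantify the exposure described in the Forest Fire Attacks Module above, and how the trustee-selection cap from the Security Module limits it, here is an added Python risk model in the spirit of the paper's probabilistic model (not the paper's own code). It assumes a scaled-down setting of two trustees per user with recovery threshold k=2, a constructed eight-account graph, and a spoofing-success probability p_spoof that the page does not specify.

```python
import random

def forest_fire(trustees, seeds, k, p_spoof=0.0, rng=None):
    """Risk model of a forest fire attack on a trustee graph (added illustration).

    trustees: user -> list of trustees; seeds: accounts assumed compromised at ignition.
    Model assumptions: a code held by an already-compromised trustee is obtained for free;
    an uncompromised trustee hands over a code with probability p_spoof; a user falls
    once at least k codes are collected. Rounds repeat until no further account falls."""
    rng = rng or random.Random(0)
    compromised = set(seeds)
    changed = True
    while changed:
        changed = False
        for u, ts in trustees.items():
            if u in compromised:
                continue
            codes = sum(1 for t in ts if t in compromised or rng.random() < p_spoof)
            if codes >= k:
                compromised.add(u)
                changed = True
    return compromised

def fraction_reached(trustees, seeds, k, p_spoof=0.0, seed=0):
    """Share of non-seed accounts the propagation phase reaches."""
    targets = set(trustees) - set(seeds)
    reached = forest_fire(trustees, seeds, k, p_spoof, random.Random(seed)) - set(seeds)
    return len(reached) / len(targets)

# Constructed sample: six users u1..u6 plus two hub accounts h1, h2 that are the seeds.
SEEDS = {"h1", "h2"}
# Unconstrained selection: everyone picked the same two popular hubs as trustees.
UNCAPPED = {f"u{i}": ["h1", "h2"] for i in range(1, 7)}
# Constrained selection: no account is trustee for more than two others.
CAPPED = {
    "u1": ["h1", "u2"], "u2": ["h2", "u1"], "u3": ["u1", "u4"],
    "u4": ["u2", "u3"], "u5": ["u3", "u6"], "u6": ["u4", "u5"],
}

if __name__ == "__main__":
    for name, graph in (("uncapped", UNCAPPED), ("capped", CAPPED)):
        print(name, fraction_reached(graph, SEEDS, k=2))
```

With p_spoof=0 the two seeds reach every user in the uncapped graph but none in the capped one, since no capped user has two already-compromised trustees; raising p_spoof or lowering k shows how social-engineering success and a low threshold erode that protection.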