Fourth-factor authentication

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Fourth-factor authentication: somebody you know

Full text

Pdf (372 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 13th ACM conference on Computer and communications security table of contents

Alexandria, Virginia, USA

SESSION: Privacy and authentication table of contents

Pages: 168 - 178

Year of Publication: 2006

ISBN:1-59593-518-5

Authors

John Brainard	RSA Laboratories, Bedford, MA
Ari Juels	RSA Laboratories, Bedford, MA
Ronald L. Rivest	MIT CSAIL, Cambridge, MA
Michael Szydlo	RSA Laboratories, Bedford, MA
Moti Yung	RSA Laboratories, Bedford, MA

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 34, Downloads (12 Months): 305, Citation Count: 2

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1180405.1180427 What is a DOI?

ABSTRACT

User authentication in computing systems traditionally depends on three factors: something you have (e.g., a hardware token), something you are (e.g., a fingerprint), and something you know (e.g., a password). In this paper, we explore a fourth factor, the social network of the user, that is, somebody you know.Human authentication through mutual acquaintance is an age-old practice. In the arena of computer security, it plays roles in privilege delegation, peer-level certification, help-desk assistance, and reputation networks. As a direct means of logical authentication, though, the reliance of human being on another has little supporting scientific literature or practice.In this paper, we explore the notion of vouching, that is, peer-level, human-intermediated authentication for access control. We explore its use in emergency authentication, when primary authenticators like passwords or hardware tokens become unavailable. We describe a practical, prototype vouching system based on SecurID, a popular hardware authentication token. We address traditional, cryptographic security requirements, but also consider questions of social engineering and user behavior.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	v-GO SSPR 5.0 product description. Referenced 2006 at www.passlogix.com.
	2	Simple Distributed Security Infrastructure (SDSI) web page, 2001. Referenced 2006 at http://theory.lcs.mit.edu/~cis/sdsi.html.
	3	PeopleSoft and Courion deliver integrated password management solution, 27 August 2001. Press release. Referenced 2006 at www.courion.com.
	4	Matt Blaze , Joan Feigenbaum , Angelos D. Keromytis, KeyNote: Trust Management for Public-Key Infrastructures (Position Paper), Proceedings of the 6th International Workshop on Security Protocols, p.59-63, April 15-17, 1998
	5	Matt Blaze , Joan Feigenbaum , Martin Strauss, Compliance Checking in the PolicyMaker Trust Management System, Proceedings of the Second International Conference on Financial Cryptography, p.254-274, February 23-25, 1998
	6	W. Eazel. 'Live phishing' experiment nets consumers hook, line, and sinker. SC Magazine, 8 November 2005. Referenced 2006 at www.scmagazine.com.
	7	C. Ellison. UPnP security ceremonies design document: For UPnP device architecture 1.0, 3 October 2003. Referenced 2006 at http://www.upnp.org.
	8	C. Ellison, SPKI Requirements, RFC Editor, 1999
	9	V. Griffith and M. Jakobsson. Messin' with Texas: Deriving mothers' maiden names using public records. In J. Ioannidis, A. D. Keromytis, and M. Yung, editors, Applied Cryptography and Network Security (ACNS), pages 91--103. Springer-Verlag, 2005. LNCS no. 3531.
	10	RSA Security Inc. RSA SecurID authenticators, 2006. Product Specification. Referenced 2006 at www.rsasecurity.com.
	11	J. Jubak. Globalization isn't what's killing GM. MSN Money, 29 November 2005. Referenced 2006 at moneycentral.msn.com.
	12	D. V. Klein. Foiling the cracker: A survey of and improvements to, password security. In UNIX Security II: USENIX Workshop Proceedings, pages 5--14, Berkeley, CA, 1990.
	13	J. Leyden. Office workers give away passwords for a cheap pen. The Register, 18 April 2003. Referenced 2006 at www.theregister.co.uk.
	14	Jonathan M. McCune , Adrian Perrig , Michael K. Reiter, Seeing-Is-Believing: Using Camera Phones for Human-Verifiable Authentication, Proceedings of the 2005 IEEE Symposium on Security and Privacy, p.110-124, May 08-11, 2005 [doi>10.1109/SP.2005.19]
	15	Kevin D. Mitnick , William L. Simon , William Simon, The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons, Inc., New York, NY, 2002
	16	T. Pullar-Strecker. NZ bank adds security online. Sidney Morning Herald, 8 November 2004. Referenced 2006 at www.smh.com.au.
	17	B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. Mitchell. Stronger password authentication using browser extensions. In P. McDaniel, editor, USENIX Security, pages 17--32, 2005.

CITED BY 2

	Stuart Schechter , Robert W. Reeder, 1 + 1 = you: measuring the comprehensibility of metaphors for configuring backup authentication, Proceedings of the 5th Symposium on Usable Privacy and Security, July 15-17, 2009, Mountain View, California
	Stuart Schechter , Serge Egelman , Robert W. Reeder, It's not what you know, but who you know: a social approach to last-resort authentication, Proceedings of the 27th international conference on Human factors in computing systems, April 04-09, 2009, Boston, MA, USA