It's not what you know, but who you know: a social approach to last-resort authentication
Conference on Human Factors in Computing Systems
Proceedings of the 27th international conference on Human factors in computing systems
Boston, MA, USA
SESSION: Security and privacy
Pages 1983-1992
Year of Publication: 2009
ISBN: 978-1-60558-246-7
ABSTRACT
Backup authentication mechanisms help users who have forgotten their passwords regain access to their accounts, or at least try to. Today's systems fall short in meeting both security and reliability requirements. We designed, built, and tested a new backup authentication system that employs a social-authentication mechanism. The system relies on trustees previously appointed by the account holder to verify the account holder's identity. We ran three experiments to determine whether the system could (1) reliably authenticate account holders, (2) resist email attacks that target trustees by impersonating account holders, and (3) resist phone-based attacks from individuals close to account holders. Results were encouraging: seventeen of the nineteen participants who made the effort to call trustees authenticated successfully. However, we also found that users must be reminded of who their trustees are. While email-based attacks were largely unsuccessful, stronger countermeasures will be required to counter highly personalized phone-based attacks.