Social Authentication: Vulnerabilities, Mitigations, and Redesign [MSc Thesis]


We point out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment. We empirically calculate the probability of an attacker obtaining the information necessary to solve SA tests, both when relying on publicly accessible data and when following a more active approach to gather restricted information. We design an automated attack able to break SA, demonstrating the feasibility of carrying out large-scale attacks against social authentication with minimal effort on the attacker's part. We then revisit the SA concept and propose reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.

  • NATO CCDCOE Best Student Thesis Award, as the best thesis published on cyber defence topics. Awarded during the International Conference on Cyber Conflict (CyCon 2014), Tallinn
  • "Innovation in Information Security" Thesis Award (Premio Tesi Clusit: 'Innovare la sicurezza delle informazioni'), as the 2nd best thesis published in Italy in 2013. Awarded during the Security Summit 2014, Milan
  • CyCon 2014
  • DEEPSEC 2014
  • All Your Face Are Belong to Us: Breaking Facebook's Social Authentication (ACSAC 2012)
  • Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication (CCS 2014)
  • Social Authentication: Vulnerabilities, Mitigations, and Redesign (DEEPSEC 2014)