Secure Fallback Authentication and the Trusted Friend Attack

Fallback authentication, i.e., recovering access to an account after the password is lost, is an important aspect of real-world deployment of authentication solutions. However, most proposed and deployed mechanisms have substantial weaknesses that seriously degrade security and/or usability. A promising new fallback authentication mechanism is social authentication, which bases authentication on information about the social context of the user (e.g., on his social graph). We consider fallback authentication mechanisms deployed in practice on a number of social network sites (we concentrate on social networks because those can realistically implement social authentication). Our main contribution is a novel attack against Facebook's social authentication mechanism called Trusted Friends, which is the prime example for social authentication. Our attack is different from previous attacks in that it does not exploit bias in user choice but exploits tests that are realized client-side (but should be server-side) and POST-data fields that can be manipulated by an attacker. Furthermore, we found problems with all fallback authentication mechanisms used by social network sites, and demonstrate a number of cases where we can circumvent the schemes used. These findings are problematic as successfully breaking the fallback authentication gives full access to an account, just as breaking the main authentication mechanism. We conclude that implementations of fallback authentication mechanisms require more attention, both on a conceptual and an implementation level, as even seemingly minor implementation details can have a broad impact on the overall security. We have responsibly reported all attacks to the respective security teams well in advance of publication.