Fourth-factor authentication: somebody you know
Source: Conference on Computer and Communications Security
Proceedings of the 13th ACM conference on Computer and communications security
Alexandria, Virginia, USA
SESSION: Privacy and authentication
Pages: 168 - 178
Year of Publication: 2006
ISBN: 1-59593-518-5
Authors
John Brainard  RSA Laboratories, Bedford, MA
Ari Juels  RSA Laboratories, Bedford, MA
Ronald L. Rivest  MIT CSAIL, Cambridge, MA
Michael Szydlo  RSA Laboratories, Bedford, MA
Moti Yung  RSA Laboratories, Bedford, MA
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1180405.1180427

ABSTRACT

User authentication in computing systems traditionally depends on three factors: something you have (e.g., a hardware token), something you are (e.g., a fingerprint), and something you know (e.g., a password). In this paper, we explore a fourth factor, the social network of the user, that is, somebody you know.

Human authentication through mutual acquaintance is an age-old practice. In the arena of computer security, it plays roles in privilege delegation, peer-level certification, help-desk assistance, and reputation networks. As a direct means of logical authentication, though, the reliance of one human being on another has little supporting scientific literature or practice.

In this paper, we explore the notion of vouching, that is, peer-level, human-intermediated authentication for access control. We explore its use in emergency authentication, when primary authenticators like passwords or hardware tokens become unavailable. We describe a practical, prototype vouching system based on SecurID, a popular hardware authentication token. We address traditional, cryptographic security requirements, but also consider questions of social engineering and user behavior.


