Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication

Authors

Iasonas Polakis, Panagiotis Ilia, Federico Maggi, Marco Lancini, Georgios Kontaxis, Stefano Zanero, Sotiris Ioannidis, Angelos D. Keromytis

Venue

Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS), November 2014

Abstract

In an effort to hinder attackers from compromising user accounts, Facebook launched a form of two-factor authentication called social authentication (SA), where users are required to identify photos of their friends to complete a log-in attempt. Recent research, however, demonstrated that attackers can bypass the mechanism by employing face recognition software. Here we demonstrate an alternative attack. that employs image comparison techniques to identify the SA photos within an offline collection of the users' photos. In this paper, we revisit the concept of SA and design a system with a novel photo selection and transformation process, which generates challenges that are robust against these attacks. The intuition behind our photo selection is to use photos. that fail software-based face recognition, while remaining recognizable to humans who are familiar with the depicted people. The photo transformation process. creates challenges in the form of photo collages, where faces are transformed so as to render image matching techniques ineffective. We experimentally confirm the robustness of our approach against three template. matching algorithms that solve 0.4% of the challenges, while requiring four orders of magnitude more processing effort. Furthermore, when the transformations are applied, face detection software fails to detect even a single face. Our user studies confirm that users are able to identify their friends in over 99% of the photos with faces unrecognizable by software, and can solve over 94\% of the challenges with transformed photos.

BibTeX

@inproceedings{Polakis2014Faces_in,
  title     = {{Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication}},
  author    = {Polakis, Iasonas and Ilia, Panagiotis and Maggi, Federico and Lancini, Marco and Kontaxis, Georgios and Zanero, Stefano and Ioannidis, Sotiris and Keromytis, Angelos D.},
  booktitle = {Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security},
  series    = {CCS},
  month     = {November},
  year      = {2014},
  address   = {New York, NY, USA},
  doi       = {10.1145/2660267.2660317},
  isbn      = {978-1-4503-2957-6},
  pages     = {501--512},
  publisher = {ACM},
  url       = {http://dx.doi.org/10.1145/2660267.2660317}
}