all our face are belong to us: breaking facebook's social authentication
DESCRIPTION

I delivered a talk based on this presentation at http://hek.si 2013 in Ljubljana. This presentation is based on the joint research that we did in 2011–2012, whose results were first presented at ACSAC 2012 in December.

Authors: Jason Polakis, Marco Lancini, Georgios Kontaxis, Federico Maggi, Sotiris Ioannidis, Angelos Keromytis, and Stefano Zanero

Abstract: Two-factor authentication is widely used by high-value services to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication, which requires users to identify some of their friends in randomly selected photos. A recent study has provided a formal analysis of social authentication weaknesses against attackers inside the victim’s social circles. In this paper, we extend the threat model and study the attack surface of social authentication in practice, and show how any attacker can obtain the information needed to solve the challenges presented by Facebook. We implement a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluate it using real public data collected from Facebook. Under the assumptions of Facebook’s threat model, our results show that an attacker can obtain access to (sensitive) information for at least 42% of a user’s friends that Facebook uses to generate social authentication challenges. By relying solely on publicly accessible information, a casual attacker can solve 22% of the social authentication tests in an automated fashion, and gain a significant advantage for an additional 56% of the tests, as opposed to just guessing. Additionally, we simulate the scenario of a determined attacker placing himself inside the victim’s social circle by employing dummy accounts. In this case, the accuracy of our attack greatly increases and reaches 100% when 120 faces per friend are accessible by the attacker, even though it is very accurate with as little as 10 faces.

Paper (PDF): http://tinyurl.com/socialauth

TRANSCRIPT
![Page 1: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/1.jpg)
ALL YOUR FACE ARE BELONG TO US
BREAKING FACEBOOK'S SOCIAL AUTHENTICATION
FEDERICO MAGGI
NECSTLAB, POLITECNICO DI MILANO
![Page 2: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/2.jpg)
ABOUT THE TITLE
JAPANESE-TO-ENGLISH TRANSLATION ERROR
EU EDITION OF "ZERO WING" CONSOLE GAME, 1991
BECAME AN INTERNET MEME, 2000
"All Your Face are Belong to Us"
![Page 3: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/3.jpg)
CATS:連邦政府軍のご協力により、君達の基地は、全てCATSがいただいた。
CATS: All your base are belong to us.
CATS: With the cooperation of Federation Forces, all of your bases now belong to us.
![Page 4: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/4.jpg)
![Page 5: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/5.jpg)
JOINT WORK
MARCO LANCINI, FEDERICO MAGGI, STEFANO ZANERO
POLITECNICO DI MILANO, ITALY
JASON POLAKIS, SOTIRIS IOANNIDIS
FORTH, GREECE
GEORGIOS KONTAXIS, ANGELOS KEROMYTIS
COLUMBIA UNIVERSITY, US
ACCEPTED AT ACSAC 2012
![Page 6: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/6.jpg)
ONLINE SOCIAL NETWORKS
![Page 7: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/7.jpg)
ONLINE SOCIAL NETWORKS (2013)
| Network | Registered Users | Active Users |
|---|---|---|
| Facebook | 1+ billion | 1 billion |
| Tencent QQ | 784+ million | 712 million |
| Google+ | 500+ million | 235 million |
| Twitter | 500+ million | 200+ million |
| Linkedin | 200+ million | 160 million |
| Tencent Qzone | 597+ million | 150 million |
| Sina Weibo | 400+ million | 100+ million |
| Windows Live | 100 million | 100 million |
| | 100+ million | 100 million |

Wikipedia, "List of virtual communities with more than 100 million active users"
![Page 8: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/8.jpg)
ONLINE SOCIAL NETWORKS
FACEBOOK REACHED 1+ BILLION ACTIVE USERS
1/7th OF THE WORLD POPULATION
MASSIVE USER BASE
APPEALING TARGET FOR ONLINE CRIME
![Page 9: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/9.jpg)
ONLINE SOCIAL NETWORKS ABUSED
IDENTITY THEFT
SPAMMING
PHISHING
SELLING CREDIT CARDS
SELLING STOLEN ACCOUNTS
![Page 10: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/10.jpg)
MALICIOUS FACEBOOK ACCOUNTS
Gao et al., "Detecting and Characterizing Social Spam Campaigns"
ACM Internet Measurement Conference, 2010
97% ARE REAL, COMPROMISED ACCOUNTS
![Page 11: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/11.jpg)
MAIN CAUSES OF STOLEN ACCOUNTS
INFORMATION-STEALING MALWARE
SOCIAL ENGINEERING
PHISHING
![Page 12: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/12.jpg)
KEEPING STOLEN ACCOUNTS SAFE
MULTI-FACTOR AUTHENTICATION
SOMETHING YOU KNOW: A PASSWORD
SOMETHING YOU HAVE: A TOKEN
![Page 13: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/13.jpg)
Paul Applegate, http://www.flickr.com/photos/mrapplegate/1287965486/
![Page 14: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/14.jpg)
DRAWBACKS
LOW ACCEPTANCE
CUMBERSOME
CAN BE LOST
![Page 15: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/15.jpg)
FACEBOOK'S APPROACH
SOMETHING YOU HAVE (TOKEN)
SOMEONE YOU KNOW (FRIEND)
![Page 16: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/16.jpg)
![Page 17: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/17.jpg)
"A CONTINUED COMMITMENT TO SECURITY"
https://www.facebook.com/blog/blog.php?post=486790652130
![Page 18: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/18.jpg)
![Page 19: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/19.jpg)
WHEN DOES IT COME INTO PLAY?
GEO LOCATION THAT YOU NEVER ACCESSED FROM
FIRST TIME YOU USE A COMPUTER
![Page 20: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/20.jpg)
HOW DOES IT WORK?
7 FRIENDS TO IDENTIFY
3 PHOTOS PER FRIEND
6 SUGGESTIONS
2 MISTAKES
FRIENDS PHOTOS TAGS
GROUND TRUTH
![Page 21: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/21.jpg)
ADVANTAGES OF SOCIAL AUTHENTICATION
PEOPLE ACCUSTOMED TO TAGGING FRIENDS
MORE USER FRIENDLY THAN A TOKEN
LOOKS LIKE A GAME
![Page 22: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/22.jpg)
ADVERSARY MODEL
ANYONE OUTSIDE THE VICTIM'S SOCIAL CIRCLE
A STRANGER
CLOSE COMMUNITIES
CLOSE FRIENDS
FAMILY
![Page 23: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/23.jpg)
ASSUMPTION
THE ATTACKER CANNOT INFILTRATE INTO THE VICTIM'S SOCIAL CIRCLE
![Page 24: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/24.jpg)
SECURITY WEAKNESSES
5 FRIENDS TO IDENTIFY
3 PHOTOS PER FRIEND
6 SUGGESTIONS
2 MISTAKES
This information is publicly available to some degree.
![Page 25: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/25.jpg)
CAN AN ATTACKER BYPASS SOCIAL AUTHENTICATION
AUTOMATICALLY?
(#1 CASUAL ATTACKER)
![Page 26: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/26.jpg)
FRIENDS
![Page 27: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/27.jpg)
SECURITY WEAKNESSES TAKE 2
7 5 FRIENDS TO IDENTIFY
3 PHOTOS PER FRIEND
6 SUGGESTIONS
2 MISTAKES
FRIENDS PHOTOS TAGS
GROUND TRUTH
![Page 28: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/28.jpg)
PUBLIC FRIENDS LIST
47% OF USERS LEAVE THEIR FRIEND LIST PUBLIC
R. Dey et al., Facebook users have become much more private: A large-scale study.
IEEE Workshop on Security and Social Networking, 2012
"Are friend lists publicly reachable?"
![Page 29: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/29.jpg)
CAN AN ATTACKER BYPASS SOCIAL AUTHENTICATION
AUTOMATICALLY?
(#2 DETERMINED ATTACKER)
![Page 30: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/30.jpg)
ACCEPT BEFRIEND REQUESTS?
70% OF USERS ACCEPT BEFRIEND REQUESTS BLINDLY
D. Irani et al., Reverse social engineering attacks in online social networks.
DIMVA 2011
100%-47% = 53% OF USERS LEAVE THEIR FRIEND LIST PRIVATE
![Page 31: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/31.jpg)
MATH: FRIEND LIST REACHABILITY
47% OF USERS LEAVE THEIR FRIEND LIST PUBLIC
53% OF USERS LEAVE THEIR FRIEND LIST PRIVATE
70% OF USERS ACCEPT BEFRIEND REQUESTS BLINDLY
47% + 53% * 70%
84% OF THE USERS
![Page 32: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/32.jpg)
FRIENDS (84%) PHOTOS TAGS
GROUND TRUTH
![Page 33: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/33.jpg)
PHOTOS
![Page 34: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/34.jpg)
PUBLIC PHOTOS: A CLOSER LOOK
71% OF THE USERS LEAVE THEIR PHOTOS PUBLIC
We measured this on a sample of 236,752 Facebook users.
"Are photos publicly reachable?"
FRIENDS PHOTOS TAGS
GROUND TRUTH
![Page 35: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/35.jpg)
MATH: PHOTO REACHABILITY
71% OF THE USERS LEAVE THEIR PHOTOS PUBLIC
29% OF USERS LEAVE THEIR PHOTOS PRIVATE
70% OF USERS ACCEPT BEFRIEND REQUESTS BLINDLY
84% * (71% + 29% * 70%)
77% OF THE USERS
![Page 36: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/36.jpg)
FRIENDS (84%) PHOTOS (77%) TAGS
GROUND TRUTH
![Page 37: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/37.jpg)
TAGS
![Page 38: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/38.jpg)
PUBLIC TAGS
42% OF THE TAGS ARE REACHABLE
PUBLIC TAGS + PRIVATE TAGS ON PUBLIC PHOTOS
We measured this on a sample of 236,752 Facebook users.
"Are tags publicly reachable?"
FRIENDS PHOTOS TAGS
GROUND TRUTH
![Page 39: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/39.jpg)
FRIENDS (84%) PHOTOS (77%) TAGS (42%)
GROUND TRUTH
![Page 40: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/40.jpg)
THE GUESS SPACE FOR AN ATTACKER IS NARROW.
![Page 41: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/41.jpg)
COULD AN ATTACKER NARROW IT FURTHER?
![Page 42: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/42.jpg)
PHOTOS TAKE 2
![Page 43: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/43.jpg)
PUBLIC PHOTOS A CLOSER LOOK
82% OF PHOTOS IN SOCIAL AUTH. CONTAIN FACES
vs.
ONLY 69% OF PHOTOS CONTAIN FACES OVERALL
We measured this on a sample of 6,115 photos.
"Does Facebook select the photos for social auths?"
FRIENDS PHOTOS TAGS
GROUND TRUTH
![Page 44: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/44.jpg)
FACEBOOK PICKS PHOTOS THAT CONTAIN FACES.
![Page 45: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/45.jpg)
FRIENDS (84%) PHOTOS (77%) TAGS (42%)
GROUND TRUTH
82%
![Page 46: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/46.jpg)
PRACTICAL ATTACK STEP 1
CRAWLING FRIENDS LIST OF THE VICTIM (1)
COLLECTING THEIR TAGGED PHOTOS (2)
FACE MODELING (3)
DATABASE OF FACE MODELS
![Page 47: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/47.jpg)
Who is "Mister X"?
NAME! FACE RECOGNITION PHOTO
SOCIAL AUTHENTICATION
PRACTICAL ATTACK STEP 2
DATABASE OF FACE MODELS
![Page 48: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/48.jpg)
FACE MODELING AND RECOGNITION
what did we use?
![Page 49: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/49.jpg)
![Page 50: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/50.jpg)
acquired by
![Page 51: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/51.jpg)
SO, AN ATTACKER COULD EVEN USE FACEBOOK'S OWN TECHNOLOGY TO
BYPASS ITS SOCIAL AUTHENTICATION
AH...THE IRONY
![Page 52: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/52.jpg)
EXPERIMENTAL EVALUATION
CASUAL ATTACKER
ONLY PUBLICLY AVAILABLE INFORMATION
NO BEFRIEND REQUESTS
![Page 53: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/53.jpg)
SUCCESS OF THE CASUAL ATTACKER
22% FULL SOLUTION
56% 1–2 GUESSES NEEDED
78% OVERALL (2 MISTAKES ALLOWED)
![Page 54: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/54.jpg)
WHEN THE CASUAL ATTACKER FAILS
25% NO FACES IN THE PHOTOS
50% UNRECOGNIZABLE FACE
25% NO FACE MODEL FOUND
![Page 55: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/55.jpg)
![Page 56: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/56.jpg)
EXPERIMENTAL EVALUATION
DETERMINED ATTACKER
ACCESS TO 77% OF THE PHOTOS
EMULATED OFFLINE
![Page 57: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/57.jpg)
SUCCESS OF THE DETERMINED ATTACKER
| FACES CRAWLED | MINIMUM SUCCESS RATE |
|---|---|
| 30 | 42% |
| 90 | 57% |
| 120 | 100% |
![Page 58: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/58.jpg)
![Page 59: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/59.jpg)
SPEED OF THE DETERMINED ATTACKER
| MAX TIME REQUIRED | MINIMUM SUCCESS RATE |
|---|---|
| 100s | 42% |
| 140s | 57% |
| 150s | 100% |

< TIMEOUT
![Page 60: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/60.jpg)
![Page 61: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/61.jpg)
FACEBOOK RESPONSE
ACKNOWLEDGED OUR RESULTS
SOCIAL AUTH. MEANT AS A "WEAK" PROTECTION
INEFFECTIVE AGAINST TARGETED ATTACKS
USERS CAN USE LOGIN APPROVAL (WHO DOES IT?)
![Page 62: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/62.jpg)
QUICK REMEDIATIONS
OPT-IN LOGIN APPROVAL (USERS)
REMOVE SUGGESTIONS (FACEBOOK)
REDUCE TIMEOUT (FACEBOOK)
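An added worked example, not part of the original slides or the authors' code: it turns the challenge parameters from the "HOW DOES IT WORK?" slide (7 friends, 6 suggestions, 2 mistakes allowed) into exact pass probabilities, and shows how much the REMOVE SUGGESTIONS remediation shrinks them. It assumes every page the solver cannot answer is an independent uniform guess; the function names and the 200-name friend list are constructed for illustration.

```python
"""Added example: strength of the photo challenge against guessing."""
from fractions import Fraction
from math import comb


def pass_probability(pages, choices, mistakes_allowed, known_pages=0):
    """Exact probability of passing a challenge made of `pages` friends.

    `known_pages` pages are answered correctly (for instance because the
    friend's tagged photos were reachable); every other page is a uniform
    random pick among `choices` names. Independence of the guesses is an
    assumption of this example.
    """
    if not 0 <= known_pages <= pages or mistakes_allowed < 0 or choices < 1:
        raise ValueError("inconsistent challenge parameters")
    guessed = pages - known_pages
    # Correct guesses still required once the known pages are counted.
    need = max(0, pages - mistakes_allowed - known_pages)
    p = Fraction(1, choices)
    # Upper tail of a binomial distribution: at least `need` lucky guesses.
    return sum(
        (comb(guessed, k) * p**k * (1 - p) ** (guessed - k)
         for k in range(need, guessed + 1)),
        Fraction(0),
    )


def sweep(pages, choices, mistakes_allowed):
    """Pass probability for every possible number of known pages."""
    return {
        known: pass_probability(pages, choices, mistakes_allowed, known)
        for known in range(pages + 1)
    }


# Constructed value: with the suggestions removed, a blind guess has to be
# drawn from the whole friend list instead of six proposed names.
ASSUMED_FRIEND_COUNT = 200

if __name__ == "__main__":
    settings = (
        ("6 suggestions", 6),
        ("no suggestions", ASSUMED_FRIEND_COUNT),
    )
    for label, choices in settings:
        for known, prob in sweep(7, choices, 2).items():
            print(f"{label:15} known pages={known}  P(pass)={float(prob):.6f}")
```

With two mistakes allowed, knowing five of the seven friends already guarantees a pass, which is why partial reachability of tagged photos is enough to defeat the challenge.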
![Page 63: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/63.jpg)
RETHINKING SOCIAL AUTHENTICATION
PEOPLE CAN RECOGNIZE THEIR FRIENDS "LOOK"
USE PHOTOS WITH NO FACES
FACE RECOGNITION
![Page 64: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/64.jpg)
CONCLUSIONS
SOCIAL AUTH. INEFFECTIVE FOR 84% OF THE USERS
THREAT MODEL EXCLUDES OUR TARGETED ATTACK
CLOUD-BASED FACE-RECOGNITION MADE IT EASIER
SOCIAL AUTHENTICATION SHOULD BE REVISITED
![Page 65: All Our Face are Belong to us: Breaking Facebook's Social Authentication](https://reader033.vdocuments.site/reader033/viewer/2022042813/546254deb4af9f711c8b4720/html5/thumbnails/65.jpg)
FEDERICO MAGGI: @PHRETOR HTTP://MAGGI.CC
FACE
THANK YOU!