| In this thesis we present a scheme for automating authentication based on social factors using mobile phones. We test its feasibility by running simulations on an existing dataset. We implement two protocols one based on public key infrastructure and the other on hash chains. Then we consider possible threat scenarios.;Recently it has been suggested that a fourth factor: someone you know also be part of the authentication process. This technique has been applied to the problem of emergency authentication, as a replacement for challenge questions or calls to a help-desk. The idea is that the user uses a token and pin to authenticate himself. If the user forgets his token, he can ask a friend who has their token to grant him a temporary password. Thus fourth factor or social authentication is based on the process of vouching. In this method a user asks a friend to vouch for them, that is the friend must recognize the user and then issue some proof of this recognition, which the user then uses to log in to the service. In , this vouching was done explicitly, with the user contacting a friend and literally asking for a vouching code. In this thesis we will use users' cellphones to automate this process.;Whenever a user calls a friend, a token will be issued "vouching" for this contact.;Web applications such as online banking, online shopping carts, and so on, depend on the user authenticating himself securely. Traditionally this involves a username and password and if more security is required an electronic token is used in addition to this password. Other than these two "factors" there is also biometrics, such as fingerprints, retinal scans and voice recognition. Thus the traditional systems use some combination of these three factors: something you know (passwords), something you have (tokens) and something you are (biometrics). |
