Information Security Summit 2009

Invited Talk by Mike Just

Account Recovery: Authentication's Dirty Secret?

It would appear that everyone is guarding the front door: password rules, together with update and length requirements, already stretch human processing and recall abilities, but are often accepted in the name of security. Attackers, however, have begun to realize that impersonation can be made easier by trying to recover a user's account. By entering this back door, which relies on an alternative authentication approach, an attacker will potentially encounter less rigorous security, e.g. security based on knowledge of a user's mother's maiden name or first school attended. A recent, prominent example was the alleged hack of US vice presidential candidate Sarah Palin's email account via her recovery questions. Yet despite the ubiquitous use of such recovery mechanisms, there is surprisingly little published research on the topic. In this talk, the presenter will review the research that does exist (including some of his own) and discuss what this means for the future of authentication.
