Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication


In an effort to hinder attackers from compromising user accounts, Facebook launched a form of two-factor authentication called social authentication (SA), where users are required to identify photos of their friends to complete a log-in attempt. Recent research, however, demonstrated that attackers can bypass the mechanism by employing face recognition software. Here we demonstrate an alternative attack that employs image comparison techniques to identify the SA photos within an offline collection of the users' photos. In this paper, we revisit the concept of SA and design a system with a novel photo selection and transformation process, which generates challenges that are robust against these attacks. The intuition behind our photo selection is to use photos that fail software-based face recognition, while remaining recognizable to humans who are familiar with the depicted people. The photo transformation process creates challenges in the form of photo collages, where faces are transformed so as to render image matching techniques ineffective. We experimentally confirm the robustness of our approach against three template matching algorithms that solve 0.4 percent of the challenges, while requiring four orders of magnitude more processing effort. Furthermore, when the transformations are applied, face detection software fails to detect even a single face. Our user studies confirm that users are able to identify their friends in over 99 percent of the photos with faces unrecognizable by software, and can solve over 94 percent of the challenges with transformed photos.

Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
New York, NY, USA