What happens when you forget your password? Often there is an automatic recovery procedure that lets you get it back. Sometimes it is just authentication through an email address, i.e. the password or a new one is sent to the address you registered. More often, it uses secret questions that are supposed to authenticate you, for instance the name of your pet or your birth town. Obviously, these secret questions have two problems:
- They are easy to guess because they are too simple. You may harden them by cheating with the answer, but then you need to remember your cheating.
- If they are too complex, you may have forgotten the answer.
In other words, they are inadequate, although widely deployed.
SCHECHTER S., EGELMAN S. and REEDER R. from Microsoft describe an interesting solution to this problem in “It’s not what you know, but who you know”. Each user defines a list of trustees. Each trustee receives a recovery code. To retrieve the password, the user must obtain their recovery codes from his/her trustees.
The experiment highlighted two issues:
- After a while, the user often forgets who his/her trustees are. Thus, you need a procedure to retrieve the trustees’ identities.
- Many trustees would provide the recovery code to someone close to the user.
I would also add one major one. It takes a lot of time. One subject took 5 days to get three recovery codes. Often, you want immediate access.
Nevertheless, it is an interesting paper to read. I recommend the section that describes how the trustee gets the recovery code. It was designed to highlight many risks of social engineering. Nice work.
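To make the trustee scheme concrete, here is an added example of a minimal server-side model of it, written for this post and not taken from the paper: a hypothetical `TrusteeRecovery` class that issues one random code per trustee, keeps only a keyed hash of each code, and unlocks recovery once valid codes from a threshold of distinct trustees are presented. The threshold value, code format and server key are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class TrusteeRecovery:
    """Hypothetical server-side model of trustee-based password recovery.

    Each trustee is issued a random recovery code. The server stores only an
    HMAC of (user, trustee, code), so a leaked database does not reveal codes
    and a code handed to one trustee cannot be replayed under another name.
    Recovery succeeds when at least `threshold` distinct trustees' codes verify.
    """

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._accounts = {}  # user -> {"threshold": k, "codes": {trustee: digest}}

    def _digest(self, user: str, trustee: str, code: str) -> str:
        msg = f"{user}|{trustee}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def enroll(self, user: str, trustees: list, threshold: int) -> dict:
        """Register trustees; returns the codes to deliver to each one out of band."""
        if not 1 <= threshold <= len(trustees):
            raise ValueError("threshold must be between 1 and the number of trustees")
        issued, stored = {}, {}
        for t in trustees:
            code = secrets.token_hex(8)  # constructed 16-hex-char code format
            issued[t] = code
            stored[t] = self._digest(user, t, code)
        self._accounts[user] = {"threshold": threshold, "codes": stored}
        return issued

    def trustees_of(self, user: str) -> list:
        """Reminder for the first issue in the post: users forget their trustees."""
        return sorted(self._accounts[user]["codes"])

    def recover(self, user: str, presented: dict) -> bool:
        """presented maps trustee name -> code the user collected from that trustee."""
        acct = self._accounts[user]
        valid = {
            t for t, c in presented.items()
            if t in acct["codes"]
            and hmac.compare_digest(acct["codes"][t], self._digest(user, t, c))
        }
        return len(valid) >= acct["threshold"]
```

Note that the model cannot address the second issue in the post: a trustee who gives the code to someone close to the user still produces a valid code, so the human delivery step is where social engineering risk remains.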