Fourth-Factor Authentication: Somebody You Know, CCS, 06
Somebody the user knows has been proposed as a fall-back authentication mechanism. The user has a list of helpers and can ask one of them to vouch for him during fall-back authentication. Regular authentication uses a token and a PIN. If the user has lost the token, he can receive a vouch-code from one of his helpers over the telephone or in a face-to-face meeting.
The mechanism requires a nontrivial choice of the user's PIN; otherwise a malicious helper could request a vouch-code as the user and then issue one for himself. The system does log all events, though, for forensics. An administrator has to pair each asker with a helper, so the scheme can only work in an organization where peer groups are available. No user study accompanied the work, leaving the human factors unexamined.
Citation (ACM Ref): John Brainard, Ari Juels, Ronald L. Rivest, Michael Szydlo, and Moti Yung. 2006. Fourth-factor authentication: somebody you know. In Proceedings of the 13th ACM conference on Computer and communications security (CCS '06). ACM, New York, NY, USA, 168-178. DOI=10.1145/1180405.1180427 http://doi.acm.org/10.1145/1180405.1180427
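The vouching flow summarized above, as an added example that is not code from the paper: a constructed, simplified server model in which the administrator pairs askers with helpers, a paired helper issues a short-lived single-use vouch-code, the asker redeems it together with his PIN, and every event is written to a log. The PIN check is the step that stops a malicious helper from redeeming a code he issued for himself. Class names, the code length, the validity window and the sample users are assumptions, not details from the paper.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed, simplified model of the vouching flow summarized above.
# It is not the protocol of Brainard et al.; class and parameter names,
# the code length and the validity window are assumptions for illustration.
VOUCH_CODE_TTL = 600         # assumed: a vouch-code is valid for 10 minutes
PBKDF2_ITERATIONS = 100_000  # assumed PIN-hashing cost


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash of the user's PIN so the server stores no raw PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class VouchingServer:
    def __init__(self):
        self.users = {}        # user_id -> {"salt": bytes, "pin_hash": bytes}
        self.helpers = {}      # asker -> set of helper ids paired by the administrator
        self.vouch_codes = {}  # sha256(code) -> {"asker", "helper", "expires"}
        self.log = []          # append-only event log kept for forensics

    def _record(self, event, **fields):
        self.log.append({"time": time.time(), "event": event, **fields})

    def enroll(self, user_id, pin):
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "pin_hash": hash_pin(pin, salt)}
        self.helpers.setdefault(user_id, set())
        self._record("enroll", user=user_id)

    def pair(self, asker, helper):
        """Only the administrator pairs an asker with a helper."""
        self.helpers.setdefault(asker, set()).add(helper)
        self._record("pair", asker=asker, helper=helper)

    def issue_vouch_code(self, helper, asker, now=None):
        """Called after the helper has authenticated with his own token and PIN
        (out of scope here). Returns a short code to read out to the asker."""
        now = time.time() if now is None else now
        if helper not in self.helpers.get(asker, ()):
            self._record("vouch_denied", helper=helper, asker=asker)
            return None
        code = secrets.token_hex(4)  # 8 hex digits, short enough to speak over the phone
        self.vouch_codes[hashlib.sha256(code.encode()).digest()] = {
            "asker": asker, "helper": helper, "expires": now + VOUCH_CODE_TTL}
        self._record("vouch_issued", helper=helper, asker=asker)
        return code

    def redeem(self, asker, code, pin, now=None):
        """Asker presents vouch-code plus PIN; on success he gets a temporary password.
        Every attempt consumes the code, so a helper guessing the PIN leaves a trail."""
        now = time.time() if now is None else now
        entry = self.vouch_codes.pop(hashlib.sha256(code.encode()).digest(), None)
        user = self.users.get(asker)
        if entry is None or user is None or entry["asker"] != asker:
            self._record("redeem_failed", asker=asker, reason="unknown_code")
            return None
        if now > entry["expires"]:
            self._record("redeem_failed", asker=asker, helper=entry["helper"], reason="expired")
            return None
        if not hmac.compare_digest(hash_pin(pin, user["salt"]), user["pin_hash"]):
            # The asker's PIN is what stops a malicious helper from using his own vouch-code.
            self._record("redeem_failed", asker=asker, helper=entry["helper"], reason="bad_pin")
            return None
        self._record("redeem_ok", asker=asker, helper=entry["helper"])
        return secrets.token_urlsafe(16)  # temporary password for the asker


if __name__ == "__main__":
    srv = VouchingServer()
    srv.enroll("alice", "4921")  # constructed sample users and PINs
    srv.enroll("bob", "7730")
    srv.pair("alice", "bob")
    code = srv.issue_vouch_code("bob", "alice")
    print("temporary password:", srv.redeem("alice", code, "4921"))
    for event in srv.log:
        print(event)
```

The `now` parameter exists only so the expiry window can be exercised deterministically; in use the server takes the current time. Consuming the code on every redemption attempt means a helper who tries to guess the asker's PIN burns the code he issued and shows up in the log under his own name, which is the forensic property the notes above point to.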
It's Not What You Know, But Who You Know. A social approach to last-resort authentication, CHI, 09
This study complements the CCS '06 one by supplying the user study. The authors found that users forget whom they selected as their trustees, and that phone-based attacks by close acquaintances often succeed. Email-based attacks did not fare well, because the trustees suspected something fishy in them. Participants took several hours at the least to acquire enough trustee-codes to pass the fall-back authentication, which should not pose too great a problem, because the need for fall-back occurs rarely. The authors started with 43 individuals and were left with only 19, which may signal that the social approach is onerous for the trustees. Individuals who are forgetful need fall-back more often, which results in an asymmetric relationship between people.
Citation (ACM Ref): Stuart Schechter, Serge Egelman, and Robert W. Reeder. 2009. It's not what you know, but who you know: a social approach to last-resort authentication. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '09). ACM, New York, NY, USA, 1983-1992. DOI=10.1145/1518701.1519003 http://doi.acm.org/10.1145/1518701.1519003