At DeepSec 2014, Marco Lancini (CEFRIEL - Politecnico di Milano) gave a presentation on the results of a study that mapped the attack surface of social authentication:
"As social networks have become an integral part of online user activity, a massive amount of personal information is readily available to such services. In an effort to hinder malicious individuals from compromising user accounts, high-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA), which requires users to identify some of their friends in randomly selected photos to be allowed access to their accounts.
In this work, we first studied the attack surface of social authentication, showing how any attacker can obtain the information needed to solve the challenges presented by Facebook. We implemented a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluated it using real public data collected from Facebook. We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information, and we have then designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker.
We then revisited the Social Authentication concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software. Our core concept is to select photos in which state-of-the-art face-recognition software detects human faces, but cannot identify them due to certain characteristics. We implemented a web application that recreates the SA mechanism and conducted a user study that sheds light on user behavior regarding photo tagging, and demonstrated the strength of our approach against automated attacks."
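The two ideas in the abstract, that an SA challenge can be modelled as a run of photos an automated solver either names or does not, and that reSA keeps only photos where a face is detected but not identified, can be made concrete with a small model. The code below is an added illustration written for this page, not code from the talk or from the reSA prototype; the identification threshold, the challenge size (7 photos, 5 required correct), the per-photo solve probabilities and the sample recognition results are all constructed assumptions, not values from the study.

```python
"""Added illustration (not from the talk or the reSA prototype): the reSA
photo-selection rule from the abstract, plus a binomial model of how the
probability that an automated solver passes an SA-style challenge depends
on the fraction of friends' faces it can name.  Every threshold, challenge
size and sample value below is a constructed assumption."""
from dataclasses import dataclass
from math import comb


@dataclass(frozen=True)
class RecognitionResult:
    """Output of a hypothetical face-recognition pass over one photo."""
    photo_id: str
    faces_detected: int           # number of faces the detector found
    best_match_confidence: float  # highest identification score, 0.0..1.0


def resa_selectable(result, identify_threshold=0.6):
    """reSA rule as described in the abstract: keep a photo only if the
    recognizer detects a face but cannot identify it, i.e. its best match
    stays below the (assumed, tunable) identification threshold."""
    return result.faces_detected > 0 and result.best_match_confidence < identify_threshold


def select_resa_photos(results, identify_threshold=0.6):
    """Return the ids of photos that are usable under the reSA rule."""
    return [r.photo_id for r in results if resa_selectable(r, identify_threshold)]


def challenge_pass_probability(p_solve, n_photos, min_correct):
    """Probability that a solver passes a challenge of n_photos photos when
    it must get at least min_correct right and solves each photo
    independently with probability p_solve (binomial upper tail)."""
    if not 0.0 <= p_solve <= 1.0:
        raise ValueError("p_solve must be a probability")
    return sum(
        comb(n_photos, k) * p_solve ** k * (1.0 - p_solve) ** (n_photos - k)
        for k in range(min_correct, n_photos + 1)
    )


# Constructed sample results, not output of any real recognizer.
SAMPLE_RESULTS = [
    RecognitionResult("p1", 1, 0.92),  # face found and confidently named: excluded
    RecognitionResult("p2", 2, 0.35),  # faces found, none identified: usable
    RecognitionResult("p3", 0, 0.00),  # no face at all: unusable for a human too
    RecognitionResult("p4", 1, 0.58),  # face found, just under threshold: usable
]


def demo():
    """Compare an assumed solver on an unfiltered pool (names 80% of photos)
    with the same solver on a reSA-filtered pool (names 20%), for an assumed
    challenge of 7 photos requiring 5 correct answers."""
    chosen = select_resa_photos(SAMPLE_RESULTS)
    unfiltered = challenge_pass_probability(0.8, 7, 5)
    filtered = challenge_pass_probability(0.2, 7, 5)
    return chosen, unfiltered, filtered


if __name__ == "__main__":
    chosen, unfiltered, filtered = demo()
    print("reSA-selectable photos:", chosen)
    print(f"pass probability, unfiltered pool: {unfiltered:.3f}")
    print(f"pass probability, reSA pool:       {filtered:.3f}")
```

The selection rule is the part a defender controls: the threshold decides how confident a recognizer may be before a photo is dropped, and a pool that is too strict starts discarding photos humans also find hard. The binomial model is deliberately simple (it treats photos as independent and ignores the attacker's option to gather more tagged data, which the study measured separately), but it is enough to show why lowering the per-photo identification rate collapses the pass probability for a fixed challenge size.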