IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. , NO. , JANUARY 2017

Social Authentication Applications, Attacks, Defense Strategies and Future Research Directions: A Systematic Review

Noura Alomar, Mansour Alsaleh, Abdulrahman Alarifi

N. Alomar is with the College of Computer and Information Sciences, King Saud University, Riyadh, KSA, e-mail: nnalomar@ksu.edu.sa
M. Alsaleh and A. Alarifi are with King Abdulaziz City for Science and Technology, Riyadh, KSA, e-mails: {maalsaleh, aarifi}@kacst.edu.sa

Abstract—The ever-increasing volumes of social knowledge shared in OSNs, the establishment of trustworthy social relationships over these platforms, and the emergence of technologies that allow friendship networks to be inferred from data exchanged in communication networks have motivated researchers to build socially-aware authentication schemes. We conduct the first study that surveys the literature related to social authentication. In this study, we not only created a taxonomy for classifying all social authentication schemes deployed in online or physical social contexts and extensively analyzed their authentication features, but also built a novel framework for evaluating the effectiveness of all social authentication schemes, identified all the practical and theoretical attacks that may be mounted against such schemes, addressed possible defense strategies, and identified challenges, open questions, and future research opportunities. To measure their accuracy, strengths, weaknesses, and limitations, as well as to identify the potential of knowledge-based and trust-based social authentication schemes, a comprehensive comparative assessment of their security, usability, and deployability was conducted. We hope that, by providing a solid foundation for understanding how users' social interactions have been utilized in user authentication schemes and the corresponding security implications, this study will guide future research in this domain.

Index Terms—Multi-Factor Authentication, Social Authentication, Social Factors, Social Media, Systematic Literature Review.

I. INTRODUCTION

The growing demand that traditional authentication schemes be replaced, coupled with the uniqueness of the social knowledge surrounding every individual, has motivated researchers to exploit human-to-human relationships for authentication purposes. User authentication methods that grant or deny access to restricted content by capturing individuals' social contexts and exploiting users' relationships with others have gained significant attention in the authentication research community. Thus, various socially-aware schemes have been proposed as either primary or secondary authentication mechanisms. The abundance of social data in online social networking sites and the availability of mechanisms for analyzing the social connections between the users of these sites have facilitated the adoption of social authentication techniques on top of these online platforms. For instance, the large number of daily active users (DAUs) on Facebook (e.g., an average of 968 million DAUs in the second quarter of 2015 [1]), in addition to the huge number of photos that are posted on a daily basis (e.g., Facebook reported that its users uploaded more than 250 billion photos, with an average of 350 million daily photo uploads, in 2013 [2]), has contributed to making Facebook an attractive platform for deploying social authentication.
Thus, the expansion of information sharing on Online Social Networks (OSNs), the availability of many different types of social information about the individuals on these platforms, and the ability to visualize the highly sophisticated nature of the human social structures formed in these online virtual worlds appear to provide the required foundation for building secure and effective social authentication schemes [3], [4], [5]. Furthermore, the emergence of communication technologies that enable individuals to be continuously connected to their social communities, and the growing availability of techniques that streamline the process of deriving the social interactions of large user populations from online or offline contexts, could also take existing social authentication schemes in a fundamentally promising direction. In real life, people are naturally skilled at identifying their friends, acquaintances, family members, and enemies, for example, by recognizing their voices or associating them with past experiences [6]. However, in online communities, the visibility of individuals' social interactions is lower. Users' interactions on these virtual platforms may not necessarily resemble their real-world social interactions, as most OSNs allow the creation of multiple anonymous identities [7]. The complexity of verifying the accuracy of social knowledge, and the difficulties involved in extracting and identifying the characteristics of trust relationships that could be utilized for identity verification, further highlight the importance of measuring the robustness of social authentication mechanisms. One of the most important properties that differentiate these mechanisms from traditional authentication methods is that a user's security level is strongly affected by the security of the people that user knows [8].
Thus, users' inappropriate behaviors in social contexts and their misuse of social information could cause significant increases in the number of compromised users in social graphs. Further, the involvement of human factors in social authentication schemes may also contribute to an increase in the number of security vulnerabilities that can be exploited [9], [10]. For instance, a number of social engineering tricks could be employed to leak users' sensitive social knowledge [11]. Therefore, a clear prerequisite

This is the author's version of an article that has been published in this journal. Changes were made to this version by the publisher prior to publication. The final version of record is available at http://dx.doi.org/10.1109/COMST.2017.2651741
Copyright (c) 2017 IEEE. Personal use is permitted. For any other purposes, permission must be obtained from the IEEE by emailing pubs-permissions@ieee.org.