Social authentication has been suggested as a usable authentication ceremony to replace manual key authentication in messaging applications. Using social authentication, chat partners authenticate their peers using digital identities managed by identity providers. In this paper, we formally define social authentication, present a protocol called SOAP that largely automates social authentication, formally prove SOAP's security, and demonstrate SOAP's practicality in two prototypes. One prototype is web-based, and the other is implemented in the open-source Signal messaging application. Using SOAP, users can significantly raise the bar for compromising their messaging accounts. In contrast to the default security provided by messaging applications such as Signal and WhatsApp, attackers must compromise both the messaging account and all identity provider-managed identities to attack a victim. In addition to its security and automation, SOAP is straightforward to adopt as it is built on top of the well-established OpenID Connect protocol.