The primary authentication method for a user account is rarely
the only way to access that account. Accounts can often be ac-
cessed through other accounts, using recovery methods, password
managers, or single sign-on. This increases each account’s attack
surface, giving rise to subtle security problems. These problems
cannot be detected by considering each account in isolation, but
require analyzing the links between a user’s accounts. Furthermore,
to accurately assess the security of accounts, the physical world
must also be considered. For example, an attacker with access to a
physical mailbox could obtain credentials sent by post.

Despite the manifest importance of understanding these interre-
lationships and the security problems they entail, no prior methods
exist to perform an analysis thereof in a precise way. To address this
need, we introduce account access graphs, the first formalism that
enables a comprehensive modeling and analysis of a user’s entire
setup, incorporating all connections between the user’s accounts,
devices, credentials, keys, and documents. Account access graphs
support systematically identifying both security vulnerabilities and
lockout risks in a user’s accounts. We give analysis algorithms and
illustrate their effectiveness in a case study, where we automati-
cally detect significant weaknesses in a user’s setup and suggest
improvement options.