As the number of internet services keeps growing, so does the number of passwords we have to remember. Most of us now protect accounts with additional measures such as two-factor authentication or security questions, and most of us also know the frustration of being locked out when the second factor or the answers are lost. Facebook is now proposing a recovery mechanism that goes beyond these methods.
At the Enigma conference in Oakland, Facebook presented a new approach to account recovery on third-party websites. Called ‘Delegated Recovery,’ it is a protocol that lets an application delegate account recovery to another account controlled by the same user. It is aimed in particular at users who have lost their phone or their 2FA hardware key, or who have forgotten the answers to their security questions.
Facebook security engineer Brad Hill told TechCrunch:
No matter what kind of site you are, you have to deal with the issue that someone will lose their password or their token. We can get you back into your account even if you drop your phone off the boat.
With two-factor authentication enabled, a login typically requires a one-time code sent to your registered phone number in addition to your password. If the phone is lost or simply not at hand, the usual fallbacks are a password reset or an identity check through e-mail, both of which only work as long as you still control that e-mail account.
Delegated Recovery adds a fallback that involves neither your phone nor your e-mail address; what you need is the ability to log in to Facebook. While logged in to both services, you ask a third-party service such as GitHub to generate an encrypted recovery token and save it to your Facebook account. The token is opaque to Facebook: GitHub encrypts it so that only GitHub can read it. Facebook merely stores the token, and at any later time it can be sent back to GitHub to recover your account there.
To recover, you log in to Facebook again and have it send the stored token back. Facebook’s blog post describes the step as follows:
If you ever need to recover your GitHub account, you can re-authenticate to Facebook and we will send the token back to GitHub with a time-stamped counter-signature.
Facebook does not share personal data with GitHub either. GitHub only needs Facebook’s assertion that the person recovering is the one who saved the token, and that assertion can be made without revealing who you are on Facebook. The whole exchange takes a few clicks in the browser and runs over HTTPS.
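The exchange described above, as an added example that is not part of the article or of Facebook’s published specification: the real protocol defines its own binary token format and signing rules, whereas this Go program only models the mechanics, using AES-GCM for the token that GitHub seals and an ECDSA P-256 counter-signature by Facebook over the token and a timestamp. The type and function names (AccountProvider, RecoveryProvider, IssueToken, Recover, Redeem), the 16-byte token id, the five-minute acceptance window and the sample user "alice" are assumptions made for this example; the user’s re-authentication to Facebook is assumed to have already happened when Recover is called.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"time"
)

// AccountProvider is the service being recovered (GitHub in the article); it alone holds the AES-GCM key.
type AccountProvider struct {
	seal        cipher.AEAD       // so the tokens it issues are opaque blobs to everyone else
	recoveryPub *ecdsa.PublicKey  // published verification key of the recovery provider
	issued      map[string][]byte // username -> random id of the token currently on file
}

// RecoveryProvider is the account the user falls back on (Facebook in the article).
type RecoveryProvider struct{ signKey *ecdsa.PrivateKey }

// CounterSigned is the recovery message; Signature is ECDSA over sha256(Token || Timestamp).
type CounterSigned struct {
	Token     []byte
	Timestamp int64 // unix time at which the user re-authenticated to the recovery provider
	Signature []byte
}

func sigDigest(token []byte, ts int64) []byte {
	sum := sha256.Sum256(binary.BigEndian.AppendUint64(append([]byte{}, token...), uint64(ts)))
	return sum[:]
}

// IssueToken seals id || username (nonce prepended) and records the id so that a redeemed
// token is matched to exactly this issuance and to no other copy.
func (ap *AccountProvider) IssueToken(username string) ([]byte, error) {
	buf := make([]byte, 16+ap.seal.NonceSize()) // random token id followed by a random nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	id, nonce := buf[:16:16], buf[16:]
	ap.issued[username] = id
	return ap.seal.Seal(append([]byte{}, nonce...), nonce, append(id, username...), nil), nil
}

// Recover runs once the user has re-authenticated and the blob saved under their account is fetched.
func (rp *RecoveryProvider) Recover(sealed []byte, now time.Time) (*CounterSigned, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, rp.signKey, sigDigest(sealed, now.Unix()))
	return &CounterSigned{Token: sealed, Timestamp: now.Unix(), Signature: sig}, err
}

// Redeem checks the counter-signature and its freshness, opens the token, matches it to the
// issuance record and consumes it, so the same message cannot be replayed.
func (ap *AccountProvider) Redeem(cs *CounterSigned, now time.Time, maxAge time.Duration) (string, error) {
	if !ecdsa.VerifyASN1(ap.recoveryPub, sigDigest(cs.Token, cs.Timestamp), cs.Signature) {
		return "", errors.New("counter-signature does not verify")
	}
	if age := now.Sub(time.Unix(cs.Timestamp, 0)); age < 0 || age > maxAge {
		return "", errors.New("counter-signature outside the acceptance window")
	}
	ns := ap.seal.NonceSize()
	if len(cs.Token) < ns {
		return "", errors.New("malformed token")
	}
	plain, err := ap.seal.Open(nil, cs.Token[:ns], cs.Token[ns:], nil)
	if err != nil || len(plain) < 16 {
		return "", errors.New("token was not issued by this service")
	}
	username := string(plain[16:])
	if subtle.ConstantTimeCompare(ap.issued[username], plain[:16]) != 1 {
		return "", errors.New("token not on file (revoked or already used)")
	}
	delete(ap.issued, username)
	return username, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// RunScenario plays the exchange on constructed data: a forged counter-signature (right blob,
// wrong key), a stale one, the genuine recovery, then a replay of the genuine message.
func RunScenario() (user string, forgeryRejected, staleRejected, replayRejected bool) {
	fbKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	sealKey := make([]byte, 32)
	must(rand.Read(sealKey))
	gh := &AccountProvider{seal: must(cipher.NewGCM(must(aes.NewCipher(sealKey)))), recoveryPub: &fbKey.PublicKey, issued: map[string][]byte{}}
	sealed := must(gh.IssueToken("alice")) // setup: the user, logged in to both, saves this at Facebook
	t0 := time.Now()
	forger := &RecoveryProvider{signKey: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))} // holds the blob, not Facebook's key
	_, forgeErr := gh.Redeem(must(forger.Recover(sealed, t0)), t0.Add(time.Second), 5*time.Minute)
	genuine := must((&RecoveryProvider{signKey: fbKey}).Recover(sealed, t0)) // the user has just re-authenticated
	_, staleErr := gh.Redeem(genuine, t0.Add(time.Hour), 5*time.Minute) // delivered far too late
	user = must(gh.Redeem(genuine, t0.Add(30*time.Second), 5*time.Minute))
	_, replayErr := gh.Redeem(genuine, t0.Add(time.Minute), 5*time.Minute)
	return user, forgeErr != nil, staleErr != nil, replayErr != nil
}
```

Three properties of the article’s description show up in the run: Facebook only ever handles an opaque blob and learns nothing about the GitHub account; a party that holds the blob but not Facebook’s signing key gets nowhere, because GitHub trusts only the published verification key; and GitHub checks the timestamp and consumes the token on first use, so a captured message cannot be delivered late or replayed.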
The recovery service is currently available only to GitHub users, in a limited rollout, and the protocol specification is published on GitHub for anyone who wants to review it or contribute. Facebook is asking the security community and its bug bounty participants for feedback before it releases open-source reference implementations in several languages. GitHub and Facebook will jointly pay bounties for security issues reported against the specification itself.
On what comes next, Hill adds:
Soon, we hope to open the ability for any service to improve its account recovery experience using Facebook. We also want to offer the ability for people to use other accounts, such as a GitHub account, to help you recover your access to Facebook.