Facebook attempts to improve account security across the web, starting with the release of Delegated Recovery.
The only thing more frustrating than forgetting your password? Resetting it.
Between searching your spam folder for a reset link and trying to find a password you haven’t used before, current methods of resecuring your accounts are neither convenient nor particularly secure. But Facebook is looking to change that. At Monday’s USENIX Enigma Conference, Facebook security engineer Brad Hill announced that the social media giant had launched an account recovery feature dubbed Delegated Recovery.
Debuting with a GitHub partnership, Facebook essentially hopes to take the place of your email account as your identity-management hub. This, the social media giant says, is safer than email, which has no end-to-end security guarantee, and often the “security questions” you have to answer tend to be “inconvenient and risky.”
So now, “Facebook will let users set up encrypted recovery tokens for sites like GitHub, and if a user ever loses access to her GitHub account, she will send the stored token from her Facebook profile back to GitHub, proving her identity and unlocking her account,” the company explained in a blog post. “Encryption of the token provides privacy — Facebook can’t read the information stored in the token, and it won’t share information about your identity with third-party websites.”
Beginning Tuesday, you can use your Facebook account to provide additional authentication as part of the recovery process at GitHub. In order to do so, you’ll have to save a recovery token with your Facebook account, which will be encrypted so Facebook can’t access your personal data.
“If you ever need to recover your GitHub account, you can reauthenticate to Facebook and we will send the token back to GitHub with a time-stamped counter-signature,” the company explained. “Facebook doesn’t share your personal data with GitHub, either; they only need Facebook’s assertion that the person recovering is the same who saved the token, which can be done without revealing who you are.”
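The recovery step described above, seen from the account provider's side, as an added example that is not Facebook's or GitHub's code: it checks the time-stamped counter-signature, then its own token, before releasing the still-encrypted data. HMAC-SHA256 with shared keys stands in for the signatures because the Python standard library has no public-key signing; the function names, byte layout, 300-second window and single-use rule are assumptions, and the token payload is constructed.

```python
# Added illustration: names, byte layout and the HMAC stand-in are assumptions,
# not the real wire format of Delegated Recovery.
import hashlib
import hmac
import os
import struct

MAX_AGE = 300   # assumed freshness window (seconds) for the counter-signature
TAG = 32        # HMAC-SHA256 output length
ID = 16         # length of the random token identifier

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def issue_token(account_key, sealed_data):
    """Account provider: authenticate an already-encrypted blob before handing it over."""
    body = os.urandom(ID) + sealed_data
    return body + _mac(account_key, body)

def countersign(recovery_key, token, now):
    """Recovery provider: bind the opaque token to the re-authentication time."""
    stamped = struct.pack(">Q", int(now)) + token
    return stamped + _mac(recovery_key, stamped)

def verify_recovery(recovery_key, account_key, message, now, used_ids):
    """Account provider: return the sealed blob only if every check passes."""
    if len(message) < 8 + ID + 2 * TAG:
        raise ValueError("truncated message")
    stamped, sig = message[:-TAG], message[-TAG:]
    if not hmac.compare_digest(sig, _mac(recovery_key, stamped)):
        raise ValueError("bad counter-signature")
    (ts,) = struct.unpack(">Q", stamped[:8])
    if not 0 <= now - ts <= MAX_AGE:
        raise ValueError("stale or future-dated counter-signature")
    body, tag = stamped[8:-TAG], stamped[-TAG:]
    if not hmac.compare_digest(tag, _mac(account_key, body)):
        raise ValueError("token was not issued by this provider")
    token_id = body[:ID]
    if token_id in used_ids:          # assumed single-use rule
        raise ValueError("token already redeemed")
    used_ids.add(token_id)
    return body[ID:]

if __name__ == "__main__":
    acct_key, rec_key = os.urandom(32), os.urandom(32)    # constructed keys
    token = issue_token(acct_key, b"constructed-ciphertext")
    msg = countersign(rec_key, token, now=1_000)
    print(verify_recovery(rec_key, acct_key, msg, now=1_030, used_ids=set()))
```

The recovery provider only ever handles `token` as opaque bytes, which is the privacy property the quote describes.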
Delegated Recovery is part of Facebook’s larger effort to improve account security, not only on its own site, but across the web.
“We’re building this and giving it away because recovery is a problem every online service shares,” Hill said. “Recovery isn’t a product, it’s a foundation. Secure access is the foundation on which we build all our other products.”