Facebook has introduced a new way for users to recover lost accounts on third-party services, known as delegated recovery. The feature launches first with GitHub, and Facebook plans to extend it to other third-party services depending on how well it works there. Users can recover a lost GitHub account by verifying their identity with Facebook, instead of through an e-mail address or phone number.
Facebook has published the delegated recovery protocol specification on GitHub, and both Facebook and GitHub intend to release open source reference implementations in several programming languages for developers. Facebook plans eventually to open the account recovery mechanism to any third-party service, and also wants to let users recover a lost Facebook account through an account at a third-party service such as GitHub.
This is how delegated recovery works. The user sets up recovery in advance: GitHub generates a recovery token on request, and the user saves it to their Facebook account. The token's contents are encrypted, so Facebook stores it as an opaque blob and cannot read it. Neither service learns personal information about the user's account at the other; each only confirms that the person exercising the token is the person who saved it. If the GitHub account is lost, the user re-authenticates to Facebook, and Facebook returns the saved token to GitHub with a timestamped counter-signature. GitHub checks Facebook's signature and the timestamp, then decrypts the token to identify the account to recover. The entire exchange takes place in the browser over HTTPS and requires only a few clicks.
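The exchange above, as an added example in Go that is not Facebook's or GitHub's published code. It models both sides of the protocol: an AccountProvider (standing in for GitHub) seals the account identity under an AES-GCM key that only it holds, a RecoveryProvider (standing in for Facebook) stores the opaque token and, after the user re-authenticates, counter-signs it together with a timestamp using an ECDSA P-256 key, and the account provider then verifies the counter-signature, enforces a freshness window, and opens the token. The type and function names, the length-prefixed framing, the in-memory store, and the five-minute window are assumptions made for this example; the real specification signs the token with the account provider's key and carries additional metadata (token id, issuer, audience, issue time) that is omitted here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

const maxSkew = 5 * time.Minute // how old a counter-signature may be before GitHub rejects it

// AccountProvider stands in for GitHub; its AES-GCM key never leaves GitHub, so Facebook can store tokens but not read them.
type AccountProvider struct{ aead cipher.AEAD }

// RecoveryProvider stands in for Facebook: it keeps the opaque tokens users saved.
type RecoveryProvider struct {
	sign  *ecdsa.PrivateKey
	store map[string][]byte // Facebook user -> saved token (assumed in-memory store)
}

func NewAccountProvider() *AccountProvider {
	key := make([]byte, 32)
	rand.Read(key)                  // crypto/rand.Read never returns an error on supported platforms
	block, _ := aes.NewCipher(key)  // a 32-byte key is always valid for AES-256
	aead, _ := cipher.NewGCM(block) // AES's 16-byte block is what GCM requires
	return &AccountProvider{aead: aead}
}

func NewRecoveryProvider() (*RecoveryProvider, error) {
	sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &RecoveryProvider{sign: sk, store: map[string][]byte{}}, err
}

// frame prefixes a with its 16-bit length and appends b; unframe splits them again.
func frame(a, b []byte) []byte {
	out := make([]byte, 2, 2+len(a)+len(b))
	binary.BigEndian.PutUint16(out, uint16(len(a)))
	return append(append(out, a...), b...)
}

func unframe(buf []byte) ([]byte, []byte, error) {
	if len(buf) >= 2 {
		if n := 2 + int(binary.BigEndian.Uint16(buf)); len(buf) >= n {
			return buf[2:n], buf[n:], nil
		}
	}
	return nil, nil, errors.New("truncated message")
}
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// IssueToken is the setup step: GitHub seals the account identity as nonce || ciphertext || tag for the user to save at Facebook.
func (ap *AccountProvider) IssueToken(userID string) []byte {
	nonce := make([]byte, ap.aead.NonceSize()) // fresh random nonce per token
	rand.Read(nonce)
	return ap.aead.Seal(nonce, nonce, []byte(userID), nil)
}

// Save stores the opaque token against the Facebook user who saved it.
func (rp *RecoveryProvider) Save(fbUser string, token []byte) { rp.store[fbUser] = token }

// Countersign runs once fbUser has re-authenticated to Facebook: it binds the saved token to the current time under Facebook's key.
func (rp *RecoveryProvider) Countersign(fbUser string, now time.Time) ([]byte, error) {
	token, ok := rp.store[fbUser]
	if !ok {
		return nil, errors.New("no recovery token saved for this user")
	}
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(now.Unix()))
	body := frame(token, ts)
	sig, err := ecdsa.SignASN1(rand.Reader, rp.sign, digest(body))
	return frame(body, sig), err
}

// Recover is GitHub's side: check Facebook's counter-signature and timestamp, then open the token, which succeeds only if GitHub sealed it.
func (ap *AccountProvider) Recover(msg []byte, rpPub *ecdsa.PublicKey, now time.Time) (string, error) {
	body, sig, err := unframe(msg)
	if err != nil || !ecdsa.VerifyASN1(rpPub, digest(body), sig) {
		return "", errors.New("counter-signature is not from the recovery provider")
	}
	token, ts, err := unframe(body)
	ns := ap.aead.NonceSize()
	if err != nil || len(ts) != 8 || len(token) < ns+ap.aead.Overhead() {
		return "", errors.New("malformed counter-signed token")
	}
	if d := now.Sub(time.Unix(int64(binary.BigEndian.Uint64(ts)), 0)); d > maxSkew || d < -maxSkew {
		return "", errors.New("counter-signature timestamp outside the allowed window")
	}
	plain, err := ap.aead.Open(nil, token[:ns], token[ns:], nil)
	if err != nil {
		return "", errors.New("token was not issued by this account provider")
	}
	return string(plain), nil
}
```

The order of checks in Recover is deliberate: the recovery provider's counter-signature is verified before anything inside the message is trusted, the timestamp window stops a captured counter-signed token from being replayed later, and the AES-GCM tag check on open means a token sealed by another account provider, or a token that was modified while stored at the recovery provider, yields no account at all.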
Security questions are risky because anyone who knows the individual personally may be able to answer them. Giving fake answers avoids that but makes the questions inconvenient, since the user must remember the fake answers. Re-using the same questions and answers across accounts means that one compromise exposes them all. Recovery e-mails and SMS are dated, do not provide end-to-end security, and are becoming less reliable as the next wave of internet users comes online. Facebook hopes delegated recovery addresses these problems. Facebook and GitHub will jointly pay bounties for security issues found in the delegated recovery protocol.
The announcement follows close on the heels of Facebook adding support for physical USB security keys as a second login factor on its own accounts. GitHub already supports logging in with such keys. The keys implement the U2F standard developed by Google and Yubico.