Facebook Launches Delegated Recovery Feature
How many times have you gone to log in to an online account and realized you had forgotten the password you created? Most sites have you use a recovery method: click the 'forgot password' link and they send you an email with instructions to create a new password. Unfortunately this method is not safe. Yahoo has proven this to us a couple of times.
The problem lies in how easy it is to compromise an email account. If someone hacks your email account, they can take over every online account that uses this kind of recovery system. All they have to do is tell the website to email the recovery instructions to the address they now control. They change the password to something they know and, boom, they own your online presence and can do whatever they want.
Facebook understands these risks and has developed a new feature called "Delegated Recovery". It is a protocol that lets an application delegate account-recovery permission to a third-party account controlled by the same user. The process takes only a few seconds and runs over encrypted HTTPS links.
Delegated Recovery is available to GitHub users for account recovery. They can set up encrypted recovery tokens in advance and save them to their Facebook account; if they ever lose access to GitHub, they re-authenticate to Facebook and request the stored token.
The user asks Facebook to send the stored token back to GitHub with a time-stamped signature, which proves their identity and lets them regain access to their account securely. Facebook cannot read the personal data in the token because the token is encrypted. The feature will be especially helpful for users who have lost the physical tokens or keys they use as a second factor of authentication, such as a smartphone.
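To make the flow above concrete, here is an added example (not Facebook's or GitHub's code, and not the real Delegated Recovery implementation) that models the two roles: an account provider that issues an opaque encrypted token it alone can read, and a recovery provider that stores the token and later returns it with a time-stamped countersignature. The real protocol uses public-key signatures and a proper cipher; this stand-alone model substitutes HMAC-SHA256 for both so it runs with only the Python standard library, and all names, users and key values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256 (a constructed stand-in
    # for the real protocol's encryption, chosen so the example needs no extra libraries).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class AccountProvider:
    """The site whose account gets recovered (GitHub's role in the article)."""

    def __init__(self):
        self.enc_key = os.urandom(32)   # only this side can read token contents
        self.mac_key = os.urandom(32)   # authenticates tokens this side issued
        self.issued = {}                # token_id -> user
        self.used = set()               # token_ids already redeemed (one-time use)

    def create_recovery_token(self, user: str) -> bytes:
        """Issue an opaque token laid out as nonce || ciphertext || HMAC tag."""
        token_id = os.urandom(16).hex()
        plaintext = json.dumps({"user": user, "token_id": token_id}).encode()
        nonce = os.urandom(16)
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(self.enc_key, nonce, len(plaintext))))
        body = nonce + ciphertext
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        self.issued[token_id] = user
        return body + tag

    def recover(self, envelope: dict, verify_key: bytes, now=None, max_age: int = 300):
        """Check a returned token; return the recovered user, or None on any failure."""
        now = int(time.time()) if now is None else now
        ts = envelope["timestamp"]
        token = base64.b64decode(envelope["token"])
        # 1. Freshness: the recovery provider's timestamp must be recent (small skew allowed).
        if ts > now + 60 or now - ts > max_age:
            return None
        # 2. Countersignature from the recovery provider over token || timestamp.
        expected = hmac.new(verify_key, token + ts.to_bytes(8, "big"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["signature"]):
            return None
        # 3. Our own integrity tag, proving we issued this exact token.
        body, tag = token[:-32], token[-32:]
        if not hmac.compare_digest(hmac.new(self.mac_key, body, hashlib.sha256).digest(), tag):
            return None
        # 4. Decrypt, then enforce one-time use so a captured envelope cannot be replayed.
        nonce, ciphertext = body[:16], body[16:]
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext))))
        data = json.loads(plaintext)
        if data["token_id"] in self.used or self.issued.get(data["token_id"]) != data["user"]:
            return None
        self.used.add(data["token_id"])
        return data["user"]


class RecoveryProvider:
    """The site that holds the opaque token (Facebook's role in the article)."""

    def __init__(self):
        self.sign_key = os.urandom(32)  # stands in for the protocol's signing key pair
        self.vault = {}                 # account -> stored token (ciphertext only)

    def save_token(self, account: str, token: bytes) -> None:
        self.vault[account] = token

    def release_token(self, account: str, now=None) -> dict:
        """After the user re-authenticates, hand the token back with a time-stamped signature."""
        ts = int(time.time()) if now is None else now
        token = self.vault[account]
        sig = hmac.new(self.sign_key, token + ts.to_bytes(8, "big"), hashlib.sha256).hexdigest()
        return {"token": base64.b64encode(token).decode(), "timestamp": ts, "signature": sig}


def run_flow() -> dict:
    """Setup, then a stale attempt, a tampered attempt, a good recovery and a replay."""
    github, facebook = AccountProvider(), RecoveryProvider()
    token = github.create_recovery_token("alice")   # constructed user, set up in advance
    facebook.save_token("alice-fb", token)           # stored opaquely at the recovery provider

    stale = facebook.release_token("alice-fb", now=int(time.time()) - 1000)
    tampered = facebook.release_token("alice-fb")
    raw = bytearray(token)
    raw[20] ^= 1                                     # flip one ciphertext byte in transit
    tampered["token"] = base64.b64encode(bytes(raw)).decode()
    good = facebook.release_token("alice-fb")

    return {
        "provider_cannot_read": b"alice" not in token,
        "stale_rejected": github.recover(stale, facebook.sign_key) is None,
        "tampered_rejected": github.recover(tampered, facebook.sign_key) is None,
        "recovered_user": github.recover(good, facebook.sign_key),
        "replay_rejected": github.recover(good, facebook.sign_key) is None,
    }


if __name__ == "__main__":
    print(run_flow())
```

The checks happen in the order a verifier should apply them: reject stale or badly signed envelopes before touching the token, verify that the account provider itself issued the token, and only then decrypt and mark it spent. The recovery provider never holds the decryption key, which is the property the article attributes to Facebook's role.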
Facebook has placed Delegated Recovery in its bug bounty program, inviting security researchers and bug hunters to test it. Facebook has also asked the hacker and security communities to report bugs, make suggestions and give feedback on the new feature.
Delegated Recovery is open source, so third-party sites can implement it. At the time of writing, the service is only available for GitHub.
For more stories like this one, listen to the TCOP Daily Podcast and signup for the TCOP Daily Newsletter!
Photo Credit: www.digitaltrends.com