Forgot your password? Facebook aims to replace websites' email and security questions...

midian182

Staff member

After recently allowing users to register physical security keys with their Facebook accounts, the social network has introduced another account-security tool, but this one is designed with other websites in mind.

At the USENIX Enigma conference yesterday, Facebook security engineer Brad Hill announced Delegated Recovery, a feature that lets users regain access to online accounts without relying on email or security questions, both of which are weak links: an attacker who controls the inbox, or who can guess or look up the answers, can take over the account.

Delegated Recovery works by letting a participating site (at the moment only GitHub) issue an encrypted recovery token that the user saves to their Facebook account ahead of time. Should they later lose access to their login credentials, they log in to Facebook, which returns the stored token to the site in question; because only that site can decrypt the token, and Facebook has vouched for the person who retrieved it, the site can restore access.

"We need something better -- a way to recover access, using identities and services you trust, regardless of whether they are associated with an email address or a phone number," wrote Hill.

Facebook says it cannot read the contents of the token, since the issuing site encrypts it, and the company says it will not share identity information with third-party websites other than those a user has authorized.
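The token flow the two paragraphs above describe, as an added example that is not Facebook's or GitHub's code and does not follow the published Delegated Recovery message format: the site (called AccountProvider here) seals a token with AES-GCM under a key only it holds, the service the user trusts (RecoveryProvider, Facebook in the article) stores the opaque bytes, and when the user comes back and re-authenticates it countersigns them with an ECDSA key and hands them back; the site checks the countersignature and its freshness, opens the token with its own key, and consumes the token id so a captured copy cannot be replayed. The type names, the AEAD context string, the five-minute freshness window and the choice of AES-GCM and P-256 ECDSA are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

const aad = "delegated-recovery-example-v0" // assumed AEAD context string, not from the spec

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // failing key or nonce generation is unrecoverable for this demo
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

type AccountProvider struct {
	aead   cipher.AEAD         // AES-GCM under a key that never leaves the site
	issued map[[16]byte]string // outstanding token id -> account
}

type RecoveryProvider struct {
	signKey *ecdsa.PrivateKey
	vault   map[string][]byte // recovery-provider user id -> sealed token
}

func NewAccountProvider() *AccountProvider {
	aead := must(cipher.NewGCM(must(aes.NewCipher(randBytes(32)))))
	return &AccountProvider{aead: aead, issued: map[[16]byte]string{}}
}

func NewRecoveryProvider() *RecoveryProvider {
	k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return &RecoveryProvider{signKey: k, vault: map[string][]byte{}}
}

// IssueToken seals {random id || account}; only nonce||ciphertext||tag leaves the site.
func (ap *AccountProvider) IssueToken(account string) []byte {
	id := *(*[16]byte)(randBytes(16))
	ap.issued[id] = account
	nonce := randBytes(ap.aead.NonceSize())
	return ap.aead.Seal(nonce, nonce, append(id[:], account...), []byte(aad))
}

// Store keeps the sealed token for a logged-in user; it cannot be opened here.
func (rp *RecoveryProvider) Store(user string, sealed []byte) { rp.vault[user] = sealed }

// countersignDigest binds the opaque token to the time it was released.
func countersignDigest(token []byte, ts int64) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%x", ts, token)))
	return sum[:]
}

// Recover runs after the user re-authenticates here and returns the stored token countersigned.
func (rp *RecoveryProvider) Recover(user string, now time.Time) (token, sig []byte, ts int64, err error) {
	token, ok := rp.vault[user]
	if !ok {
		return nil, nil, 0, errors.New("no recovery token stored for this user")
	}
	ts = now.Unix()
	sig, err = ecdsa.SignASN1(rand.Reader, rp.signKey, countersignDigest(token, ts))
	return token, sig, ts, err
}

// Redeem checks freshness and the countersignature, opens the token with the site's own key,
// and consumes the id so a captured token cannot be replayed.
func (ap *AccountProvider) Redeem(rpPub *ecdsa.PublicKey, token, sig []byte, ts int64, now time.Time) (string, error) {
	if d := now.Unix() - ts; d > 300 || d < -60 { // assumed 5 min window, 60 s clock skew
		return "", errors.New("countersignature timestamp outside window")
	}
	ns := ap.aead.NonceSize()
	if len(token) < ns || !ecdsa.VerifyASN1(rpPub, countersignDigest(token, ts), sig) {
		return "", errors.New("countersignature invalid")
	}
	plain, err := ap.aead.Open(nil, token[:ns], token[ns:], []byte(aad))
	if err != nil || len(plain) < 16 {
		return "", errors.New("token not issued by this site or tampered with")
	}
	id := *(*[16]byte)(plain)
	if account, ok := ap.issued[id]; ok && account == string(plain[16:]) {
		delete(ap.issued, id)
		return account, nil
	}
	return "", errors.New("token already redeemed or revoked")
}
```

Driving the exchange: the site calls IssueToken and hands the bytes to the recovery provider's Store at setup time; after the user re-authenticates, Recover returns the token, the countersignature and a timestamp, which the site passes to Redeem together with the recovery provider's public key. A second Redeem of the same token fails because its id has been deleted, a token altered while in storage fails AES-GCM authentication, and a countersignature made with any other key, or presented outside the window, is refused. The recovery provider never learns the account name, which is the property the article attributes to the encryption.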

The system also covers the case of losing a device used for two-factor authentication, since the recovery path does not depend on it. “No matter what kind of site you are, you have to deal with the issue that someone will lose their password or their token. We can get you back into your account even if you drop your phone off the boat,” Hill told TechCrunch.

Delegated Recovery is available in a limited trial with GitHub and is in scope for Facebook’s bug bounty program, so researchers who find vulnerabilities in it can report them for a reward. The protocol is being open-sourced so that other websites can implement it.

We’ll have to wait and see how many people use Delegated Recovery, but it’s safe to say that email-based recovery and existing 2FA methods aren’t going to disappear overnight. And anyone who comes to rely on it had best make sure they don't forget their Facebook password.

I think a better solution is to open up the Google account login to more sites, even on Facebook. That way you only need to remember that one password, could have 2-step authentication (and multiple login steps) even if the other site doesn't have it, and so on and so forth. I don't think there is a more secure standard than Google's at the moment.
 
> I think a better solution is to open up the Google account login to more sites, even on Facebook. That way you only need to remember that one password, could have 2-step authentication (and multiple login steps) even if the other site doesn't have it, and so on and so forth. I don't think there is a more secure standard than Google's at the moment.
You can use Google Authenticator on a whole host of sites if you want the added peace of mind of 2FA. This site being one of them. I'm afraid FB just can't be caught dead using Google's app; they have to design and implement their own. It's one of those things that I'm sure you understand.
 
That's why I said "to more sites". Sure, there are a bunch already, but there's a whole bigger bunch that don't yet.