After recently allowing users to register physical security keys to their Facebook accounts, the social network has just introduced a new online safety tool, but this one is designed with other websites in mind.
At the USENIX Enigma conference yesterday, Facebook security engineer Brad Hill announced Delegated Recovery, a feature that lets users regain access to online accounts without relying on emails or security questions, both of which can be insecure.
Delegated Recovery works by allowing Facebook members to set up encrypted recovery tokens for any sites that support the feature, which at the moment is only Github. Should someone forget their login credentials, they simply access Facebook and send the stored token back to the website in question, thereby proving their identity.
"We need something better -- a way to recover access, using identities and services you trust, regardless of whether they are associated with an email address or a phone number," wrote Hill.
Facebook says it can’t access the information on the token as it’s encrypted, and the company assures people it will not share identity information with third-party websites, other than those authorized by users .
Another benefit of this system is that it removes the worry of losing a device used for two-factor authentication. “No matter what kind of site you are, you have to deal with the issue that someone will lose their password or their token. We can get you back into your account even if you drop your phone off the boat,” Hill told TechCrunch.
Delegated Recovery is available in a limited trial with Github and is part of Facebook’s bug bounty program, so any potential vulnerabilities should be sniffed out by security researchers. It’s being open-sourced for other websites to join the service.
We’ll have to wait and see many people use Delegated Recovery, but it’s safe to say that the email and 2FA methods aren’t going to disappear overnight. And anyone who comes to rely on it best make sure they don't forget their Facebook password.