Today, at the USENIX Enigma conference, Facebook engineers announced a new mechanism for recovering access to lost online accounts, which relies on the cooperation between different online services.
Called Delegated Recovery, Facebook engineers created a protocol that allows one online service to vouch for a user on another website. This new protocol works like this:
- User Bob has an account on Facebook and GitHub.
- Bob generates a recovery token with GitHub.
- Bob saves the GitHub recovery token inside his Facebook account.
- Bob loses access to his GitHub account.
- Bob recovers his GitHub account using the recovery token stored in his Facebook account.
According to Facebook, the recovery token is encrypted and no online service that temporarily stores these tokens can read them.
Furthermore, the token also features a time-stamped counter-signature and the issuing service can always tell if someone tampered with the original token.
“This can happen in just a few clicks in your browser, all over HTTPS,” said Brad Hill, a security engineer at Facebook, about the new Delegate Recovery mechanism.
Delegated Recovery is better than email recovery and secret questions
Facebook engineers claim this system is a much more appropriate solution to modern day account recovery operations, compared to those that rely on secret questions, email addresses, or phone numbers.
The new Delegate Recovery mechanism is currently under testing by Facebook and GitHub.
Facebook has also published the protocol at the base of this new mechanism in a GitHub repository, and together with GitHub’s staff plan to release a series of open-source libraries in various programming languages to assist other online services in implementing Delegate Recovery in their user authentication systems.
Facebook adds support for U2F security keys
Last week, Facebook also added support for Universal 2nd Factor (U2F) security keys, which are cryptographic tokens stored on special USB keys.
These U2F security keys allow a user to plug a USB stick in their device and automatically log into Facebook without entering a password.