Delegated Recovery: Facebook gives its security a boost
Traditional 2-factor authentication (2FA) is all about your phone or a physical token. But what happens when you lose your mobile phone or the physical token? Then you’ll have to contact Customer Service and the troubles will start as you work to get account access again. Now there is a new option. Facebook has a smart way to reduce the effort it takes to recover access to your account with a new twist on 2-factor authentication: Delegated Recovery.
So what’s the difference with Delegated Recovery?
The main principles of Facebook’s Delegated Recovery feature are the same as for 2-factor or multi-factor authentication. You’ll have to confirm your identity by combining two or more different components. But there is a difference! While the classic 2-factor authentication is primarily based on access to your mobile phone or a physical token, Delegated Recovery will store the digital token of one of your third party accounts – directly on Facebook. At this very moment, this just works with GitHub since Delegated Recovery is in a beta phase. During this time, Facebook is collecting feedback from the GitHub security community, including participants in their bug bounty program.
Wait! Third party accounts? Where’s my data going?
No worries, it’s not going anywhere. First of all, on Facebook you will have to save the recovery token which you’ve created in the settings of your third party (in this case GitHub) account. This token will be encrypted, which means Facebook will not be able to read your personal GitHub information at all! Facebook also doesn’t share your personal data with GitHub. To recover access to a GitHub account they just need to know: “Hey, this person is the person who should have access to this GitHub account.” Since you’ve just saved the encrypted token to your Facebook account, there’s no need to share your real Facebook identity.
Murphy’s law strikes: You’ve lost access to your GitHub account.
Of course, now you had to lose access to your GitHub account and need to recover it. Re-authenticate with Facebook, they will send a token to GitHub with a “time-stamped counter-signature,” et voilá: You’ll be able to login to GitHub again.
Interested in this method? It’s open source! Well… soon…
Facebook has also published the specs for its Delegated Recovery feature – how surprising – on GitHub. They’re even planning to publish a reference implementation of the protocol in several programming languages to speed up implementation of their service. How cool’s that?
Would you implement this feature on your website? Or better yet, would you use it at all? Share with us your thoughts in the comments.