Facebook’s Delegated Account Recovery, a protocol that allows applications to delegate account recovery permission to third-party applications, entered its beta phase today with the release of SDKs and additional support for new platforms.
The feature has been running on a trial basis since late January with GitHub being the first service to adopt the protocol. Today, at the F8 developer conference in San Jose, Calif., Facebook announced it was publishing software development kits, documentation and sample apps for Java and NodeJS server platforms, while GitHub simultaneously published its SDK for Ruby.
“Developers can use these resources to build a recovery flow that integrates with their application, and they can try it out immediately with test users,” said Facebook Security Engineer Brad Hill in a statement.
Delegated Account Recovery forgoes the need for a user to remember and answer security questions or request PINs via SMS or email messages. Instead, an organization would create a recovery token in advance that is shared with the delegated third-party site. The token is encrypted and Facebook said it cannot access personal information. Facebook has positioned this option as an ideal alternative for a user who has lost their second form of authentication, be it a smart phone or physical security key.
“Instead of requesting user data at the outset, your business creates a recovery token linked to your identifier for the customer, and sends it to Facebook. We keep it safe and private until that person needs it. Think of it as giving a sealed envelope to a trusted friend. Facebook can’t see what’s inside; we just know we shouldn’t give it back to anyone but you,” Hill said. “When the need to recover access arises, Facebook will take the person through a re-authentication flow and then send the original sealed envelope back to the service that created it, with a new cryptographic signature from Facebook.”
Facebook said that developers choosing to use the protocol would have a means of authenticating a user and restoring access without needing to expose their personal information on Facebook or having Facebook know their identity on the respective service.
GitHub was Facebook’s first partner with this feature, and users who needed to recover their GitHub account were able to do so by authenticating with their Facebook accounts. The recovery token would in turn be sent from Facebook to GitHub time-stamped with a new cryptographic signature without the need to exchange information over email or share personal information of any kind.
Hill said Delegated Account Recovery also implements rate limiting to prevent potential abuses of the system and also limits recoveries of other accounts if a user’s Facebook account was recently recovered. The tokens are cryptographically protected, unlike plaintext emails so often used in current recovery schemes, Hill said.
“Plaintext email reset links tend to end up in many different places — from ad keyword extraction systems to e-discovery to spam and anti-virus scanners. Delegated recovery tokens don’t need to be seen by these systems, and they can’t be abused if they are incidentally disclosed,” Hill said. “The system is designed to be resilient even to large scale data dumps email and user databases that have become common. With independently held cryptographic keys needed to use them, recovery tokens offer a level of security that we don’t see from email.”
