Account recovery, the second fiddle to authentication, still largely hinges on insecure schemes such as security questions or email-based verification for password resets and the like.
Facebook today at the Enigma Conference in Oakland, Calif., offered a more modern solution called Delegated Recovery, a protocol that can be used to allow applications to delegate account recovery permissions to third-party accounts controlled by the same user.
Starting tomorrow, the service will be available to GitHub users for account recovery, the first service to adopt Delegated Recovery.
Facebook said the service will be particularly effective for users who have lost a smartphone, physical token or key used as a second factor of authentication.
“An email address alone can’t provide the same level of two-factor authentication to recover access,” said Facebook security engineer Brad Hill, “so starting Tuesday, you’ll be able to use your Facebook account to provide additional authentication as part of the recovery process at GitHub.”
The protocol behind the feature is available on Facebook’s GitHub page, and it says the rollout with GitHub is limited in the hopes of getting feedback from the security community and its bug bounty members. Facebook and GitHub are expected to publish open source reference implementation of the protocol in a number of language to satisfy numerous development efforts.
“Soon, we hope to open the ability for any service to improve its account recovery experience using Facebook. We also want to offer the ability for people to use other accounts, such as a GitHub account, to help you recover your access to Facebook,” Hill said. “Usable security must cover all the ways we access our accounts, including when we need to recover them. We hope this solution will improve both the security and the experience when people forget a password or lose their phone and need to get back into their accounts.”
Rather than relying on security questions, SMS codes or email messages, Delegated Recovery relies only on the exchange of a recovery token, which must be created in advance. Hill said the token is encrypted and Facebook cannot access any personal information.
“If you ever need to recover your GitHub account, you can re-authenticate to Facebook and we will send the token back to GitHub with a time-stamped counter-signature,” Hill said. “Facebook doesn’t share your personal data with GitHub, either; they only need Facebook’s assertion that the person recovering is the same who saved the token, which can be done without revealing who you are.”
GitHub application security engineer Neil Matatall provided step-by-step instructions for initiating and storing a token in advance, and how to initiate the recovery process through Facebook.
“GitHub only stores the token ID, user ID, and token state. Facebook only stores a token with an encrypted secret that is associated with a Facebook account and does not become valid until it’s used in a recovery,” Matatall said. “This process helps limit the impact of database dumps and SQL injection vulnerabilities without an additional compromise of the encryption and signing keys.”