Facebook has taken yet another step to make itself indispensable: It will now start to let its 1.79 billion users reset passwords for other websites using its platform. The option is available starting with GitHub.
The technology, which the social network calls “delegated account recovery,” functions much like the increasingly prevalent “login with Facebook” plugin now seen across websites as an alternative to creating site-specific credentials. In this case, if a user loses access to the phone number or security keys she uses at a third-party website, she can use her Facebook account to provide additional authentication as part of the recovery process.
Users will need to set up this method in advance by saving a recovery token with their Facebook account; the token is encrypted so Facebook can't read the personal information it contains. If users need to recover their participating third-party accounts, they re-authenticate to Facebook, which then sends the token back to the third party with a time-stamped counter-signature. That counter-signature is Facebook's assertion that the person recovering the account is the same one who saved the token, and it can be made without revealing who the user is.
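To make the flow concrete, here is an added simulation of the exchange just described: a relying party (the GitHub role) seals a recovery token that the recovery provider (the Facebook role) stores without being able to read, and later hands back with a time-stamped counter-signature that the relying party checks for authenticity, freshness and single use. This is example code written for this article, not Facebook's or GitHub's implementation of the published protocol. Two simplifications are assumptions: an HMAC over a key shared between the two parties stands in for the provider's signature, and an HMAC-derived keystream plus HMAC tag stands in for the relying party's authenticated encryption (the real protocol uses public-key signatures and standard AEAD ciphers).

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed illustration of delegated account recovery; not Facebook's or
# GitHub's code. Assumed simplifications: shared-key HMAC instead of a real
# signature, HMAC-derived keystream + HMAC tag instead of a standard AEAD.

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC: whoever stores the result learns nothing about it."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, sealed):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = sealed[:NONCE_LEN], sealed[NONCE_LEN:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("recovery token tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class RecoveryProvider:
    """The Facebook role: stores opaque tokens, counter-signs them on recovery."""

    def __init__(self, countersign_key):
        self.countersign_key = countersign_key
        self.vault = {}  # provider user -> list of sealed tokens (ciphertext only)

    def save_token(self, user, sealed):
        self.vault.setdefault(user, []).append(sealed)

    def recover(self, user, reauthenticated, now=None):
        if not reauthenticated:
            raise PermissionError("user must re-authenticate to the provider first")
        sealed = self.vault[user][-1]
        ts = now if now is not None else int(time.time())
        # The counter-signature binds the stored token to the moment of recovery.
        sig = hmac.new(self.countersign_key, sealed + ts.to_bytes(8, "big"), hashlib.sha256).digest()
        return {"token": sealed.hex(), "ts": ts, "sig": sig.hex()}


class RelyingParty:
    """The GitHub role: issues tokens and verifies what the provider returns."""

    def __init__(self, provider_countersign_key, max_age=300):
        self.token_key = secrets.token_bytes(32)
        self.provider_key = provider_countersign_key
        self.max_age = max_age  # seconds a counter-signature stays acceptable
        self.issued = {}        # token id -> account it was issued for
        self.used = set()       # token ids already redeemed

    def issue_recovery_token(self, account):
        token_id = secrets.token_hex(16)
        self.issued[token_id] = account
        payload = json.dumps({"id": token_id, "account": account}).encode()
        return seal(self.token_key, payload)

    def verify_recovery(self, msg, now=None):
        sealed, ts = bytes.fromhex(msg["token"]), int(msg["ts"])
        expected = hmac.new(self.provider_key, sealed + ts.to_bytes(8, "big"), hashlib.sha256).digest()
        if not hmac.compare_digest(bytes.fromhex(msg["sig"]), expected):
            raise ValueError("bad counter-signature")
        current = now if now is not None else int(time.time())
        if not 0 <= current - ts <= self.max_age:
            raise ValueError("counter-signature timestamp outside acceptance window")
        payload = json.loads(unseal(self.token_key, sealed))
        token_id = payload["id"]
        if token_id in self.used or self.issued.get(token_id) != payload["account"]:
            raise ValueError("unknown or already-used recovery token")
        self.used.add(token_id)  # single use: a replayed message is rejected
        return payload["account"]


def demo():
    shared = secrets.token_bytes(32)  # stand-in for the provider's signing key
    provider, rp = RecoveryProvider(shared), RelyingParty(shared)
    sealed = rp.issue_recovery_token("alice")   # setup, done in advance
    provider.save_token("alice@provider", sealed)
    msg = provider.recover("alice@provider", reauthenticated=True)
    return rp.verify_recovery(msg)               # -> "alice"
```

The provider's vault holds only ciphertext, so it cannot learn which account the token belongs to; the relying party, in turn, relies on the counter-signature and its timestamp rather than on anything the user types, and marks each token id as spent so a captured recovery message cannot be replayed.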
“This is part of a larger story of industry investment and innovation around improving, and perhaps even replacing, the password,” said Brad Hill, security engineer at Facebook, in a post. “The truth is, technologies for login authentication like FIDO are only half of the story needed to keep accounts secure. The other half is account recovery—specifically, how do you regain access to your account if you lose your password, phone or security key? An email address alone can't provide the same level of two-factor authentication to recover access.”
The first site to sign onto the scheme is GitHub, a collaborative software development platform that hosts some of the most popular software in the world, including Facebook's own open source projects like React and osquery. GitHub maintains direct control of how it authenticates its users, how it assesses password strength and other risk signals, and how it deploys a diverse set of two-factor authentication methods.
“We're releasing this feature in a limited fashion with GitHub so we can get feedback from the security community, including participants in our bug bounty programs,” said Hill. “Not only will our implementation be immediately in-scope for our bounty programs, but Facebook and GitHub will jointly reward security issues reported against the specification itself, according to our impact criteria.”
Facebook would like to see more services adopt this account recovery design, and has published the protocol behind the feature on its open source site at GitHub. Both Facebook and GitHub plan to publish open source reference implementations of the protocol in various programming languages as well.
This is the latest in a series of security moves by the internet giant. Last week, Facebook announced support for U2F Security Keys, to help keep accounts secure with a second-factor authentication feature called login approvals.