Most of the noise in the account security world revolves around passwords and two-factor authentication for accessing your accounts, but we hardly see any movement on the account recovery process. Facebook believes that the current standard of recovery — sending a reset token to your email address — isn’t going to cut it in the future.
And so, they’re looking to reinvent the wheel. Their proposal is to let them be the account recovery tool instead of your email, so instead of clicking a link in an email, Facebook will do the heavy lifting over fully secured HTTPS connections.
The way it’d work is you would save an account recovery token with Facebook, who, by the way, won’t be able to see what it is. Then, if you ever need to recover your account password, simply log in with your Facebook account and have the service you’re using receive the token. They’ll then whisk you in and allow you to change the password.
Facebook will first test the feature with GitHub in order to gather feedback, and here’s how it’ll work:
You’ll need to set up this method in advance by saving a recovery token with your Facebook account. A recovery token is encrypted so Facebook can’t read your personal information. If you ever need to recover your GitHub account, you can re-authenticate to Facebook and we will send the token back to GitHub with a time-stamped counter-signature. Facebook doesn’t share your personal data with GitHub, either; they only need Facebook’s assertion that the person recovering is the same who saved the token, which can be done without revealing who you are.
This method ensures GitHub gets no information about you that they don’t need, and also still offers full control over their own authentication tracks.
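To make the flow above concrete, here is an added simulation (not Facebook's or GitHub's code) of the two roles: the account provider issues an opaque token that carries no personal data and keeps the user binding server-side, the recovery provider stores the token without interpreting it and, after the user re-authenticates, hands it back with a time-stamped countersignature, and the account provider checks signature, freshness, token integrity and single use before recovering the account. For a stdlib-only demo the countersignature is modelled as an HMAC under a key shared with the account provider (an assumption standing in for the public-key signature a real deployment would use), and the token's opacity comes from a random identifier plus a MAC rather than encryption.

```python
import hmac, hashlib, secrets
from typing import Optional

# --- Account provider (GitHub's role): issues and later consumes recovery tokens ---
class AccountProvider:
    def __init__(self, recovery_provider_key: bytes, max_age_s: int = 300):
        self.token_key = secrets.token_bytes(32)   # binds tokens to this provider
        self.rp_key = recovery_provider_key        # ASSUMPTION: shared MAC key stands in for a public key
        self.max_age_s = max_age_s                 # how old a recovery assertion may be
        self.issued = {}                           # token_id -> username, kept server-side only

    def issue_token(self, username: str) -> bytes:
        # The token holds no personal data: a random id plus a MAC only this provider can check.
        token_id = secrets.token_bytes(16)
        tag = hmac.new(self.token_key, token_id, hashlib.sha256).digest()
        self.issued[token_id] = username
        return token_id + tag

    def recover(self, token: bytes, ts: int, countersig: bytes, now: int) -> Optional[str]:
        # 1. The recovery provider's countersignature must cover both token and timestamp.
        expected = hmac.new(self.rp_key, token + ts.to_bytes(8, "big"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, countersig):
            return None
        # 2. Freshness: reject stale or future-dated assertions (limits replay window).
        if not (0 <= now - ts <= self.max_age_s):
            return None
        # 3. Integrity of our own token, so a forged or foreign token is rejected.
        token_id, tag = token[:16], token[16:]
        if not hmac.compare_digest(hmac.new(self.token_key, token_id, hashlib.sha256).digest(), tag):
            return None
        # 4. Single use: the token is consumed when the account is recovered.
        return self.issued.pop(token_id, None)

# --- Recovery provider (Facebook's role): stores the blob, never reads it ---
class RecoveryProvider:
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.vault = {}          # recovery_user -> opaque token

    def save(self, recovery_user: str, token: bytes) -> None:
        self.vault[recovery_user] = token

    def assert_recovery(self, recovery_user: str, now: int):
        # Called only after the user re-authenticates; returns token + time-stamped countersignature.
        token = self.vault[recovery_user]
        sig = hmac.new(self.key, token + now.to_bytes(8, "big"), hashlib.sha256).digest()
        return token, now, sig
```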
And it’s not just about Facebook wanting to be your security nanny. They will release open source reference implementations, and they even want you to be able to use third-party services in this manner to recover your Facebook account.
Whether the world will ever see the need to delegate these steps away from their email account is a question that we’re still exploring the answer to, but we’re all for folks trying new things. Look out for this option on GitHub starting today.