Facebook Offers a Better Way to Get Back Into Your Locked-Out Apps

At Facebook's F8 conference, the company outlined a refreshing alternative to the bad security questions that plague account recovery across the web.
Image: Then One/WIRED

The stakes of computer security have risen far too high for any modern human to depend on their mother's maiden name to preserve their secrets. But the lingering "forgot password?" function on plenty of apps and websites still falls back to antiquated identity tests. Even better-secured services still offer password reset links sent via insecure email. Facebook thinks there's a better way---and now it's releasing the code to make it possible for everyone.

At its F8 developer conference Tuesday, Facebook announced a beta version of what it calls Delegated Account Recovery, a feature designed to make your account on Facebook or similar services the ultimate fallback for recovering any forgotten password. Apps that adopt the feature can give users the option to recover or reset their password by proving their identity to Facebook, rather than by clicking on an emailed link, or worse, coughing up personal trivia like the name of their first pet or high school mascot. The approach holds the promise of far tighter account security, shoring up the problem of hackers guessing security question answers or hijacking insecure email accounts. Facebook has tested the feature with Github for months. Now it's publishing the code to let any app try it, and then apply to be part of Facebook's closed beta.

"It’s really about up-leveling what happens when you click 'forgot my password,'" says Facebook security engineer Brad Hill. "We can do something a lot more sophisticated and easier that's also a much more secure experience."

A Better Way

Security questions are a notoriously broken form of account recovery: One study found that about one in eight answers to those questions could be guessed in five tries. Security question fallibility has claimed high-profile victims like Mitt Romney and Sarah Palin.

Today, most apps and services instead send password reset links. But that approach still leaves accounts vulnerable to anyone who can hijack the linked email account, or intercept the unencrypted message. Phone-based text message recovery options are in some ways more secure---but unlike your Facebook account, people periodically change their phone numbers. "They're not stable identifiers," says Hill. "We really want a secure, safe way for people to get back into their accounts even if they change their email and phone number."

Facebook's new system works by allowing apps or web sites to store an account recovery "token" on Facebook's servers. When a user turns the feature on, the service pushes that token to Facebook via the user's browser in an HTTPS-encrypted connection. From then on, if at any point the user forgets his or her password, or loses a device used for two-factor authentication, they can retrieve the token by proving their identity to Facebook, and then use it to recover access to the account they were locked out of.

Facebook's identity-proving process uses more than just a password. It can require inputting a temporary code texted to the user's phone, checking that the token's being retrieved from a known device in a familiar location, and even requiring the person to fill out Facebook's so-called Social CAPTCHA, which requires them to identify pictures of friends within a time limit. "The idea is to leverage those indicators Facebook has and let you prove that you’re still you," says Hill. "Account recovery isn’t something that happens every day, so it’s not a big deal to add a little friction to that process to keep it secure."

Like practically every action Facebook takes, Delegated Account Recovery will no doubt raise suspicions. It's possible to see it as an effort to gain a tighter hold of your online activities, or gather more data by spying on your linked accounts. But Hill says Facebook designed the system to not let Facebook learn anything from the account recovery tokens other than which service a user has linked. The service encrypts the token so that only the partnered service, not Facebook, can identify the specific account being recovered.

"It's like giving a sealed envelope to a trusted neighbor and saying 'hold this for me, don’t look in it, and only give it back to me,'" Hill says. (The privacy goes the other way too, preventing the service from learning the user's specific Facebook account.)
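To make the "sealed envelope" concrete, here is an added example, written for this page and not Facebook's or GitHub's code, that models the three roles the article describes: the service that owns the account encrypts and authenticates a recovery token, the user's browser hands that opaque blob to a holder (Facebook's role) that stores it without being able to read it, and the blob only comes back after the holder has re-verified the user. The names `RecoveryService`, `RecoveryHolder`, `"example-app"`, `"alice"` and the `reauthenticated` flag are assumptions; the real Delegated Account Recovery token format is not reproduced. Encryption uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag purely so the code runs with the standard library; a production implementation would use an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with an HMAC-SHA256 counter-mode keystream.

    Stand-in for a real AEAD cipher (AES-GCM), used only so this example runs
    with the standard library. The same call both encrypts and decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class RecoveryService:
    """The app that owns the account (the GitHub-like issuer role; assumed name).

    Only this party holds the keys, so only it can read or validate a token.
    """

    def __init__(self, name: str, token_ttl: int = 365 * 24 * 3600):
        self.name = name
        self.enc_key = secrets.token_bytes(32)
        self.mac_key = secrets.token_bytes(32)
        self.token_ttl = token_ttl
        self.outstanding = {}  # token_id -> account_id; an entry is removed when redeemed

    def issue_token(self, account_id: str) -> dict:
        """Build the sealed envelope the user's browser will hand to the holder."""
        token_id = secrets.token_hex(16)
        payload = json.dumps({"account": account_id, "token_id": token_id,
                              "issued": int(time.time())}).encode()
        nonce = os.urandom(16)
        ciphertext = _keystream_xor(self.enc_key, nonce, payload)
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        self.outstanding[token_id] = account_id
        # The holder sees only the issuer name and an opaque blob: it learns
        # which service is linked, never which account.
        return {"issuer": self.name, "blob": nonce + ciphertext + tag}

    def recover(self, envelope: dict) -> Optional[str]:
        """Validate a returned envelope and return the account it unlocks, or None."""
        blob = envelope["blob"]
        if envelope["issuer"] != self.name or len(blob) < 48:
            return None
        nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # tampered with or forged; never decrypt unauthenticated data
        claims = json.loads(_keystream_xor(self.enc_key, nonce, ciphertext))
        if time.time() - claims["issued"] > self.token_ttl:
            return None  # expired
        # One-time use: a token already redeemed (or revoked) is refused.
        account = self.outstanding.pop(claims["token_id"], None)
        return account if account == claims["account"] else None


class RecoveryHolder:
    """The service that stores envelopes for its users (Facebook's role; assumed name).

    It never has the issuer's keys, so each blob is opaque to it.
    """

    def __init__(self):
        self.store = {}  # holder_user_id -> list of envelopes

    def save(self, holder_user: str, envelope: dict) -> None:
        self.store.setdefault(holder_user, []).append(envelope)

    def linked_issuers(self, holder_user: str) -> list:
        """Everything the holder can tell about a user's stored envelopes."""
        return sorted({e["issuer"] for e in self.store.get(holder_user, [])})

    def retrieve(self, holder_user: str, issuer: str, reauthenticated: bool) -> list:
        """Hand envelopes back only after the user has re-proven identity.

        `reauthenticated` stands in for the holder's own checks (password,
        texted code, known device and location, Social CAPTCHA).
        """
        if not reauthenticated:
            raise PermissionError("identity not re-proven to the holder")
        return [e for e in self.store.get(holder_user, []) if e["issuer"] == issuer]


if __name__ == "__main__":
    svc, holder = RecoveryService("example-app"), RecoveryHolder()
    holder.save("holder-user-1", svc.issue_token("alice"))  # constructed sample ids
    print("holder learns:", holder.linked_issuers("holder-user-1"))
    env = holder.retrieve("holder-user-1", "example-app", reauthenticated=True)[0]
    print("recovered account:", svc.recover(env), "| replay:", svc.recover(env))
```

Two properties in the article map directly onto the code: the holder's `linked_issuers` is the only thing it can extract from an envelope, and `recover` refuses a tampered, expired or already-redeemed blob, so a token that leaks from the holder is useless without the issuer's keys and cannot be replayed once used.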

Open Sesame

If Facebook's Delegated Account Recovery catches on with more apps and sites, it could make quitting the service virtually impossible without risking losing access to other accounts, too. But customers already entrust their logins for a multitude of services to Facebook and Google through the open OAuth standard. Similarly, Facebook's account recovery mechanism isn't intended to be a lock-in, monopoly tactic, Hill argues. In fact, he says, Facebook is releasing the open source code. Any other company, from Apple to Google to Twitter, could just as easily use the code to offer itself as a backup service, storing users' account recovery tokens. Hill suggests that someday highly secure services might require you to retrieve recovery tokens from multiple services to regain access to an account when you've forgotten a password or lost a second-factor authentication device. "We want to see more people than just Facebook implementing this protocol," says Hill.

Github became the first service to try Facebook's account recovery features in January, when the feature was first announced. For now, using the service remains "not that common among all our users," says Neil Matatall, the engineer who led the Github integration. But he's still optimistic about the idea. "We believe this is far superior to all the existing means" of account recovery, he says. "As we build confidence in this over time, we believe it can replace all other methods."

Now that the code is in the wild, Facebook's Hill says he's hopeful the service will spread far beyond Github---and perhaps far beyond Facebook, too. "Instead of giving your mother’s maiden name to a thousand places until it's not even secret any more, the idea is to let people decide which are the services they trust, and best able to reauthenticate them to prove who they are," says Hill, "And then let them bring that trust with them everywhere they go."