Facebook Launches Beta of New Account Recovery System

Written by: Mike Yang

Facebook has opened a beta program for its new Delegated Account Recovery system, which is designed to replace traditional email or SMS-based recovery processes.
The Facebook system allows users to connect their Facebook accounts with other services and use that trusted link to recover access to one of the accounts. The company has published an SDK and documentation on the system, which it has been testing for several months with GitHub. Now the program is entering a closed beta with the promise of a public release in the coming months. Delegated Account Recovery is meant to eliminate the use of insecure channels such as email or SMS to verify a user’s ownership of a given account.
“It’s an open protocol. Trust who you want. We’re really excited that GitHub is making the first connection with us,” Brad Hill, a security engineer at Facebook, said in January. “We really don’t want this to be a Facebook-only service, so that we can have that network effect protecting you. The best way for us to address that is to share it.”
On Tuesday, Hill announced the beta program for Delegated Account Recovery and said GitHub also is publishing its own SDK. The hope, he said, is that many other companies will join the program, creating a large ecosystem with a variety of interconnected services and users. The system relies on a trusted relationship between two participants and uses cryptographically signed tokens, rather than emailed links, for account recovery.

Image: Facebook

“Instead of requesting user data at the outset, your business creates a recovery token linked to your identifier for the customer, and sends it to Facebook. We keep it safe and private until that person needs it. Think of it as giving a sealed envelope to a trusted friend. Facebook can’t see what’s inside; we just know we shouldn’t give it back to anyone but you,” Hill said in a post announcing the beta.

“When the need to recover access arises, Facebook will take the person through a re-authentication flow and then send the original sealed envelope back to the service that created it, with a new cryptographic signature from Facebook. The result? As a developer, you’re able to confirm the original identity of the person and restore their access, without learning their identity on Facebook — and without Facebook learning their identity on your service.”

Both email and SMS are considered insecure channels, as attackers can intercept the messages in a variety of ways. A system such as Facebook’s helps users avoid the kind of chain reaction that can happen when an attacker is able to compromise one account and then use that as a launching point to go after others. The idea is to make each participating service an equally important part of the system.
“I want these core accounts strongly and redundantly cross-verifiable. None of the services should be more or less important,” Hill said in January. “We’re trying to build a reliable set of steps that anyone can follow without opening it up to attackers.”
Facebook has published extensive documentation on Delegated Account Recovery, as well as some sample applications.
Image: Startbloggingonline.com, CC by license.