OAKLAND–Facebook has developed a new account-recovery system that eschews the communications channels typically used for this process, email and SMS, and instead relies on a user’s accounts at other services. The scheme allows users to regain access to accounts without either service disclosing identifying information about the user to the other.
The Delegated Recovery system, which Facebook introduced at the Enigma conference here Monday, could be a major step forward in the way that sites handle the messy and sensitive process of account recovery. Right now, most sites use either email, SMS, or a combination of the two when a user needs to recover her account. A user typically clicks a “forgot password” link, which generates an email or text containing a second link; following that link lets the user reset her password or complete other account-recovery steps.
The system that Facebook has implemented allows a user to link her Facebook account with an account on another site. Instead of using email or SMS, the two sites exchange cryptographically signed tokens. The two sites don’t exchange any identifying information about the user during the process, and the communications are done over HTTPS.
“The only thing that gets learned is that you have an account on the other site,” said Brad Hill, a Facebook engineer, who spoke at the Enigma conference. “No user-identifiable information is exchanged, so it’s not tied to a username, or email, or phone number.”
Facebook has published the protocol for Delegated Recovery and already has partnered with GitHub as the first outside service to participate. But Hill said ultimately he’d like to see a large, diverse set of sites and services join the ecosystem so that it is more robust and resistant to failure. For example, if a user loses control of her Facebook account, she can sign in to GitHub, and that site will send a recovery token, one that was associated with her account when the two were linked, back to Facebook with a countersignature and a timestamp.
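To make the exchange described in the preceding paragraphs concrete (linking the accounts, storing a token, then returning it countersigned with a timestamp), here is an added example. It is not Facebook’s published reference implementation or GitHub’s code; it is loosely modeled on the published protocol’s token layout (version, type, random token id, issuer, audience, issue time, signature). Signatures are HMAC-SHA256 with a per-site key looked up from a dictionary, an assumption standing in for the ECDSA signatures and well-known key discovery the real protocol uses. The origins, account id, GitHub user name and 60-second freshness window are all made up for the example.

```python
import hashlib
import hmac
import os
import struct

RECOVERY_TOKEN, COUNTERSIGNED_TOKEN = 0, 1   # token types, as in the published spec
MAX_AGE = 60      # seconds a countersignature is honoured (assumed policy)
SIG_LEN = 32      # HMAC-SHA256 tag length (stand-in for an ECDSA signature)

def _lv(field: bytes) -> bytes:               # length-prefixed field
    return struct.pack(">H", len(field)) + field

def _read_lv(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def _sign(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

def _verify(key: bytes, blob: bytes) -> bytes:   # returns the signed body or raises
    if not hmac.compare_digest(_sign(key, blob[:-SIG_LEN]), blob[-SIG_LEN:]):
        raise ValueError("bad signature")
    return blob[:-SIG_LEN]

def _parse_token(body: bytes):
    if body[1] != RECOVERY_TOKEN:
        raise ValueError("not a recovery token")
    issuer, pos = _read_lv(body, 18)          # 1 version byte, 1 type byte, 16-byte id
    audience, _ = _read_lv(body, pos)
    return body[2:18], issuer.decode(), audience.decode()   # no user identity in here

class Provider:
    def __init__(self, origin: str, key: bytes):
        self.origin, self.key = origin, key
        self.issued = {}     # token_id -> account id; this mapping never leaves the site
        self.saved = {}      # local user -> opaque token held for them
        self.used = set()    # token ids already redeemed, to stop replay

    # account-provider role: mint a token now, redeem the countersigned one later
    def issue_token(self, account_id: str, audience: str, now: int) -> bytes:
        token_id = os.urandom(16)                 # random id, not an account identifier
        body = (bytes([1, RECOVERY_TOKEN]) + token_id + _lv(self.origin.encode())
                + _lv(audience.encode()) + struct.pack(">Q", now))
        self.issued[token_id] = account_id
        return body + _sign(self.key, body)

    def recover(self, blob: bytes, now: int, peer_keys: dict) -> str:
        """Verify a countersigned token and return the account it unlocks."""
        inner, pos = _read_lv(blob, 2)
        issuer, pos = _read_lv(blob, pos)
        audience, pos = _read_lv(blob, pos)
        (ts,) = struct.unpack_from(">Q", blob, pos)
        issuer = issuer.decode()
        if blob[1] != COUNTERSIGNED_TOKEN or audience.decode() != self.origin or issuer not in peer_keys:
            raise ValueError("not a countersigned token addressed to us by a known recovery provider")
        _verify(peer_keys[issuer], blob)          # the recovery provider's countersignature
        if not ts <= now <= ts + MAX_AGE:
            raise ValueError("stale or future countersignature")
        token_id, iss, aud = _parse_token(_verify(self.key, inner))   # our own signature
        if iss != self.origin or aud != issuer:
            raise ValueError("token issuer/audience mismatch")
        if token_id not in self.issued or token_id in self.used:
            raise ValueError("unknown or already-used token")
        self.used.add(token_id)                   # single use
        return self.issued[token_id]

    # recovery-provider role: hold the token for a local user, countersign it on request
    def save_token(self, local_user: str, token: bytes, peer_keys: dict) -> None:
        _, issuer, audience = _parse_token(token[:-SIG_LEN])
        if audience != self.origin:
            raise ValueError("token not addressed to us")
        _verify(peer_keys[issuer], token)         # account provider's signature checks out
        self.saved[local_user] = token            # stored opaque; no account id inside

    def countersign(self, local_user: str, now: int) -> bytes:
        token = self.saved[local_user]
        _, issuer, _ = _parse_token(token[:-SIG_LEN])
        body = (bytes([1, COUNTERSIGNED_TOKEN]) + _lv(token) + _lv(self.origin.encode())
                + _lv(issuer.encode()) + struct.pack(">Q", now))
        return body + _sign(self.key, body)

def demo() -> dict:
    """Issue, save, countersign and redeem, then try a replay and a stale countersignature."""
    fb = Provider("https://facebook.example", os.urandom(32))   # constructed origins/keys
    gh = Provider("https://github.example", os.urandom(32))
    keys = {fb.origin: fb.key, gh.origin: gh.key}   # stands in for well-known key discovery
    t0 = 1_700_000_000
    token = fb.issue_token("fb-internal-account-42", gh.origin, t0)
    gh.save_token("octocat", token, keys)
    signed = gh.countersign("octocat", t0 + 86_400)
    out = {"account": fb.recover(signed, t0 + 86_400 + 5, keys),
           "leaks": b"fb-internal-account-42" in token or b"octocat" in token}
    for name, blob, when in [("replay", signed, t0 + 86_400 + 6),
                             ("stale", gh.countersign("octocat", t0 + 86_400), t0 + 86_400 + MAX_AGE + 1)]:
        try:
            fb.recover(blob, when, keys)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    return out
```

Note what the token actually carries: a random id, the two origins, a timestamp and a signature. The account provider keeps the mapping from token id to account on its own side, and the recovery provider files the token under its own local user, so neither site learns the other’s identifier for the person. The freshness window and the single-use check are what stop a countersigned token captured in transit from being redeemed later.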
“I want these core accounts strongly and redundantly cross-verifiable. None of the services should be more or less important,” Hill said. “We’re trying to build a reliable set of steps that anyone can follow without opening it up to attackers.”
Account recovery is one of the ugly little problems in security. Because of its ubiquity, email has long been the default channel for the process. But a reset link is only as safe as the mailbox it lands in, and mail is frequently relayed without end-to-end protection, so it can be intercepted. The same is true of SMS, which typically is unencrypted and is open to redirection or interception, whether by porting the number to an attacker’s phone or within the carrier network. Hill said the intent behind the new Delegated Recovery system is to move away from those channels and toward a more reliable and attack-resistant process.
But he acknowledged that some users might be hesitant to tie their account recovery at other services to Facebook.
“It’s an open protocol. Trust who you want. We’re really excited that GitHub is making the first connection with us,” he said. “We really don’t want this to be a Facebook-only service, so that we can have that network effect protecting you. The best way for us to address that is to share it.”
Tomorrow, GitHub will implement enhanced recovery of two-factor-authentication-protected accounts via the Facebook service. And Facebook plans to publish an open-source reference implementation for the service soon, with general availability for other sites coming later this year.