Facebook has proposed a new method for recovering accounts when users forget their passwords or their credentials are stolen by hackers, and GitHub users will be the first to test it.
The social media giant wants users to be able to recover their accounts via a method it calls “delegated recovery,” where an application delegates the capability to recover an account to a different account controlled by the same user at a third-party service provider.
GitHub users who want to test the method save a special recovery token in their Facebook account. If they later lose access to the GitHub account, they re-authenticate to Facebook, which sends the token back to GitHub together with a time-stamped countersignature; GitHub verifies that countersignature to confirm that the request comes from the account's owner.
The token is encrypted, and Facebook will not share any personal information with GitHub. The data is also transmitted over HTTPS so that it cannot be intercepted by a third party.
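The exchange described above, as an added example written for this page. It is not Facebook's published specification or either company's reference implementation: the message layout, the choice of AES-256-GCM for the token and Ed25519 for the countersignature, the five-minute freshness window, the provider name and the account names are all this example's assumptions, and it takes for granted that the recovery provider already knows the account provider's signing key (how keys are distributed is outside its scope). The account provider stores only an opaque blob and vouches for the user after re-authenticating them; the recovery provider checks the countersignature and its timestamp, then confirms that the token is its own and has not been used before:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// CounterSigned is what the account provider (Facebook's role here) returns at recovery time.
type CounterSigned struct {
	Token    []byte `json:"token"`  // the opaque token the user saved there during enrolment
	Issuer   string `json:"issuer"` // which account provider is vouching for the user
	IssuedAt int64  `json:"iat"`    // when it re-authenticated the user (Unix seconds)
	Sig      []byte `json:"sig"`    // Ed25519 signature over the three fields above
}

// signingInput is the byte string the countersignature covers: every field but Sig.
func signingInput(cs CounterSigned) []byte {
	cs.Sig = nil
	b, _ := json.Marshal(cs)
	return b
}

// CounterSign is the account provider's whole job, done after it re-authenticates the user; it cannot read or mint tokens.
func CounterSign(priv ed25519.PrivateKey, issuer string, token []byte, now time.Time) CounterSigned {
	cs := CounterSigned{Token: token, Issuer: issuer, IssuedAt: now.Unix()}
	cs.Sig = ed25519.Sign(priv, signingInput(cs))
	return cs
}

// RecoveryProvider is the service being recovered into (GitHub's role); only it holds the token key.
type RecoveryProvider struct {
	aead    cipher.AEAD                  // AES-256-GCM under a key that never leaves this service
	trusted map[string]ed25519.PublicKey // account providers whose countersignatures are accepted
	maxAge  time.Duration                // oldest countersignature still accepted
	used    map[string]bool              // ciphertexts already redeemed; tokens are one-shot
}

func NewRecoveryProvider(key []byte, maxAge time.Duration, trusted map[string]ed25519.PublicKey) (*RecoveryProvider, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &RecoveryProvider{aead: aead, trusted: trusted, maxAge: maxAge, used: map[string]bool{}}, nil
}

// IssueToken is the enrolment step. Output is nonce || ciphertext || GCM tag; the plaintext is just the account name.
func (rp *RecoveryProvider) IssueToken(user string) ([]byte, error) {
	nonce := make([]byte, rp.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return rp.aead.Seal(nonce, nonce, []byte(user), nil), nil
}

// Recover checks a countersigned token. Order matters: the signature is verified before anything in the
// message is trusted, freshness before the token is opened, and the one-shot check is last so a failed attempt does not consume it.
func (rp *RecoveryProvider) Recover(cs CounterSigned, now time.Time) (string, error) {
	pub, ok := rp.trusted[cs.Issuer]
	if !ok || !ed25519.Verify(pub, signingInput(cs), cs.Sig) {
		return "", errors.New("countersignature missing, forged, or from an untrusted issuer")
	}
	if age := now.Sub(time.Unix(cs.IssuedAt, 0)); age > rp.maxAge || age < -30*time.Second {
		return "", errors.New("countersignature timestamp outside the acceptance window")
	}
	ns := rp.aead.NonceSize()
	if len(cs.Token) < ns {
		return "", errors.New("malformed token")
	}
	user, err := rp.aead.Open(nil, cs.Token[:ns], cs.Token[ns:], nil)
	if err != nil {
		return "", errors.New("token was not issued by us or has been altered")
	}
	if rp.used[string(cs.Token)] {
		return "", errors.New("token already redeemed")
	}
	rp.used[string(cs.Token)] = true
	return string(user), nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // demo only: crypto/rand errors are not checked in main
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	rp, _ := NewRecoveryProvider(key, 5*time.Minute, map[string]ed25519.PublicKey{"account-provider.example": pub})
	tok, _ := rp.IssueToken("octocat")                                   // enrolment: the user stores tok at the account provider
	cs := CounterSign(priv, "account-provider.example", tok, time.Now()) // later: user re-authenticated there, provider vouches
	fmt.Println(rp.Recover(cs, time.Now()))                              // octocat <nil>
	fmt.Println(rp.Recover(cs, time.Now()))                              // the same countersignature is refused on replay
}
```

Two design points are worth noting beyond what the article states. The one-shot check (keyed on the ciphertext bytes, which only the recovery provider can produce) is what stops a countersignature that leaks after the fact, from a log or a compromised client, from being replayed inside the freshness window. And the checks are ordered so that nothing inside the message is parsed or acted on before the account provider's signature has been verified; a forged or tampered message is rejected without touching the token or the one-shot state.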
This account recovery system will be covered by the Facebook and GitHub bug bounty programs. Based on feedback received from users, the social media company wants to improve the system and have it adopted by more services. Both Facebook and GitHub will release open source reference implementations in various programming languages.
“Usable security must cover all the ways we access our accounts, including when we need to recover them. We hope this solution will improve both the security and the experience when people forget a password or lose their phone and need to get back into their accounts,” said Brad Hill, a security engineer at Facebook.
Delegated recovery is promoted as an alternative to security questions, which are known to be risky, and email- and SMS-based methods, which do not offer the security guarantees many users expect today.
The announcement comes just days after Facebook announced support for Universal 2nd Factor (U2F) security keys.