Facebook has announced a new technology it believes could overhaul the insecure mess of recovering an account where the password or user credential has been forgotten or compromised.
Called Delegated Recovery, the principle behind it is simple enough: use Facebook (or another trusted provider) as the re-authentication mechanism.
As anyone who has ever done it will know, current methods for regaining access to an account, for example resetting a password, don’t inspire much confidence.
Common mechanisms involve sending a password reset link to a registered email address, answering a recovery question, or simply being prompted by a password hint. Each has widely acknowledged weaknesses, starting with the glaring insecurity of email as a channel for initiating a reset and the laughable ease with which security questions can be guessed.
As Facebook’s Brad Hill reportedly said of an unnamed online bank account recovery system during his USENIX Enigma conference presentation on Delegated Recovery: “It asked me what my favourite colour was, and it let me guess as many times as I wanted.”
A decade ago it looked as if federated authentication – accessing different services using a single identity such as Google or Microsoft – might provide an answer, but its uptake among consumer-oriented providers remains modest.
Delegated Recovery strips the problem back to a simpler level. In this design, Facebook is used to generate and store an encrypted recovery token for a given website. Should a credential such as a password be forgotten, a time-stamped token (countersigned by the provider’s private key) is sent to restore access after the user re-authenticates to Facebook.
This whole process should take seconds with a browser over HTTPS, Hill told the audience.
For now, Delegated Recovery has the catch that it is only available for GitHub users. Facebook hopes other websites and identity providers will start using the protocol in time, extending its usefulness.
The initiative serves as a reminder that there is more to password security than length, complexity or how often a password is re-used across different sites. Even the best passwords are vulnerable if the reset system is open to compromise.
That said, Delegated Recovery demands that Facebook users properly secure their account, otherwise the weakness is simply shifted from one site to another. This can be done by turning on Login Approvals, Facebook's two-step verification, in the security settings; it defaults to sending one-time SMS codes.
Alternatively, as of last week, more secure FIDO U2F tokens such as the YubiKey can be used on supported browsers such as Chrome. Unlike simpler two-step verification systems, these are true two-factor authentication (2FA) because they fully separate the first factor (something known, such as a password) from the second factor (something in the user’s possession).
We discussed the U2F approach in more detail yesterday – it’s good to see Facebook paying attention to improving security.
Reader
Glad to see Facebook offer a Security Key option (see Security > Login Approvals > Security Keys).
My Facebook account has been hacked at least twice since last September, although I have used 2FA on the site for at least three years, have changed my long complex password several times during that time, and do not share my computer.
Dumb question: Can someone hack my Facebook account again, surreptitiously delete my key, just as surreptitiously add their own key, and give their key the same name as mine?